Re: cpujan2006 client issues
Please see comments inline below:
Ray Stell wrote:
>1. 343382.1 says, "One vulnerability (DBC02) is in a utility that can
>be forced to terminate if given long arguments, potentially allowing
>code of an attacker's choice to be executed. However, this utility is
>not installed with setuid (elevated) privileges, so the risk that it
>can be effectively exploited is very low."
>
>
This sounds like a pretty fair assessment. So long as the program does not run with setuid privileges, the risk is only modest. In order to exploit the bug, one would have to "trick" a user (or program) with "elevated" privileges to invoke the affected executable on their behalf, supplying very carefully crafted arguments.

Is this a risk? Sure. But not a big one. If I can fool somebody with "root" or "oracle" privileges to run /bin/sh (or vi, or emacs, or find, or ...) with arbitrary parameters that I supply, I will pretty much "own" that system. Given that there are hundreds (or thousands) of programs whose "normal" (and bug-free) operation provides this kind of "exposure", I don't think I'll lose much sleep over some "bug" that provides a similar exposure.

Still, if it doesn't take extraordinary effort to correct (e.g., patching the Oracle client software on 10,000 end-user workstations), the extra precaution is probably worthwhile.
> Do we know if a patched server is vulnerable to this client issue?
>
Probably. In general, the "database server" is a (large) superset of the database client, isn't it?
> Isn't it a bit absurd to think the risk is low because of
> the default install characteristics? What, black hats
> don't know how to use the chmod cmd?
>
Sure they do. So what?
If a "blackhat" is able to 'chmod' ANY executable to make it setuid to "oracle" or "root" (or anything other than him/her self) it's pretty much all over, isn't it? "chmod" (setuid) is a privileged operation. If the blackhat can do that, you're already hacked.

I suppose, though, that this *could* be a (not so) subtle way to install a backdoor on a system that has already been broken, though...
>2. 343384.1 says, "Please do not open an issue with Support for additional
>information on the vulnerabilities."
>
> So, how do I get an answer to the above questions?
>
>
How did I do?
>3. I asked these questions on the metalink unix installation forum yesterday.
>Today, my note is gone. "I'm speechless, I am without speech."
>
>
Interesting... I wonder if somebody hacked the Metalink Forums database... ;-)

Nah!

I understand your annoyance, though. I understand the ban on opening TARs (I guess) but shutting down user discussion on the forums is another thing entirely...
-- http://www.freelists.org/webpage/oracle-l

Received on Wed Feb 01 2006 - 19:27:41 CST
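
The reply above argues that a setuid bit appearing on a client utility means the system is already compromised, which makes an unexpected setuid or setgid file something worth detecting. The script below is an added example, not part of the original message: it compares the setuid/setgid files under a directory (for instance an Oracle home) against a reviewed baseline. The function names and the baseline file with one path per line are assumptions.

```shell
#!/bin/sh
# Added example: report setuid/setgid files that are not in a reviewed baseline.
# Function names and the baseline format (one absolute path per line) are
# hypothetical. Paths containing newlines are not handled.

# list_privileged DIR
# Print every regular file under DIR that has the setuid (4000) or
# setgid (2000) bit set, sorted, without crossing filesystem boundaries.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# unexpected_privileged DIR BASELINE
# Print files that carry setuid/setgid now but are absent from BASELINE.
# Empty output means nothing gained the bit since the baseline was reviewed.
unexpected_privileged() {
    _cur=$(mktemp) && _base=$(mktemp) || return 2
    list_privileged "$1" > "$_cur"
    LC_ALL=C sort -u "$2" > "$_base"
    # comm -23 keeps lines that appear only in the first (current) list.
    LC_ALL=C comm -23 "$_cur" "$_base"
    rm -f "$_cur" "$_base"
}

# Stand-alone use: script.sh DIR BASELINE
if [ "$#" -eq 2 ]; then
    unexpected_privileged "$1" "$2"
fi
```

Build the baseline from a freshly installed, trusted system with `list_privileged`, review it, and store it somewhere the monitored host's accounts cannot write.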