On Tue, 16 Nov 1999, Elias Levy wrote:
> One must wonder if Oracle fixed the real problem (dbsnmp being suid root
> and trusting ORACLE_HOME) or whether they simply fixed the way to exploit
> the problem originally posted by Gilles, thus leaving the exploit by Brook
> still working.
> I would appreciate it if someone could apply the patch and verify that
> neither of the attack methods work any longer.

I installed the patch.  I'm running Oracle 8.0.5 on SPARC Solaris 2.6 with
recommended patches and y2k patches.

The Oracle patch changed dbsnmp so that other had no permissions.  When I
set my group to Oracle and ran it without ORACLE_HOME set, it did create
the log files in the current dir (/tmp), but it didn't follow the symlink
to /.rhosts and create that, so it looks like they did in fact fix it.

> Finally, Martin Mevald <[EMAIL PROTECTED]> claims that "tnslsnr" suid
> program is similarly vulnerable under Linux Oracle 8.0.5. Can someone
> verify this claim? Can someone verify Oracle versions other than Linux for
> this vulnerability? Can someone let us know whether this binary is part
> of the Oracle Intelligent Agent? And if so, can someone let us know if
> the Oracle patch fixes the vulnerability in tnslsnr?

This binary is not suid on SPARC Solaris 2.6.  I don't believe it is part
of Intelligent Agent.  If I remember correctly, tnslsnr is the product
that listens for Oracle connections from other machines, so it's part of
the core product.

-Adam
