
List:       bugtraq
Subject:    ASI Oracle Security Alert: CHOWN Path Environment Variable Vulnerability
From:       "Aaron C. Newman" <aaron () newman-family ! com>
Date:       2001-11-30 20:40:44

CHOWN Path Environment Variable Vulnerability

For additional details, the official advisories from Oracle
Corporation can be downloaded from:
http://otn.oracle.com/deploy/security/pdf/dbsmp_alert.pdf

Summary:
The vulnerability only affects Oracle 8.0.5 and 8.1.5.
The dbsnmp file executes the CHOWN and CHGRP commands on several
files. It references them without fully qualifying the path, so an
attacker can set the PATH environment variable to make dbsnmp run
the attacker's versions of CHOWN and CHGRP.
This vulnerability can result in an attacker gaining root access if
dbsnmp is setuid root.

Fix: Remove the setuid bit from the file (chmod -s dbsnmp) or upgrade
the database to Oracle release 8.1.6 or higher. It does not appear
that Oracle will be releasing a patch for this vulnerability.

Background:
This vulnerability is based on the Oracle Enterprise Manager
Intelligent Agent. This issue exists because the executable file for
this process, dbsnmp, runs with the setuid bit enabled. That means
this problem ONLY EXISTS ON UNIX (OR LINUX) VERSIONS OF ORACLE. If
you are not using the Intelligent Agent, you should remove the setuid
bit from this process. You can also avoid this issue by restricting
access to the Oracle operating system files. Only database
administrators should have access to these files.

The Oracle Intelligent Agent performs the following functions:
-Provides local services or calls operating-system-dependent
services to interact locally with the managed targets.
-Checks for events and queues the resulting event reports for
Oracle Enterprise Manager.
-Runs Oracle Enterprise Manager jobs, collects their results and
output, and/or queues the results as required.
-Cancels jobs or events as directed by the Console or other
applications.
-Handles requests to send SNMP traps for events if SNMP is supported
on the Intelligent Agent's platform.


Thank you,
support@appsecinc.com
Application Security, Inc.
phone: 212-490-6022
-Protection Where It Counts-

----------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com

As pioneers in application security, we are an organization
dedicated to the security, defense, and protection of one
of the most commonly overlooked areas of security — the
application layer. Application Security, Inc. provides
solutions to proactively secure (penetration testing/vulnerability
assessment), actively defend/monitor (intrusion detection), and
protect (encryption) your most critical applications.
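
Added example (not part of the original advisory, and not Oracle's or
Application Security, Inc.'s code): a POSIX shell audit for the setuid
condition the advisory describes, to run before and after applying the fix.
The file paths are supplied by the operator; the function names, severity
labels and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a binary (such as dbsnmp) for setuid/setgid bits.
# Function names and exit codes are this example's own (hypothetical).

# owner_uid FILE -> prints the numeric owner uid (portable: parses `ls -ldn`).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# audit_setid FILE
# Prints a one-line finding and returns:
#   0 = no setuid/setgid bit, 1 = setuid or setgid bit set, 2 = not a regular file
audit_setid() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "SKIP  $f: not a regular file"
        return 2
    fi
    uid=$(owner_uid "$f")
    # The case the advisory warns about: the binary runs with root privileges.
    if [ -u "$f" ] && [ "$uid" = "0" ]; then
        echo "HIGH  $f: setuid root; remediate with: chmod -s $f"
        return 1
    fi
    if [ -u "$f" ] || [ -g "$f" ]; then
        echo "WARN  $f: setuid/setgid bit set (owner uid $uid)"
        return 1
    fi
    echo "OK    $f: no setuid/setgid bit"
    return 0
}

# list_setid DIR -> prints every regular file under DIR that has the
# setuid or setgid bit, to find other binaries with the same exposure.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Stand-alone use: audit each path given on the command line.
for target in "$@"; do
    audit_setid "$target" || true
done
```

Pass the full path of the installed dbsnmp binary as the argument; a HIGH
result means the file still has the setuid-root configuration.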
