===========================================================================
                        A U S C E R T   A L E R T

                   AL-1999.002 -- AUSCERT ALERT
                   Oracle oratclsh vulnerability
                            7 May 1999
===========================================================================

PROBLEM:

        AusCERT has received information that the oratclsh program
        supplied with some versions of Oracle 8.x as part of the
        Intelligent Agent package may be installed with incorrect
        privileges on Unix hosts. These privileges may allow local
        users to gain privileged access to either the Oracle system or
        the Unix host, depending on the specific configuration problem.

        Information regarding this vulnerability has been made publicly
        available.

PLATFORM:

        This vulnerability is known to be present on Oracle 8.0.5 under
        Solaris 2.6. It has also been reported to affect other versions
        of Oracle and other Unix platforms with Oracle installed. All
        sites running a Unix version of Oracle 8.x are encouraged to
        take the steps outlined in the "Solution" section.

IMPACT:

        Local Unix users may gain privileged access on hosts with
        vulnerable versions of oratclsh installed. Depending on the
        configuration, this may be leveraged to compromise not only the
        Oracle installation but also the Unix host it is installed on.

SOLUTION:

        At this time, it has not been determined which specific versions
        of Oracle 8.x may be affected. Therefore, all sites running
        Oracle 8.x on Unix platforms are encouraged to check for the
        presence of the oratclsh program and, if it is found, restrict
        the privileges on it.

        Typically, the oratclsh program (if installed) is located at
        $ORACLE_HOME/bin/oratclsh. You can check for its presence and
        permissions by executing:

                % ls -l $ORACLE_HOME/bin/oratclsh

        If you are not sure whether oratclsh has been installed in the
        standard location, you may wish to run the following command as
        root:

                # find / -name oratclsh -print

        If the program has the setuid (or setgid) bit set, then your
        version of oratclsh is vulnerable and users may be able to gain
        the privileges of the owner (or group) of oratclsh. If the owner
        is root, they can get Unix privileged (super-user) access. If it
        is the Oracle installation user or DBA, they can gain those
        privileges.

        To remove the vulnerability, oratclsh should have the setuid and
        setgid bits removed and its ownership set to the userid that the
        Oracle product was installed under. This can be done by executing
        the following commands as root.

        First, change the ownership of oratclsh (as root):

                # chown <ORACLE_OWNER> $ORACLE_HOME/bin/oratclsh

        where <ORACLE_OWNER> is the userid that the Oracle product was
        installed under (typically "oracle").

        Second, remove the setuid/setgid permissions of oratclsh (as
        root):

                # chmod 755 $ORACLE_HOME/bin/oratclsh

---------------------------------------------------------------------------

AusCERT thanks Dan Sugalski and John Ritchie of Oregon University System
for the original report and assistance in the preparation of this alert.
AusCERT also acknowledges other posters to the bugtraq mailing list.

---------------------------------------------------------------------------

AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated, and for which a work-around or fix
may not yet have been developed, requires notification.

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication.
However, the decision to use the information described is the
responsibility of each user or organisation.
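The check and fix from the Solution section, as an added POSIX sh example (not part of the AusCERT alert): audit a file for the setuid/setgid bits and, if found, apply the alert's chown and chmod 755 remediation. FILE and OWNER are supplied by the caller; ORACLE_HOME and the install user are site-specific and assumed.

```shell
#!/bin/sh
# Added example, not part of the AusCERT alert. Assumes POSIX sh and
# find(1); FILE and OWNER are placeholders supplied by the caller.

# audit_setid FILE
#   Prints "missing", "clean", or the privileged bits found ("setuid",
#   "setgid", "setuid setgid"). Exit status: 0 clean, 1 bits set, 2 missing.
audit_setid() {
    f="$1"
    [ -e "$f" ] || { echo "missing"; return 2; }
    bits=""
    # find -perm -MODE matches when every bit in MODE is set (POSIX);
    # -prune keeps find from descending if FILE happens to be a directory.
    [ -n "$(find "$f" -prune -perm -4000 2>/dev/null)" ] && bits="setuid"
    [ -n "$(find "$f" -prune -perm -2000 2>/dev/null)" ] && bits="${bits:+$bits }setgid"
    echo "${bits:-clean}"
    [ -z "$bits" ]
}

# harden_setid FILE OWNER
#   The alert's remediation: give FILE to the Oracle install user, then
#   chmod 755, which clears setuid and setgid. Needs root unless OWNER
#   already owns FILE. Returns 0 only if the file is clean afterwards.
harden_setid() {
    f="$1"; owner="$2"
    [ -e "$f" ] || return 2
    chown "$owner" "$f" || return 1
    chmod 755 "$f" || return 1
    audit_setid "$f" >/dev/null
}

# Typical use on an Oracle host (values are site-specific):
#   bin="$ORACLE_HOME/bin/oratclsh"
#   audit_setid "$bin" || harden_setid "$bin" oracle
```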
The appropriateness of this document for an organisation or individual
system should be considered, before application, in conjunction with local
policies and procedures. AusCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                Prentice Centre
                The University of Queensland
                Brisbane
                Qld. 4072.
                AUSTRALIA
===========================================================================