|
Vulnerability Oracle Affected Oracle 8.1.5.0.1 for Linux Description Keyser Soze found following. During the installation of Oracle 8.1.5.0.1 for Linux the installer creates the directory /tmp/orainstall (owned by oracle:dba, mode 711). Inside that directory it creates a shell script called orainstRoot.sh (mode 777). After that, the installer stops and asks you to run this script as root. There are two big problems here: 1. The installer blindly writes to orainstRoot.sh without checking if it exists, is a regular file or if it is even owned by oracle. An attacker may be able to use this to gain access to the oracle account by creating a .rhosts or .ssh/authorized_keys in oracle's home directory. After that they could connect to your database as INTERNAL... 2. Any user can run shell commands as root by editing orainstRoot.sh before root executes it. Soze found this using an 8.1.5i for Linux/Intel CD that Oracle shipped him. The part number is F54997-01. Solution It is not recommended installing Oracle on machines with user accounts, but if you must you can eliminate this problem by creating /tmp/orainstall/ with proper permissions before you run the installer. So, for a typical installation: mkdir /tmp/orainstall chmod 700 /tmp/orainstall chown oracle:dba /tmp/orainstall