Vulnerability

    Oracle

Affected

    Oracle 8.1.5.0.1 for Linux

Description

    Keyser Soze found  following.  During  the installation of  Oracle
    8.1.5.0.1  for   Linux  the   installer  creates   the   directory
    /tmp/orainstall  (owned  by  oracle:dba,  mode  711).  Inside that
    directory it  creates a  shell script  called orainstRoot.sh (mode
    777).  After that,  the installer stops and  asks you to run  this
    script as root.  There are two big problems here:

    1. The installer blindly writes to orainstRoot.sh without checking
       if it  exists, is  a regular  file or  if it  is even  owned by
       oracle.  An attacker may be able to use this to gain access  to
       the    oracle    account    by    creating    a    .rhosts   or
       .ssh/authorized_keys in  oracle's home  directory.   After that
       they could connect to your database as INTERNAL...

    2. Any  user   can  run  shell   commands  as  root   by   editing
       orainstRoot.sh before root executes it.

    Soze found  this using  an 8.1.5i  for Linux/Intel  CD that Oracle
    shipped him. The part number is F54997-01.

Solution

    It  is  not  recommended  installing  Oracle on machines with user
    accounts,  but  if  you  must  you  can  eliminate this problem by
    creating /tmp/orainstall/ with  proper permissions before  you run
    the installer. So, for a typical installation:

        mkdir /tmp/orainstall
        chmod 700 /tmp/orainstall
        chown oracle:dba /tmp/orainstall