COMMAND
oidldapd
SYSTEMS AFFECTED
oidldapd in Oracle 8.1.7
PROBLEM
The following is based on a Plazasite Security Advisory by Juan
Manuel Pascual Escriba. oidldapd is the Oracle Internet Directory
(OID) LDAP daemon. The current version is 2.1.1.1.
There is a file-permission checking error in oidldapd that can be
used by local users to write to any file on the local machine. The
daemon creates its log file with root privileges (the file is owned
by root even when an unprivileged user starts the daemon) inside a
log directory that is world-writable, so any user with local access
can plant a symbolic link under the log file's name and have root's
write redirected to a file of their choosing.
This behaviour seems to be new to oidldapd in OID 2.1.1.1/8.1.7.
We couldn't reproduce it with oidldapd in OID 2.0.6.3, and it seems
to be very dangerous. Look at this. On the tested system the
following occurs:
My ORACLE_HOME is /work/oracle8ir3:
[oracle@dimoniet bin]$ cd /work/oracle8ir3/ldaplog
[oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx 2 oracle orainstall 4096 Dec 12 05:03 .
drwxr-xrwx 13 oracle orainstall 4096 Dec 10 18:50 ..
OK, nothing in the log directory yet (note that the directory is
world-writable). Let's run oidldapd:
[oracle@dimoniet log]$ /work/oracle8ir3/bin/oidldapd
[oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx 2 oracle orainstall 4096 Dec 12 05:03 .
drwxr-xrwx 13 oracle orainstall 4096 Dec 10 18:50 ..
-rw-r--r-- 1 root orainstall 86 Dec 12 05:26 oidldapd00.log
Oops, owned by root? No comment. So what about running
ln -s /vmlinuz ./oidldapd00.log before starting the daemon? Or
pointing the link at a shared library?
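The symlink attack hinted at above, shown as an added example that is not part of the advisory and not Oracle's code: a C program contrasting the open() pattern a root daemon must not use for a log file in a world-writable directory with a hardened opener that refuses a planted link. The scratch directory under /tmp, the "victim" file standing in for /vmlinuz, the second log name and the function names are constructed for this demonstration; only the log name oidldapd00.log comes from the transcript. It runs as an unprivileged user because the point is the open() semantics, not the privilege.

```c
/* Added example (not from the advisory): a root daemon that creates its log
 * with open(O_CREAT|O_TRUNC) in a world-writable directory can be turned into
 * an arbitrary-file write by a local user who plants a symlink first.
 * Paths and names below are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: the path is trusted, so a symlink planted at
 * dir/oidldapd00.log is followed and its target is truncated and written
 * with the daemon's (root's) privileges. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP if the last
 * path component is a symlink; afterwards fstat() confirms we hold a regular
 * file that we own with a single link, which also rejects a pre-created
 * attacker-owned file and a hard link to a root-owned file. O_APPEND avoids
 * truncating anything; O_CLOEXEC keeps the fd out of child processes. */
int open_log_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demo: build a scratch directory, create a victim file and a symlink named
 * like the OID log pointing at it, then run both openers. Returns 1 when the
 * unsafe open clobbered the victim, the safe open refused the link, and the
 * safe open still works on an unplanted path; 0 otherwise. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/oidlogXXXXXX";            /* constructed scratch dir */
    if (!mkdtemp(dir)) return 0;
    char victim[256], link[256], legit[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);   /* stands in for /vmlinuz */
    snprintf(link, sizeof link, "%s/oidldapd00.log", dir);
    snprintf(legit, sizeof legit, "%s/oidldapd01.log", dir); /* constructed name */

    FILE *f = fopen(victim, "w");
    if (!f) return 0;
    fputs("kernel!!\n", f);                       /* content the attacker wants gone */
    fclose(f);

    if (symlink(victim, link) < 0) return 0;      /* local user plants the link */

    int fd = open_log_unsafe(link);               /* daemon opens its log */
    struct stat st;
    int clobbered = fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0;
    if (fd >= 0) close(fd);

    int safe_fd = open_log_safe(link);            /* hardened opener: ELOOP */
    int refused = safe_fd < 0 && errno == ELOOP;
    if (safe_fd >= 0) close(safe_fd);

    int ok_fd = open_log_safe(legit);             /* no link planted: works */
    int works = ok_fd >= 0;
    if (ok_fd >= 0) close(ok_fd);

    unlink(link); unlink(victim); unlink(legit); rmdir(dir);
    return clobbered && refused && works;
}

int main(void)
{
    printf("unsafe open followed the symlink, hardened open refused it: %s\n",
           demo_symlink_attack() ? "yes" : "no");
    return 0;
}
```

Compile with cc -o oidlog_demo oidlog_demo.c and run it as an ordinary user. The fstat checks only limit the damage once a privileged process is already opening files in a directory others can write to; the real fix is a log directory writable only by the account the daemon runs as, which is why a permission change on the binaries alone (the workaround below) is not a complete fix.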
SOLUTION
Oracle recommends that customers implement the following
workaround: change the file permissions to 710 (owner read, write
and execute; group execute only; no access for others) on the
'oidldapd' and 'oidmon' executables. These permissions limit the
ability to run the executables to a small, privileged group of users
on the host machine. Note that this restricts who can trigger the
root-owned log creation rather than fixing the unsafe file handling
itself, so the patch set below is still required.
Oracle has comprehensively fixed these vulnerabilities in the OID
2.0, Release 2.0.6.3, patch set on Solaris and in the forthcoming
OID 2.1, Release 2.1.1.1, patch set. The OID 2.0.6.3 patch set is
available on Metalink, Oracle's Support Services site. Oracle
intends to produce this patch on additional platforms as well.