COMMAND

    oidldapd

SYSTEMS AFFECTED

    oidldapd in Oracle 8.1.7

PROBLEM

    Following is based on a Plazasite Security Advisory by Juan Manuel
    Pascual Escriba.  oidldapd is the Oracle Internet Directory  (OID)
    LDAP daemon.  The current version is 2.1.1.1.

    There is a write permission checking error in oidldapd that can be
    used by local users to write to any file on the local machine.  Any
    user with local access can write any file.

    This feature seems to be new with oidldapd in OID 2.1.1.1/8.1.7.  We
    couldn't reproduce it with oidldapd in OID 2.0.6.3, and it seems  to
    be very dangerous.  Look at this.  On the tested system the following
    occurs:

        my ORACLE_HOME=/work/oracle8ir3

        oracle@dimoniet bin]$ cd /work/oracle8ir3/ldaplog
        oracle@dimoniet log]$ ls -alc
        total 12
        drwxr-xrwx    2    oracle    orainstall    4096    Dec    12 05:03 .
        drwxr-xrwx   13    oracle    orainstall    4096    Dec    10 18:50 ..

    OK .. nothing in the logs ... let's execute oidldapd.

        oracle@dimoniet log]$ /work/oracle8ir3/bin/oidldapd
        oracle@dimoniet log]$ ls -alc
        total 12
        drwxr-xrwx    2    oracle   orainstall    4096    Dec    12 05:03 .
        drwxr-xrwx    13   oracle   orainstall    4096    Dec    10 18:50 ..
        -rw-r--r--    1    root     orainstall      86    Dec    12 05:26 oidldapd00.log

    Oops ... owned by root? ...  no comment ..  what about ln -s
    /vmlinuz ./oidldapd00.log?  Or shared libraries?

SOLUTION

    Oracle  recommends   that  customers   implement  the    following
    workaround:  change the file permissions to 710 on the  'oidldapd'
    and 'oidmon' executables.  These permissions will limit access (to
    the executables) to a small, privileged group of users on the host
    machine.

    Oracle has comprehensively fixed these vulnerabilities in the  OID
    2.0, Release 2.0.6.3, patch set on Solaris and in the  forthcoming
    OID 2.1, Release 2.1.1.1, patch set.  The OID 2.0.6.3 patch set is
    available on  Metalink, Oracle's  Support Services  site.   Oracle
    intends to produce this patch on additional platforms as well.
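    The following audit script is an added example and is not part of
    the original advisory or of Oracle's patch.  It checks an
    ORACLE_HOME for the conditions described in PROBLEM (a log directory
    that other users can write to, and symlinks already planted where
    oidldapd creates its log) and for the SOLUTION workaround (no
    "other" access on the oidldapd and oidmon executables, which mode
    710 gives).  The ldaplog and bin paths are the ones shown above.

```shell
#!/bin/sh
# Audit an ORACLE_HOME for the oidldapd log-file conditions.
# Prints one "FINDING:" line per problem; returns 0 if clean, 1 otherwise.
# Paths ($home/ldaplog, $home/bin) follow the advisory's layout.

perm_string() {            # 9-char rwx string of a path, e.g. rwxr-xrwx
    ls -ld "$1" | cut -c2-10
}

audit_oid() {
    home=$1; findings=0
    logdir=$home/ldaplog

    # 1. Log directory writable by "other" and not sticky: any local user
    #    can place a symlink that the root-owned daemon later opens as a log.
    if [ -d "$logdir" ]; then
        p=$(perm_string "$logdir")
        others=$(printf '%s' "$p" | cut -c7-9)
        case $others in
            *w*) case $others in
                     *t*|*T*) ;;          # sticky bit limits rename/delete
                     *) echo "FINDING: $logdir is world-writable without sticky bit ($p)"
                        findings=1 ;;
                 esac ;;
        esac
        # 2. Any symlink already sitting where a log file would be created.
        for f in "$logdir"/*; do
            [ -e "$f" ] || [ -L "$f" ] || continue   # empty directory
            if [ -L "$f" ]; then
                echo "FINDING: symlink in log dir: $f -> $(readlink "$f")"
                findings=1
            fi
        done
    fi

    # 3. Oracle's workaround: mode 710 on oidldapd and oidmon, i.e. no
    #    access at all for "other".  Flag any other-bit still set.
    for exe in oidldapd oidmon; do
        path=$home/bin/$exe
        [ -f "$path" ] || continue
        p=$(perm_string "$path")
        case $(printf '%s' "$p" | cut -c7-9) in
            ---) ;;
            *) echo "FINDING: $path reachable by all users ($p); chmod 710 per Oracle"
               findings=1 ;;
        esac
    done
    return $findings
}
```

    Run it as audit_oid /work/oracle8ir3 on the affected host; a non-zero
    exit status means at least one finding was printed.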