Oracle setuid program vulnerability





    Gilles Parc discovered a new security problem with Oracle on Unix.
    Once again, it involves a setuid program.  Do not confuse it with a
    similar problem corrected by Oracle some months ago with a patch

    If you have installed Oracle Intelligent Agent, you will find in
    $ORACLE_HOME/bin a program called dbsnmp.  This program is setuid
    root and was DELIBERATELY EXCLUDED by Oracle from the aforementioned
    patch.  The security hole lies in the fact that this program
    executes a tcl script (nmiconf.tcl) located by default in

    Needless to say, you can easily bypass this default and have
    your own malicious nmiconf.tcl script run with root privileges.

    This has been verified on HP-UX 10.20 with Oracle 7.3.3 and
    on AIX 4.3 with Oracle, but it is probably generic to Unix.


    Nothing yet.
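
    An administrator can at least inventory which programs under
    $ORACLE_HOME/bin are setuid root, dbsnmp among them. The script below
    is an added example, not part of the original advisory or any Oracle
    tooling; the function names are hypothetical and it assumes
    ORACLE_HOME is set as described above.

```shell
#!/bin/sh
# Added example (not from the advisory): inventory setuid files under an
# Oracle bin directory. Function names are hypothetical.

# Print "owner<TAB>path" for every setuid regular file under DIR.
list_setuid() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f -perm -4000 -print | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        printf '%s\t%s\n' "$owner" "$f"
    done
}

# Print the setuid files owned by root. Returns 0 if there are none,
# 1 if at least one was found, 2 if DIR does not exist.
audit_setuid_root() {
    [ -d "$1" ] || return 2
    hits=$(list_setuid "$1" | awk -F '\t' '$1 == "root" { print $2 }')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone use: audit $ORACLE_HOME/bin when ORACLE_HOME is set.
if [ -n "${ORACLE_HOME:-}" ]; then
    audit_setuid_root "$ORACLE_HOME/bin" ||
        echo "setuid-root files found above; confirm each one is required" >&2
fi
```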
