Oracle installations with the 'Oracle Intelligent Agent' installed have a path related vulnerability. The problem lies in the dbsnmp program located in $ORACLE_HOME/bin . This setuid root program calls a tcl script (nmiconf.tcl) located by default in $ORACLE_HOME/network/agent/config. The problem is that the dbsnmp script relies on an environment variable (the path to nmiconf.tcl) which can be a set by a user. Therefore, intruders can force the script to execute a trojaned version of nmiconf.tcl which will run as root.
0f333e0cee58f483618cb5b045cda5dd5f3845e5f50149416ee043fd7957d53a