Title: Oracle Intelligent Agent Vulnerability
Severity: INFO
Description:
A vulnerability in the Oracle Intelligent Agent allows local malicious users to execute arbitrary commands and to create world-writable files as the root user.
The problem lies in the dbsnmp program located in $ORACLE_HOME/bin. This setuid root, setgid dba program trusts the ORACLE_HOME environment variable without verifying its contents. This vulnerability can be exploited in a number of ways.
The dbsnmp program calls a Tcl script (nmiconf.tcl) located by default in $ORACLE_HOME/network/agent/config. A malicious user can craft their own nmiconf.tcl script and fool the dbsnmp program into executing it as root.
When run without ORACLE_HOME set, dbsnmp dumps two log files into the current working directory: dbsnmpc and dbsnmpt. If these files do not exist, dbsnmp attempts to create them with mode 666 and writes around 400 bytes of uncontrollable output into them. If the files do exist, dbsnmp appends these 400 bytes but does not change the permissions. Thus a malicious user can create world-writable files at locations on the system where no file yet exists (e.g. /.rhosts).
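The following host check is an added example, not part of the original advisory or of Oracle's tooling: it reports whether dbsnmp under a given ORACLE_HOME still carries the setuid or setgid bit and lists world-writable dbsnmpc/dbsnmpt logs under a directory. The function names and the sample path in the final comment are assumptions.

```shell
#!/bin/sh
# Added audit example for the dbsnmp issue; the paths passed in are the caller's.

# True when FILE is a regular file carrying the setuid or setgid bit.
is_privileged() {
    [ -f "$1" ] && { [ -u "$1" ] || [ -g "$1" ]; }
}

# List regular files named dbsnmpc or dbsnmpt under DIR that are
# world-writable, i.e. the mode-666 logs the advisory describes.
find_agent_logs() {
    find "$1" -xdev -type f \( -name dbsnmpc -o -name dbsnmpt \) \
        -perm -0002 -print 2>/dev/null
}

# audit_dbsnmp ORACLE_HOME SCAN_DIR
# Prints one line per finding; returns 1 if anything was found, else 0.
audit_dbsnmp() {
    bin="$1/bin/dbsnmp"
    rc=0
    if is_privileged "$bin"; then
        # Show mode, owner and group so setuid root / setgid dba is visible.
        echo "PRIVILEGED $(ls -ld "$bin" | awk '{print $1, $3, $4}') $bin"
        rc=1
    fi
    logs=$(find_agent_logs "$2")
    if [ -n "$logs" ]; then
        printf '%s\n' "$logs" | sed 's/^/WORLD-WRITABLE-LOG /'
        rc=1
    fi
    return "$rc"
}

# Example run (hypothetical install path):
#   audit_dbsnmp /u01/app/oracle/product/8.0.5 /
```
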
Affected Products:
- HP HP-UX 11.0.0
- HP HP-UX 11.11.0
- Oracle Oracle7 7.3.3
- Oracle Oracle7 7.3.4
- Oracle Oracle8 8.0.3
- Oracle Oracle8 8.0.4
- Oracle Oracle8 8.0.5
- Oracle Oracle8 8.0.5.1
- Oracle Oracle8 8.1.5
- RedHat Linux 6.1.0 i386
- RedHat Linux 6.2.0 i386
- Sun Solaris 2.6_x86
References:
- Oracle: Oracle Support Page