Oracle for Linux Installer Vulnerability
BID:1035
Info
Oracle for Linux Installer Vulnerability
| Bugtraq ID: | 1035 |
| Class: | Race Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 05 2000 12:00AM |
| Updated: | Mar 05 2000 12:00AM |
| Credit: | This vulnerability was reported to the Bugtraq mailing list by Keyser Soze <[email protected]> on March 6, 2000. |
| Vulnerable: |
Oracle Oracle8i Standard Edition 8.1.5 |
| Not Vulnerable: | |
Discussion
Oracle for Linux Installer Vulnerability
A vulnerability exists in the installation program for Oracle 8.1.5i. The Oracle installation scripts will create a directory named /tmp/orainstall, owned by oracle:dba, mode 711. Inside of this directory it will create a shell script named orainstRoot.sh, mode 777. The installation script will then stop and ask the person installing to run this script. The installation program at no point attempts to determine if the directory or script already exist. This makes it possible to create a symbolic link from the orainstRoot.sh file to elsewhere on the file system. This could be used to create a .rhosts file, for instance, and gain access to the root account. In addition, since the orainstRoot.sh file is mode 777, it is possible for any user on the machine to edit this script to execute arbitrary commands when run by root. Again, this can result in the compromise of the root account.
It is not readily apparent what versions of Oracle this does and does not affect. It has been confirmed on Oracle 8.1.5i, on the Linux/Intel platform. It is likely that this vulnerability may exists in other versions, and on other platforms. If you have any information about this, please mail us at: [email protected].
A vulnerability exists in the installation program for Oracle 8.1.5i. The Oracle installation scripts will create a directory named /tmp/orainstall, owned by oracle:dba, mode 711. Inside of this directory it will create a shell script named orainstRoot.sh, mode 777. The installation script will then stop and ask the person installing to run this script. The installation program at no point attempts to determine if the directory or script already exist. This makes it possible to create a symbolic link from the orainstRoot.sh file to elsewhere on the file system. This could be used to create a .rhosts file, for instance, and gain access to the root account. In addition, since the orainstRoot.sh file is mode 777, it is possible for any user on the machine to edit this script to execute arbitrary commands when run by root. Again, this can result in the compromise of the root account.
It is not readily apparent what versions of Oracle this does and does not affect. It has been confirmed on Oracle 8.1.5i, on the Linux/Intel platform. It is likely that this vulnerability may exists in other versions, and on other platforms. If you have any information about this, please mail us at: [email protected].
Exploit / POC
Oracle for Linux Installer Vulnerability
mkdir /tmp/orainstall
ln -sf /.rhosts /tmp/orainstall/orainstRoot.sh
mkdir /tmp/orainstall
ln -sf /.rhosts /tmp/orainstall/orainstRoot.sh
Solution / Fix
Oracle for Linux Installer Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
A suitable work around may be to create the orainstall directory prior to running the install scripts. This can be done as follows:
mkdir /tmp/orainstall
chmod 700 /tmp/orainstall
chown oracle:dba /tmp/orainstall
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
A suitable work around may be to create the orainstall directory prior to running the install scripts. This can be done as follows:
mkdir /tmp/orainstall
chmod 700 /tmp/orainstall
chown oracle:dba /tmp/orainstall