From xforce@iss.net Tue Aug 24 06:04:19 1999 From: X-Force Resent-From: mea culpa To: alert@iss.net Resent-To: jericho@attrition.org Cc: X-Force Date: Mon, 23 Aug 1999 17:34:53 -0400 (EDT) Subject: ISSalert: ISS Security Advisory: Root Compromise Vulnerabilities in Oracle 8 TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory August 23, 1999 Root Compromise Vulnerabilities in Oracle 8 Synopsis: Internet Security Systems (ISS) X-Force has discovered vulnerabilities in superuser owned executables that may allow local root compromise. Attackers may uses these vulnerabilities to create, destroy, or modify any file on the system, including files owned by the superuser. This attack may be particularly useful to gain complete control of the database system, to manipulate Oracle database files, or to deny service. Affected Versions: ISS X-Force has determined that all current versions of Oracle 8 for Unix are vulnerable. These versions include: 8.03, 8.04, 8.05 and 8.15. Oracle 8 for Windows NT is not affected by these vulnerabilities. Description: Oracle has made a recent effort to secure setuid administrative tools shipped with Oracle 8. Certain utilities are still shipped with the setuid bit enabled. The superuser also owns these utilities. ISS X-Force has determined that these vulnerabilities are still exploitable in the most current revisions of Oracle 8. The vulnerabilities described in this advisory are similar to those described in the May 6th ISS X-Force Advisory titled, "Multiple File system Vulnerabilities in Oracle 8." These vulnerabilities are also a result of implicit trust of Oracle system environment variables, as well as insecure file creation and manipulation. The combined effect of these vulnerabilities may allow local attackers to create, append to, or overwrite any file on the file-system as well as privileged oracle files. Temporary files that follow symbolic links are a common source of vulnerabilities in setuid executables. Administrators should remove or restrict access to setuid executables if possible. Developers of setuid programs need to take special precautions to prevent the introduction of vulnerabilities of this nature. The ISS X-Force recommends that all Unix developers become familiar with Matt Bishop's secure programming guide, available at http://olympus.cs.ucdavis.edu/~bishop/secprog.html Fix Information: ISS X-Force has worked with Oracle to provide a patch for the vulnerabilities described in this advisory. This patch is available to the public on technet.oracle.com. The direct URL is http://technet.oracle.com/misc/agent/section.htm. Oracle has provided the following information to answer any questions concerning these vulnerabilities. The FAQ is available in HTML format at http://technet.oracle.com/misc/agent/faq.htm. 1. Do I need to upgrade my databases to 8.0.5 or 8.0.6 in order to pick up this fix? No! The Agent may be upgraded on its own, without affecting the version of the databases it manages. To do this, install the Agent and the appropriate patch in a separate Oracle Home. This Agent will be able to manage all targets on its node, irrespective of their versions. 2. What can I do until the fix is available on my platform? While waiting for the fix to be available on your platform, you may use the following workaround: Create a Unix user with normal permissions under which the Agent runs Enterprise Manager jobs. Note: This means all jobs submitted through the Enterprise Manager Console will now run as the 'normal user' instead of the user specified as preferred credentials within the Console. Additionally the 'normal user' will only have access to the \ORACLE_HOME\Agent directory, unless otherwise specified by the system administrator. Finally, the Agent will only start as the 'normal user.' Steps to apply the workaround: On the system on which the Agent resides, choose/create a Unix user with normal permissions on the system. This user must not be: (A) The user who installed the Oracle RDBMS Server and other Oracle products on the system OR (B) A user with root privileges. The user must belong to a normal group and not "dba". For example: 1. Create a user "agent" belonging to group "agentgrp". 2. Install an Agent in a new Oracle Home as user "agent". Note: DO NOT run the root.sh script under this Oracle Home as part of this installation process. 3. Shutdown the old Agent. 4. Copy files from the Oracle Home of the old Agent to the Oracle Home of the newly installed Agent as follows: cp $ORACLE_HOME(old)/network/agent/* $ORACLE_HOME(new)/network/agent Important: Make sure that the user "agent" owns all files under the $ORACLE_HOME(new)/network/agent directory. 5. Using a terminal window that has the environment of user "agent", start the Agent with: lsnrctl dbsnmp_start For further security, job system access can be prevented if you are using Enterprise Manager version 2.0. To do so, log into the Enterprise Manager Console as a Super Administrator. Using the System -> Manage Administrators option, edit the General Preferences, deactivating 'Access to Job System' for each Administrator you wish to prevent from using the job system. If you are not comfortable with this workaround, suspend the use of the Agent until the fix is available on your platform. ISS X-Force recommends that all administrators also complete a proactive survey of their Oracle installations to determine which machines require the Intelligent Agent. Additional Information: Dan Ingevaldson of the ISS X-Force primarily researched these vulnerabilities. ISS X-Force would like to thank Oracle Corporation for their response and handling of these vulnerabilities. ________ About ISS: ISS leads the market as the source for e-business risk management solutions, serving as a trusted security provider to thousands of organizations including 21 of the 25 largest U.S. commercial banks and more than 35 government agencies. With its Adaptive Security Management approach, ISS empowers organizations to measure and manage enterprise security risks within Intranet, extranet and electronic commerce environments. Its award-winning SAFEsuite(r) product line of intrusion detection, vulnerability management and decision support solutions are vital for protection in today's world of global connectivity, enabling organizations to proactively monitor, detect and respond to security risks. Founded in 1994, ISS is headquartered in Atlanta, GA with additional offices throughout the U.S. and international operations in Australia/New Zealand, Belgium, France, Germany, Japan, Latin America and the UK. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362. Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBN8G9yTRfJiV99eG9AQEEeAP/R3hChjoTuv2nYw63EOvGgTahvY93dyBv SS4wC3t4dd3xQjx2x2MrKa1kafPIuZNXWan+HnkclUnpAxQdmOcXwwYIiuSqWX4m ik6gqRL47Q8UWLJxrcaxTwyY3qvWJBA0L0NZuyaqV4vbukDF3AwcISZtY3bR2JqW 338fgWrFBm8= =hE8b -----END PGP SIGNATURE-----