From xforce@iss.net Tue Aug 24 06:04:31 1999 From: X-Force Resent-From: mea culpa To: alert@iss.net Resent-To: jericho@attrition.org Cc: X-Force Date: Mon, 23 Aug 1999 17:35:31 -0400 (EDT) Subject: ISSalert: ISS Security Advisory: Additional Root Compromise Vulnerabilities in Oracle 8 TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory August 23, 1999 Additional Root Compromise Vulnerabilities in Oracle 8 Synopsis: Internet Security Systems (ISS) X-Force has discovered additional local vulnerabilities in the Oracle Intelligent Agent that may lead to root compromise. Local attackers may use these vulnerabilities to execute arbitrary commands as root, as well as create root-owned world-writable files anywhere on the file system. Description: This advisory describes additional Oracle Intelligent Agent vulnerabilities that were not described in the ISS X-Force advisory titled, "Root Compromise Vulnerabilities in Oracle 8." This advisory describes two vulnerabilities that stem from trusted environment variables, as well as from implicit trust of rogue Oracle configuration files. The Intelligent Agent binary, 'dbsnmp' is a setuid root executable. The Intelligent Agent is a host-based agent that can be used to monitor, configure, and maintain remote database instances with the Oracle Enterprise manager. The Intelligent Agent is part of the Oracle distribution Fix Information: If remote database administration with the Intelligent Agent is not required, the setuid bit on the 'dbsnmp' binary should be removed. As root, execute the following command: # chmod 755 $ORACLE_HOME/bin/dbsnmp Fix Information: ISS X-Force has worked with Oracle to provide a patch for the vulnerabilities described in this advisory. This patch is available to the public on technet.oracle.com. The direct URL is http://technet.oracle.com/misc/agent/section.htm. Oracle has provided the following information to answer any questions concerning these vulnerabilities. The FAQ is available in HTML format at http://technet.oracle.com/misc/agent/faq.htm. 1. Do I need to upgrade my databases to 8.0.5 or 8.0.6 in order to pick up this fix? No! The Agent may be upgraded on its own, without affecting the version of the databases it manages. To do this, install the Agent and the appropriate patch in a separate Oracle Home. This Agent will be able to manage all targets on its node, irrespective of their versions. 2. What can I do until the fix is available on my platform? While waiting for the fix to be available on your platform, you may use the following workaround: Create a Unix user with normal permissions under which the Agent runs Enterprise Manager jobs. Note: This means all jobs submitted through the Enterprise Manager Console will now run as the 'normal user' instead of the user specified as preferred credentials within the Console. Additionally, the 'normal user' will only have access to the \ORACLE_HOME\Agent directory, unless otherwise specified by the system administrator. Finally, the Agent will only start as the 'normal user.' Steps to apply the workaround: On the system on which the Agent resides, choose/create a Unix user with normal permissions on the system. This user must not be: (A) The user who installed the Oracle RDBMS Server and other Oracle products on the system OR (B) A user with root privileges. The user must belong to a normal group and not "dba". For example: 1 Create a user "agent" belonging to group "agentgrp". 2. Install an Agent in a new Oracle Home as user "agent". Note: DO NOT run the root.sh script under this Oracle Home as part of this installation process. 3. Shutdown the old Agent. 4. Copy files from the Oracle Home of the old Agent to the Oracle Home of the newly installed Agent as follows: cp $ORACLE_HOME(old)/network/agent/* $ORACLE_HOME(new)/network/agent Important: Make sure that the user "agent" owns all files under the $ORACLE_HOME(new)/network/agent directory. Using a terminal window that has the environment of user "agent", start the Agent with: lsnrctl dbsnmp_start For further security, job system access can be prevented if you are using Enterprise Manager version 2.0. To do so, log into the Enterprise Manager Console as a Super Administrator. Using the System -> Manage Administrators option, edit the General Preferences, deactivating 'Access to Job System' for each Administrator you wish to prevent from using the job system. If you are not comfortable with this workaround, you can suspend use of the Agent until the fix is available on your platform. ISS X-Force recommends that all administrators also complete a proactive survey of their Oracle installations to determine which databases require the Intelligent Agent. Additional Information: Dan Ingevaldson of the ISS X-Force primarily researched these vulnerabilities. ISS X-Force would like to thank Oracle Corporation for their response and handling of these vulnerabilities. ________ About ISS: ISS leads the market as the source for e-business risk management solutions, serving as a trusted security provider to thousands of organizations including 21 of the 25 largest U.S. commercial banks and more than 35 government agencies. With its Adaptive Security Management approach, ISS empowers organizations to measure and manage enterprise security risks within Intranet, extranet and electronic commerce environments. Its award-winning SAFEsuite(r) product line of intrusion detection, vulnerability management and decision support solutions are vital for protection in today's world of global connectivity, enabling organizations to proactively monitor, detect and respond to security risks. Founded in 1994, ISS is headquartered in Atlanta, GA with additional offices throughout the U.S. and international operations in Australia/New Zealand, Belgium, France, Germany, Japan, Latin America and the UK. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362. Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBN8G90zRfJiV99eG9AQE6CwP/SYY0jBqr7KT0STNjT8Kw6dCM6DTboYjj cCTxEc5Lvp7xER2N80RxbUUBdjY+7mftSWlZi9Fi8GAWrIe0Zvmon6zXx9WFbXrh N0ofLlrE1hKppYj4WTmAahDsp46fyA8EL9R+OjnFz+EHYTYQ0LOmtPugUXbzLKo1 WzFZUZLwwTc= =oRM1 -----END PGP SIGNATURE-----