header-logo
Suggest Exploit
vendor:
Oracle 8.1.5i
by:
SecurityFocus
7.5
CVSS
HIGH
Symlink Attack
59
CWE
Product Name: Oracle 8.1.5i
Affected Version From: Oracle 8.1.5i
Affected Version To: Oracle 8.1.5i
Patch Exists: NO
Related CWE: N/A
CPE: oracle:oracle_8.1.5i
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux/Intel
2002

Oracle 8.1.5i Installation Program Vulnerability

A vulnerability exists in the installation program for Oracle 8.1.5i. The Oracle installation scripts will create a directory named /tmp/orainstall, owned by oracle:dba, mode 711. Inside of this directory it will create a shell script named orainstRoot.sh, mode 777. The installation script will then stop and ask the person installing to run this script. The installation program at no point attempts to determine if the directory or script already exist. This makes it possible to create a symbolic link from the orainstRoot.sh file to elsewhere on the file system. This could be used to create a .rhosts file, for instance, and gain access to the root account. In addition, since the orainstRoot.sh file is mode 777, it is possible for any user on the machine to edit this script to execute arbitrary commands when run by root. Again, this can result in the compromise of the root account.

Mitigation:

Ensure that the Oracle installation scripts are not vulnerable to symlink attacks. This can be done by ensuring that the /tmp/orainstall directory and orainstRoot.sh file do not exist prior to running the Oracle installation program.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1035/info

A vulnerability exists in the installation program for Oracle 8.1.5i. The Oracle installation scripts will create a directory named /tmp/orainstall, owned by oracle:dba, mode 711. Inside of this directory it will create a shell script named orainstRoot.sh, mode 777. The installation script will then stop and ask the person installing to run this script. The installation program at no point attempts to determine if the directory or script already exist. This makes it possible to create a symbolic link from the orainstRoot.sh file to elsewhere on the file system. This could be used to create a .rhosts file, for instance, and gain access to the root account. In addition, since the orainstRoot.sh file is mode 777, it is possible for any user on the machine to edit this script to execute arbitrary commands when run by root. Again, this can result in the compromise of the root account.

It is not readily apparent what versions of Oracle this does and does not affect. It has been confirmed on Oracle 8.1.5i, on the Linux/Intel platform. 

mkdir /tmp/orainstall
ln -sf /.rhosts /tmp/orainstall/orainstRoot.sh

Navigation

Suggest Exploit

Services By CQR