Oracle webserver insecurities

Summary
Description: Anyone who is given control of an Oracle Webserver account can trivially become root
Author: hurtta+zz@OZONE.FMI.FI
Compromise: root (local)
Vulnerable Systems: Those running Oracle Webserver 2.1 or Oracle Webserver 1.0 (included with Oracle7 Server and Oracle7 Workgroup Server)
Date: 19 September 1997
Details


Date: Fri, 19 Sep 1997 09:48:59 +0300
From: hurtta+zz@OZONE.FMI.FI
To: BUGTRAQ@NETSPACE.ORG
Subject: Interesting practises of Oracle [Oracle Webserver]

Hello,

Perhaps the following is interesting.


Software:    Oracle Webserver 2.1
             Oracle Webserver 1.0 (included with Oracle7 Server and Oracle7 Workgroup Server)


Conclusion:  You should use the same criteria to decide who gets the password for the oracle account
             as you use to decide who gets the password for the root account.


Background:  1) Oracle Webserver comes as setuid root
             2) Configuration files and the software tree are owned by
                the oracle account.

Effects:     That allows the oracle account to control
             what is normally left to the root account:


             1) oracle account can select under what account
                Oracle Webserver operates (by editing configuration
                file).

             2) Oracle Webserver 2.1 opens log file as root
                so oracle account can append to any file
                (by editing configuration file).


             Notice that even if 2) is a bug, that is irrelevant
             because 1) supersedes it (and that looks like a planned
             feature).

/ Kari Hurtta
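
The condition described in the post (a setuid-root program that trusts files owned by another account) can be checked for directly. The following is an added example, not part of the original post or of any Oracle tooling; the Entry type, the /example paths and uid 1001 are constructed for illustration.

```python
import os
import stat
from collections import namedtuple

# Stand-in for the os.stat() fields the check needs, so it also runs on constructed data.
Entry = namedtuple("Entry", "path mode uid")

def load(path):
    """Build an Entry from a real file or directory."""
    st = os.stat(path)
    return Entry(path, st.st_mode, st.st_uid)

def is_setuid_root(entry):
    """Regular file, owned by uid 0, setuid bit set: it runs as root for any caller."""
    return stat.S_ISREG(entry.mode) and entry.uid == 0 and bool(entry.mode & stat.S_ISUID)

def audit(binary, trusted):
    """Return (path, reason) for every trusted file or directory that a
    non-root account can modify while the binary runs as root."""
    if not is_setuid_root(binary):
        return []  # not the situation the post describes
    findings = []
    for e in trusted:
        if e.uid != 0:
            findings.append((e.path, "owned by uid %d" % e.uid))
        elif e.mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((e.path, "group- or world-writable"))
    return findings

# Constructed sample: setuid-root server, configuration owned by uid 1001 ("oracle").
SAMPLE_BINARY = Entry("/example/ows/bin/server", 0o104755, 0)
SAMPLE_TRUSTED = [
    Entry("/example/ows/admin", 0o040755, 1001),             # config directory
    Entry("/example/ows/admin/server.cfg", 0o100644, 1001),  # config file
    Entry("/example/ows/admin/root.cfg", 0o100644, 0),       # root-owned, not writable by others
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_BINARY, SAMPLE_TRUSTED):
        print("root-equivalent control: %s (%s)" % (path, reason))
```

On a real host, pass load() results for the server binary and for every configuration file and directory it reads; any finding means the owning account should be treated as root-equivalent.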

This page is part of Fyodor's exploit world.