Re: cpujan2006 client issues

  • From: Mark Brinsmead <mark.brinsmead@xxxxxxx>
  • To: stellr@xxxxxxxxxx
  • Date: Wed, 01 Feb 2006 18:27:41 -0700

Please see comments inline below:

Ray Stell wrote:

> 1. 343382.1 says, "One vulnerability (DBC02) is in a utility that can
> be forced to terminate if given long arguments, potentially allowing
> code of an attacker's choice to be executed. However, this utility is
> not installed with setuid (elevated) privileges, so the risk that it
> can be effectively exploited is very low."

This sounds like a pretty fair assessment. So long as the program does not run with
setuid privileges, the risk is only modest. In order to exploit the bug, one would have
to "trick" a user (or program) with "elevated" privileges to invoke the affected executable
on their behalf, supplying very carefully crafted arguments.

Is this a risk? Sure. But not a big one. If I can fool somebody with "root" or "oracle"
privileges to run /bin/sh (or vi, or emacs, or find, or ...) with arbitrary parameters that
I supply, I will pretty much "own" that system. Given that there are hundreds (or
thousands) of programs whose "normal" (and bug-free) operation provides this kind
of "exposure", I don't think I'll lose much sleep over some "bug" that provides a
similar exposure.

Still, if it doesn't take extraordinary effort to correct (e.g., patching the Oracle client
software on 10,000 end-user workstations), the extra precaution is probably worthwhile.

> Do we know if a patched server is vulnerable to this client issue?

Probably. In general, the "database server" is a (large) superset of the database client,
isn't it?

> Isn't it a bit absurd to think the risk is low because of
> the default install characteristics? What, black hats
> don't know how to use the chmod cmd?

Sure they do.  So what?

If a "blackhat" is able to 'chmod' ANY executable to make it setuid to "oracle" or
"root" (or anything other than him/her self) it's pretty much all over, isn't it? "chmod"
(setuid) is a privileged operation. If the blackhat can do that, you're already hacked.

I suppose, though, that this *could* be a (not so) subtle way to install a backdoor on
a system that has already been broken, though...

> 2. 343384.1 says, "Please do not open an issue with Support for additional
> information on the vulnerabilities."
>
> So, how do I get an answer to the above questions?

How did I do?

> 3. I asked these questions on the metalink unix installation forum yesterday.
> Today, my note is gone. "I'm speechless, I am without speech."

Interesting... I wonder if somebody hacked the Metalink Forums database... ;-)

I understand your annoyance, though. I understand the ban on opening TARs (I guess)
but shutting down user discussion on the forums is another thing entirely...

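The whole assessment above turns on one property of the affected executable: whether it carries the setuid/setgid bit. Here is a small audit script to check that on an install tree, added as an example and not part of the thread or of any Oracle tooling; the thread does not name the DBC02 utility, so the script takes any directory and any binary path as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): audit an install tree for setuid/setgid
# executables, the property the "risk is very low" assessment depends on.
# The DBC02 utility is not named in the thread, so paths are passed in.

# Return 0 if the file carries the setuid or setgid bit, 1 otherwise.
is_setuid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# List every setuid/setgid regular file under a directory, with mode and
# owner, so a reviewer can see whose privileges such a binary would run with.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null
}

# Print the number of setuid/setgid regular files under a directory.
count_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Describe one binary: whether it is setuid/setgid and who owns it.
describe_binary() {
    if is_setuid "$1"; then
        printf '%s: SETUID/SETGID, owner %s; a memory-safety bug here is a privilege boundary crossing\n' \
            "$1" "$(ls -ld "$1" | awk '{print $3}')"
    else
        printf "%s: not setuid; runs only with the caller's own privileges\n" "$1"
    fi
}

# Usage: sh audit_setuid.sh /path/to/install/tree [/path/to/specific/binary]
if [ $# -ge 1 ]; then
    list_setuid "$1"
    [ $# -ge 2 ] && describe_binary "$2"
fi
```

Re-run the audit after patching or after any permission change; a utility that was "not installed setuid" yesterday is only safe if it still is not today.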