Re: cpujan2006 client issues
- From: Mark Brinsmead <mark.brinsmead@xxxxxxx>
- To: stellr@xxxxxxxxxx
- Date: Wed, 01 Feb 2006 18:27:41 -0700
Please see comments inline below:
Ray Stell wrote:
> 1. 343382.1 says, "One vulnerability (DBC02) is in a utility that can
> be forced to terminate if given long arguments, potentially allowing
> code of an attacker's choice to be executed. However, this utility is
> not installed with setuid (elevated) privileges, so the risk that it
> can be effectively exploited is very low."
This sounds like a pretty fair assessment. So long as the program does not run with setuid privileges, the risk is only modest. In order to exploit the bug, one would have to "trick" a user (or program) with "elevated" privileges to invoke the on their behalf, supplying very carefully crafted arguments.

Is this a risk? Sure. But not a big one. If I can fool somebody with "root" or "oracle" privileges to run /bin/sh (or vi, or emacs, or find, or ...) with arbitrary parameters that I supply, I will pretty much "own" that system. Given that there are thousands) of programs whose "normal" (and bug-free) operation provides of "exposure", I don't think I'll lose much sleep over some "bug" that

Still, if it doesn't take extraordinary effort to correct (e.g., patching the Oracle client software on 10,000 end-user workstations), the extra precaution is
> Do we know if a patched server is vulnerable to this client issue?

Probably. In general, the "database server" is a (large) superset of the database client,
> Isn't it a bit absurd to think the risk is low because of
> the default install characteristics? What, black hats
> don't know how to use the chmod cmd?
Sure they do. So what?

If a "blackhat" is able to 'chmod' ANY executable to make it setuid to "root" (or anything other than him/her self) it's pretty much all over, isn't it? "chmod" (setuid) is a privileged operation. If the blackhat can do that, you're

I suppose, though, that this *could* be a (not so) subtle way to install a backdoor on a system that has already been broken, though...
> 2. 343384.1 says, "Please do not open an issue with Support for additional
> information on the vulnerabilities."
>
> So, how do I get an answer to the above questions?
How did I do?
> 3. I asked these questions on the metalink unix installation forum yesterday.
> Today, my note is gone. "I'm speechless, I am without speech."

Interesting... I wonder if somebody hacked the Metalink Forums

I understand your annoyance, though. I understand the ban on opening TARs (I guess) but shutting down user discussion on the forums is another thing entirely...
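The risk argument in this thread hinges on whether the buggy utility ever runs with elevated privileges, and on the observation that flipping the setuid bit is itself a privileged operation. The shell snippet below is an added example, not part of this email and not Oracle's tooling: it audits a directory tree for regular files carrying the setuid or setgid bit, which is the check a DBA would run against an ORACLE_HOME after patching to confirm that the "not installed setuid" assumption still holds (and to notice if something has quietly been made setuid on an already-compromised host). The function names, the scratch directory and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from Oracle):
# report regular files under a directory tree that carry the setuid (4000)
# or setgid (2000) permission bit. POSIX find semantics: "-perm -4000"
# matches when all of the given bits are set.

list_setuid_files() {
    # $1: directory to audit, e.g. "$ORACLE_HOME/bin"; prints one path per line
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

count_setuid_files() {
    # Number of flagged files; a scheduled job can compare this with the
    # number recorded at install time and alert on any change.
    list_setuid_files "$1" | wc -l | tr -d ' '
}

demo_setuid_audit() {
    # Constructed demo: a scratch tree with one ordinary script and one
    # script whose setuid bit has been set, then the audit over that tree.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\necho plain\n' > "$tmp/bin/plain_tool"
    printf '#!/bin/sh\necho elevated\n' > "$tmp/bin/suid_tool"
    chmod 0755 "$tmp/bin/plain_tool"
    chmod 4755 "$tmp/bin/suid_tool"   # the setuid bit the audit should flag
    # Print only the basenames so the result does not depend on the temp path.
    result=$(list_setuid_files "$tmp" | sed 's#.*/##')
    rm -rf "$tmp"
    echo "$result"
}

# Usage on a real install (run as the software owner, read-only):
#   list_setuid_files "$ORACLE_HOME"
# An empty result means nothing under that tree runs with elevated privileges.
```

The audit walks the tree with plain `find`, so it needs no privileges beyond read access, and it reports setgid as well as setuid files because either bit lets a program run with rights its caller does not have.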