[ SOURCE: http://www.secureroot.com/security/advisories/9786014237.html ]

WWW.PLAZASITE.COM
System & Security Division

Title:    Vulnerability in oidldapd in Oracle 8.1.7
Date:     11-12-2000
Platform: Only tested on Linux, but can be exported to others.
Impact:   Any user can compromise any file on the local machine.
Author:   Juan Manuel Pascual (pask@plazasite.com)
Status:   Vendor contacted, answers received.

Details below.

OVERVIEW:
oidldapd is the Oracle Internet Directory (OID) LDAP daemon. The current version is 2.1.1.1.

PROBLEM SUMMARY:
There is a write permission checking error in oidldapd that can be used by local users to write any file on the local machine.

IMPACT:
Any user with local access can write any file.

SOLUTION:
Chmod -s ;-)))).

STATUS:
Vendor was contacted.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask@plazasite.com

--
" In God We trust, Others We monitor "
-------------------------------------------------------------
Juan Manuel Pascual Escribá
Systems Administrator
PlazaSite S.A.
c/ Tomás Bretón 32-38
08950 Esplugues de Llobregat (Barcelona), SPAIN
Ph: +34 93 3717398
Fax: +34 93 3711968
mob: 667591142
Email: pask@plazasite.com
-------------------------------------------------------------

--------------------------------------------------------------------------------

This feature seems to be new with oidldapd in OID 2.1.1.1/8.1.7. I couldn't reproduce it with oidldapd in OID 2.0.6.3, and it seems to be very dangerous. Look at this. On my system the following occurs:

My ORACLE_HOME=/work/oracle8ir3

    oracle@dimoniet bin]$ cd /work/oracle8ir3/ldaplog
    oracle@dimoniet log]$ ls -alc
    total 12
    drwxr-xrwx 2 oracle orainstall 4096 Dec 12 05:03 .
    drwxr-xrwx 13 oracle orainstall 4096 Dec 10 18:50 ..

OK, nothing in the logs. Let's execute oidldapd.

    oracle@dimoniet log]$ /work/oracle8ir3/bin/oidldapd
    oracle@dimoniet log]$ ls -alc
    total 12
    drwxr-xrwx 2 oracle orainstall 4096 Dec 12 05:03 .
    drwxr-xrwx 13 oracle orainstall 4096 Dec 10 18:50 ..
    -rw-r--r-- 1 root orainstall 86 Dec 12 05:26 oidldapd00.log

Oops ... owned by root? No comment. What about ln -s /vmlinuz ./oidldapd00.log? Or shared libraries?