VYPR
Unrated severity · NVD Advisory · Published Nov 29, 2001 · Updated Apr 16, 2026

CVE-2001-0942

Description

Oracle 8.1.6/8.1.7 dbsnmp setuid binary trusts ORACLE_HOME environment variable, allowing local users to execute arbitrary commands as the oracle user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The dbsnmp executable included with Oracle 8.1.6 and 8.1.7 on UNIX/Linux systems uses the ORACLE_HOME environment variable to locate and execute itself. Because dbsnmp is installed with the setuid bit enabled and is owned by the Oracle operating system account, a local attacker can set ORACLE_HOME to an attacker-controlled directory containing a malicious copy of dbsnmp. When the system invokes dbsnmp, it runs the attacker's binary with the elevated privileges of the Oracle account [1].
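
An added illustration of the trust boundary described above, not Oracle's code: a hypothetical lookup that builds the dbsnmp path from ORACLE_HOME, next to a hardened form that ignores the variable whenever the process runs setuid or setgid. TRUSTED_HOME, the function names and the directory layout are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed build-time install root; a placeholder, not a path from the advisory. */
#define TRUSTED_HOME "/opt/oracle/product"

/* True when the kernel gave this process IDs the invoking user does not hold,
   which is the case for a setuid or setgid binary. */
int running_privileged(void) {
    return geteuid() != getuid() || getegid() != getgid();
}

/* Pattern the advisory describes: the path is built from the caller's
   ORACLE_HOME value with no regard for privilege. Returns 0 on success. */
int agent_path_unsafe(const char *env_home, char *out, size_t n) {
    if (env_home == NULL) return -1;
    int w = snprintf(out, n, "%s/dbsnmp", env_home);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;   /* reject truncated paths */
}

/* Hardened form: a privileged process never consults the environment.
   An unprivileged one may, because it can only run code as the caller. */
int agent_path_safe(const char *env_home, int privileged, char *out, size_t n) {
    const char *home = TRUSTED_HOME;
    if (!privileged && env_home != NULL && env_home[0] == '/')
        home = env_home;
    int w = snprintf(out, n, "%s/dbsnmp", home);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;   /* reject truncated paths */
}

int main(void) {
    char path[4096];
    const char *env_home = getenv("ORACLE_HOME");   /* caller-controlled value */
    if (agent_path_unsafe(env_home, path, sizeof path) == 0)
        printf("unsafe lookup:   %s\n", path);
    if (agent_path_safe(env_home, running_privileged(), path, sizeof path) == 0)
        printf("hardened lookup: %s\n", path);
    return 0;
}
```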

Exploitation

A local user with the ability to modify the ORACLE_HOME environment variable and write files to a directory of their choosing can create a directory containing a malicious executable named dbsnmp. Once ORACLE_HOME points to that directory, any invocation of dbsnmp, whether by the system or another user, executes the attacker's code instead of the legitimate Oracle binary. No authentication or interaction beyond setting the environment variable is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code with the privileges of the Oracle operating system account. This typically results in full control over the Oracle software installation and the ability to read, modify, or delete any data accessible to that account. The confidentiality, integrity, and availability of the Oracle database and related resources are compromised [1].

Mitigation

Oracle has released a patch, available from Oracle Metalink (http://metalink.oracle.com), that addresses this vulnerability. As a workaround, administrators can remove the setuid bit from the dbsnmp file by running chmod -s dbsnmp. Additionally, restricting access to Oracle operating system files to only database administrators reduces the attack surface. If the Intelligent Agent is not in use, removing the setuid bit is strongly recommended [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
