CVE-2001-0943

Vulnerability

The dbsnmp executable in Oracle 8.0.5 and 8.1.5 on Unix/Linux systems invokes the chown and chgrp commands without fully qualifying their paths. Instead, it relies on the PATH environment variable to locate these binaries. This design flaw allows an attacker to substitute a malicious executable. The vulnerability only affects Oracle 8.0.5 and 8.1.5; versions 8.1.6 and higher are not vulnerable [1].

Exploitation

An attacker must have local access to the system and the ability to modify the PATH environment variable before dbsnmp is executed. The attacker creates a Trojan horse program named chown or chgrp in a directory they control, then prepends that directory to PATH. When dbsnmp runs (e.g., as part of the Oracle Intelligent Agent), it executes the attacker's binary instead of the system utility. No authentication beyond local user access is required [1].

Impact

If dbsnmp is setuid root (which is the default configuration), the attacker's malicious binary runs with root privileges. This results in full root compromise of the system. The attacker can execute arbitrary code with superuser privileges, leading to complete loss of confidentiality, integrity, and availability [1].

Mitigation

Oracle has not released a patch for this vulnerability. The recommended mitigations are to remove the setuid bit from dbsnmp by running chmod -s dbsnmp, or to upgrade to Oracle release 8.1.6 or higher, which does not contain the vulnerable code. Additionally, restricting access to Oracle operating system files to only database administrators reduces the attack surface [1].