• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Oracle Internet Directory 2.0.6 oidldap Vulnerability

Oracle Internet Directory 2.0.6 is a pre-alpha development release, available as both an addon package and in the Oracle Database Software release 8.1.6. A vulnerability has been found in the oidldap binary within the package.

A buffer overflow exists in the oidldap binary, which is setuid oracle. When executed on the command line, the oidldap binary performs an unsafe check of the ORACLE_HOME environment variable. It is possible for a malicous user to execute shell code through the ORACLE_HOME environment variable, allowing the user to inherit an euid of oracle. In a stock installation of Oracle 8.1.6, this could create a scenario which would allow a local user to compromise the integrity of a database.