In Oracle installations, where the “nmr” binary is present and SUID-ed as “root”, due to insecure directory permissions, the “oracle” user can elevate his/her privileges to that of the “root” user by replacing the “nmr_macro_list” file.
The vendor's disclosure and fix for this vulnerability can be found here.
This vulnerability requires:
- Access on the local system as the "oracle" user (e.g. executing arbitrary Java code via a compromised Oracle Database)
More details and the exploitation process can be found in this PDF.