[Full-Disclosure] OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform)

From: Juan Manuel Pascual (jmpascual_at_open3s.com)
Date: 07/30/04

  • Next message: Andrew Clover: "Re: [Full-Disclosure] Cool Web Search"
    To: full-disclosure@lists.netsys.com
    Date: Fri, 30 Jul 2004 11:28:39 +0200

    *----------========== OPEN3S-2004-10-05-eng-oracle-so-libraries ==========----------

    * Title:* Local Vulnerability in Oracle Products. RDBMS, IAs, etc
               *All Versions*. (10g not tested)
    * Date:* 10-05-2004
    * Platform:* Tested in Linux, Solaris & HP-UX but can be exported to others.
    * Impact:* Privilege elevation from oracle products installation owner
               (usually called oracle or ias ) to root.
    * Author:* Juan Manuel Pascual Escriba <mailto:jmpascual@open3s.com>
    * Status:* Vendor contacted details below.


    Oracle Corporation (nasdaqNM - ORCL) is a world leading database software developer,
    claiming to develop an unbreakable software. It's products are targeted in database,
    application server and data mining market.


    This software version
            - Oracle 8i Linux Platform
            - Oracle 9i Linux Platform
            - Oracle 8i HP-UX Platform
            - Oracle 9i Solaris Platform
            - Oracle IAS with patchset v9.0.2.3
            - All versions tested in Unix platform (Universal?)

    are suitable to privilege elevation from oracle software owner ( normally oracle,ias,
    iasr2) to root.


    Oracle Libraries are installed owned by oracle in a default installation of the products
    commented above.

    [pask@dimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
    drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 lbs
    drwxr-xr-x 15 iasr2 dba 512 Jan 7 12:13 ldap
    drwxr-xr-x 3 iasr2 dba 12800 Nov 21 11:22 lib
    drwxr-xr-x 13 iasr2 dba 512 Nov 21 14:04 network
    drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 ocommon

    As you can see, the lib directory owner is iasr2, let's look for some setuid binaries

    [pask@dimoniet ora9ias_mid]$ find ./ -perm +4000

    [iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/dbsnmp
    -rwsr-s--- 1 root dba 2900980 Nov 21 14:04 ./bin/dbsnmp
    [iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/nmo
    -rwsr-s--- 1 root dba 12632 Nov 21 14:04 ./bin/nmo

    And now, just could see the shared objects that the binaries depends.

    [iasr2@dimoniet ora9ias_mid]$ ldd ./bin/dbsnmp
            libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
            libclntsh.so.9.0 => /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
            libwtc9.so => /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
            libthread.so.1 => /usr/lib/libthread.so.1
            libkstat.so.1 => /usr/lib/libkstat.so.1

    [iasr2@dimoniet ora9ias_mid]$ ldd ./bin/nmo
            libnsl.so.1 => /usr/lib/libnsl.so.1
            libsocket.so.1 => /usr/lib/libsocket.so.1
            libgen.so.1 => /usr/lib/libgen.so.1

    ups, it's not posible to achieve root privileges with this binary and by this way

    For iasr2 user is too easy to create a so.lib, something like


    _init() {
       printf("en el _init()\n");
       printf("Con PID=%i y EUID=%i",getpid(),getuid());
       printf("Saliendo del Init()\n");

            oracle,ias,iasr2 or iasdb users with local access can gain root privileges through
            oracle installation


            commented above.


            chown to root lib directory and parent directory.


            Oracle Security Alerts explains in an email sent 26/07/2004 that "Oracle believes that
            only trusted users should have access to the local iasdb user account".

            I have no information about a patch or a solution from Oracle Corp.

    This vulnerability was researched by:
    Juan Manuel Pascual Escriba jmpascual@open3s.com
    Barcelona - Denia - Spain http://www.open3s.com

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Andrew Clover: "Re: [Full-Disclosure] Cool Web Search"