Bugtraq mailing list archives
Re: Oracle 8 root exploit
From: ant () NOTATLA DEMON CO UK (Antonomasia)
Date: Mon, 15 Nov 1999 20:45:07 GMT
Adam Levin <levins () WESTNET COM>:
On Sat, 13 Nov 1999, Tellier, Brock wrote:

OVERVIEW
A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user to obtain root privileges.
[by creation of files as root, mode 666]

bt> When run without ORACLE_HOME being set, dbsnmp (suid root/sgid dba by
bt> default) will dump two log files out into pwd, dbsnmpc and dbsnmpt . If
bt> these files do not exist, dbsnmpd will attempt to create them mode 666
bt> and dump around 400 bytes of uncontrollable output into them. If the
bt> files do exist, dbsnmp will append these 400 bytes but not change the
bt> permissions. Thus if root does not have an .rhosts file, we can obtain
bt> root privs by creating a symlink from /tmp/dbsnmpc to /.rhosts.
Confirmed for Oracle 8.0.5 on Solaris 2.6 SPARC. We don't allow rsh connections though (shut off in /etc/inetd.conf), so that's a workaround for some people to use.
I'm afraid Adam does not grasp the outline of this exploit. When a user can create or change files as root there are numerous ways to execute code as root. Avoiding the use of .rhosts file (no inetd) is a mere fraction of a solution. (Some rsh/rlogin daemons go-w .rhosts files anyway. Solaris 2.6 is where Brock found this - AIX would have denied it.)

The next target may be a .forward file (g-w OK), a sourced startup script (works anywhere ?), an ftp server (777 OK) according to taste and filemode.

The nearest example to hand of a startup file:

    if [ -f /etc/pcmcia.conf ] ; then
        . /etc/pcmcia.conf
    fi

--
##############################################################
# Antonomasia   ant () notatla demon co uk                   #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
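The flaw quoted above is a privileged program creating its log mode 666 through whatever already sits at that name. The following C code is an added example, not part of the original post and not Oracle's code: it shows one way a setuid program can open such a log while refusing a planted symlink. The names `open_log_safely` and `demo` are hypothetical, and the `victim` path is a constructed stand-in for `/.rhosts`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Oracle's code): open a log for append without
 * following a symlink planted at `path` and without creating it mode 666. */
int open_log_safely(const char *path)
{
    /* O_CREAT|O_EXCL fails with EEXIST if anything, even a dangling symlink,
     * already sits at path; a new file gets at most mode 0600. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 && errno == EEXIST)  /* exists: reopen, still refusing symlinks */
        fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;  /* judge the object actually opened, not the name */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo in a private temp dir. Returns 0 when the planted symlink
 * is refused, its target is never created, and a fresh log has no group or
 * other permission bits. */
int demo(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", lnk[64], victim[64], fresh[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/dbsnmpc", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);  /* stands in for /.rhosts */
    snprintf(fresh, sizeof fresh, "%s/dbsnmpt", dir);
    if (symlink(victim, lnk) != 0) return -1;
    int refused = open_log_safely(lnk) < 0;
    int untouched = stat(victim, &st) != 0;
    int fd = open_log_safely(fresh);
    int tight = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 077) == 0;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(fresh); rmdir(dir);
    return (refused && untouched && tight) ? 0 : 1;
}

int main(void) { int r = demo(); printf("demo: %s\n", r ? "FAILED" : "ok"); return r; }
```

O_NOFOLLOW only guards the final path component, so a privileged program should also avoid writing logs into a directory the calling user controls.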