Re: Oracle 8 root exploit

[ant () NOTATLA DEMON CO UK (Antonomasia)]

Adam Levin <levins () WESTNET COM>:

> On Sat, 13 Nov 1999, Tellier, Brock wrote:
> > OVERVIEW
> > A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user
> > to obtain root privileges.
         [by creation of files as root, mode 666]

bt> When run without ORACLE_HOME being set, dbsnmp (suid root/sgid dba by
bt> default) will dump two log files out into pwd, dbsnmpc and dbsnmpt .  If
bt> these files do not exist, dbsnmpd will attempt to create them mode 666
bt> and dump around 400 bytes of uncontrolable output into them.  If the
bt> files do exist, dbsnmp will append these 400 bytes but not change the
bt> permissions.  Thus if root does not have an .rhosts file, we can obtain
bt> root privs by creating a symlink from /tmp/dbsnmpc to /.rhosts.

> Confirmed for Oracle 8.0.5 on Solaris 2.6 SPARC.  We don't allow rsh
> connections though (shut off in /etc/inetd.conf), so that's a workaround
> for some people to use.

I'm afraid Adam does not grasp the outline of this exploit.  When a user can
create or change files as root there are numerous ways to execute code as
root.  Avoiding the use of .rhosts file (no inetd) is a mere fraction of a
solution.  (Some rsh/rlogin daemons go-w .rhosts files anyway.  Solaris 2.6
is where Brock found this - AIX would have denied it.)  The next target may
be a .forward file (g-w OK), a sourced startup script (works anywhere ?),
an ftp server (777 OK) according to taste and filemode.

The nearest example to hand of a startup file:
if [ -f /etc/pcmcia.conf ] ; then
    . /etc/pcmcia.conf


--
##############################################################
# Antonomasia   ant () notatla demon co uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################