Subject: vulnerability #2 in Oracle Internet Directory 2.1.1.1 in Oracle 8.1.7
From: Juan Manuel Pascual Escriba (paskPLAZASITE.COM)
Date: Fri Dec 22 2000 - 03:38:20 CST


                      WWW.PLAZASITE.COM
                  System & Security Division

   Title: Vulnerability in oidldapd in Oracle 8.1.7
    Date: 11-12-2000
Platform: Only tested on Linux, but can be exported to others.
  Impact: Any user can compromise any file on the local machine.
  Author: Juan Manuel Pascual (paskplazasite.com)
  Status: Vendor contacted, answers received. Details below.

OVERVIEW:
    oidldapd is the Oracle Internet Directory LDAP daemon. The
current version is 2.1.1.1.

PROBLEM SUMMARY:
    There is a write permission checking error in oidldapd that can be
used by local users to write any file on the local machine.

IMPACT:
    Any user with local access can write any file.

SOLUTION:
    Chmod -s ;-)))).

STATUS:
    Vendor was contacted.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba paskplazasite.com

--

" In God We trust, Others We monitor "

-------------------------------------------------------------
Juan Manuel Pascual Escribá
Systems Administrator
PlazaSite S.A.
c/ Tomás Bretón 32-38
08950 Esplugues de Llobregat (Barcelona), SPAIN
Ph: +34 93 3717398
Fax: +34 93 3711968
mob: 667591142
Email: paskplazasite.com
-------------------------------------------------------------

This feature seems to be new with oidldapd in OID 2.1.1.1/8.1.7; I couldn't reproduce it with oidldapd in OID 2.0.6.3, and it seems to be very dangerous. Look at this. On my system the following occurs:

my ORACLE_HOME=/work/oracle8ir3

oracledimoniet bin]$ cd /work/oracle8ir3/ldaplog
oracledimoniet log]$ ls -alc
total 12
drwxr-xrwx    2 oracle   orainstall     4096 Dec 12 05:03 .
drwxr-xrwx   13 oracle   orainstall     4096 Dec 10 18:50 ..

Ok .. nothing in logs ... lets go to execute oidldapd.

oracledimoniet log]$ /work/oracle8ir3/bin/oidldapd
oracledimoniet log]$ ls -alc
total 12
drwxr-xrwx    2 oracle   orainstall     4096 Dec 12 05:03 .
drwxr-xrwx   13 oracle   orainstall     4096 Dec 10 18:50 ..
-rw-r--r--    1 root     orainstall       86 Dec 12 05:26 oidldapd00.log

Oops ... owned by root? ... No comment about it ... What about ln -s /vmlinuz ./oidldapd00.log? Or shared libraries?
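
The session above shows a root-owned log file created inside a directory that other users can write to. The following is an added example, not part of the original post and not Oracle code, of how a privileged daemon can open its log so that a pre-planted symlink or a log directory writable by "other" is refused. The helper name open_log_safely and the 0640 file mode are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* open_log_safely() is a hypothetical helper written for this example; it is
 * not Oracle code. Returns an fd, or -1 with errno set when it refuses. */
int open_log_safely(const char *dir, const char *name)
{
    struct stat ds, fs;
    int dfd, fd, saved;
    /* Pin the log directory; O_NOFOLLOW rejects a symlinked directory. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* Refuse a directory writable by "other" (the drwxr-xrwx case above). */
    if (fstat(dfd, &ds) < 0 || (ds.st_mode & S_IWOTH)) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    /* A symlink as the final path component makes this fail with ELOOP. */
    fd = openat(dfd, name, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    saved = errno;
    close(dfd);
    if (fd < 0) {
        errno = saved;
        return -1;
    }
    /* O_NOFOLLOW does not stop hard links: require a regular file, one link. */
    if (fstat(fd, &fs) < 0 || !S_ISREG(fs.st_mode) || fs.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = (argc == 3) ? open_log_safely(argv[1], argv[2]) : -1;
    if (fd < 0)
        fprintf(stderr, "log open refused (usage: LOGDIR LOGNAME)\n");
    else
        close(fd);
    return fd < 0;
}
```

A daemon that does not need root to write its log can go further and give up the setuid privilege before opening any file, which is the direction the post's own "chmod -s" points in.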