Subject: vulnerability #2 in Oracle Internet Directory 2.1.1.1 in Oracle 8.1.7
From: Juan Manuel Pascual Escriba (pask@PLAZASITE.COM)
Date: Fri Dec 22 2000 - 03:38:20 CST
WWW.PLAZASITE.COM
System & Security Division
Title: Vulnerability in oidldapd in Oracle 8.1.7
Date: 11-12-2000
Platform: Only tested on Linux, but can be exported to others.
Impact: Any user can compromise any file on the local machine.
Author: Juan Manuel Pascual (pask@plazasite.com)
Status: Vendor contacted, answers received. Details below.
OVERVIEW:
oidldapd is the Oracle Internet Directory LDAP daemon. The
current version is 2.1.1.1.
PROBLEM SUMMARY:
There is a write permission checking error in oidldapd that can be
used by local users to write any file on the local machine.
IMPACT:
Any user with local access can write any file.
SOLUTION:
Chmod -s ;-)))).
STATUS:
Vendor was contacted.
----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask@plazasite.com
--" In God We trust, Others We monitor "
-------------------------------------------------------------
Juan Manuel Pascual Escribá
Systems Administrator
PlazaSite S.A.
c/ Tomás Bretón 32-38
08950 Esplugues de Llobregat (Barcelona), SPAIN
Ph: +34 93 3717398 Fax: +34 93 3711968 mob: 667591142
Email: pask@plazasite.com
-------------------------------------------------------------
This feature seems to be new with oidldapd in OID 2.1.1.1/8.1.7; I couldn't reproduce it with oidldapd in OID 2.0.6.3, and it seems to be very dangerous. Look at this. On my system the following occurs:
my ORACLE_HOME=/work/oracle8ir3
[oracle@dimoniet bin]$ cd /work/oracle8ir3/ldaplog
[oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx 2 oracle orainstall 4096 Dec 12 05:03 .
drwxr-xrwx 13 oracle orainstall 4096 Dec 10 18:50 ..
Ok .. nothing in logs ... let's go execute oidldapd.
[oracle@dimoniet log]$ /work/oracle8ir3/bin/oidldapd
[oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx 2 oracle orainstall 4096 Dec 12 05:03 .
drwxr-xrwx 13 oracle orainstall 4096 Dec 10 18:50 ..
-rw-r--r-- 1 root orainstall 86 Dec 12 05:26 oidldapd00.log
Ups ... owned by root ? ... no comment about .. what about ln -s /vmlinuz ./oidldapd00.log ? or shared libraries ?
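
Added example (not part of the original post, and not Oracle's code): the session above shows a setuid binary creating oidldapd00.log as root in a directory that other users can write to. One way a setuid daemon can open its log so that a world-writable log directory or a symlink planted under the log's name is refused; open_log_safely and its refusal policy are assumptions made for illustration.

```c
/* Added example, not Oracle's code; open_log_safely() is a hypothetical helper. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an append-only descriptor, or -1 if the open is refused. */
int open_log_safely(const char *dir, const char *name)
{
    struct stat st;
    uid_t saved = geteuid();
    int dfd, fd = -1;
    /* 1. Create the file with the invoking user's rights, not root's. */
    if (seteuid(getuid()) != 0)
        return -1;
    /* 2. Refuse a log directory that others may write to (drwxr-xrwx). */
    dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0 || fstat(dfd, &st) != 0 || (st.st_mode & S_IWOTH))
        goto out;
    /* 3. Never follow a symlink planted under the log's name. */
    fd = openat(dfd, name, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    /* 4. Accept only a regular file with a single hard link. */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1)) {
        close(fd);
        fd = -1;
    }
out:
    if (dfd >= 0)
        close(dfd);
    /* Restore the previous effective uid; fail closed if that is impossible. */
    if (seteuid(saved) != 0 && fd >= 0) {
        close(fd);
        fd = -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc == 3 ? open_log_safely(argv[1], argv[2]) : -1;
    if (fd < 0) {
        fprintf(stderr, "usage: %s LOGDIR LOGNAME (or open refused)\n", argv[0]);
        return EXIT_FAILURE;
    }
    close(fd);
    return EXIT_SUCCESS;
}
```

The name is resolved relative to the already-checked directory descriptor, so the directory cannot be swapped between the permission check and the open.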