Andrew, Oracle runs under the security context of a UNIX account probably called oracle. Using just the oracle privileges you will not be able to root the box. What you can try is the following: using utl_file, create a .rhost file, or edit someother file to allow you to log into the system as oracle. After connecting to the operating system, there are a few executable files that Oracle wants you run as setuid root. They are oratclsh and dbsnmp. The oratclsh file is a tcl script interpreter. If this file hasn't been disabled, you should be able to create a tcl script which will run with root privileges. The dbsnmp is a little harder to harder to exploit. There are about half a dozen buffer overflows in this file - most of them stemming from modifying the ORACLE_HOME - just happens three new ones where release today - check out http://www.oraclesecurity.net/cgi-bin/ubb/ultimatebb.cgi?ubb=forum&f=8 or search security focus for the words dbsnmp and oracle. Regards, Aaron C. Newman CTO/Founder Application Security, Inc. phone: 212-490-6022 -Protection Where It Counts- -----Original Message----- From: pen-test-return-1411-aaron=newman-family.comat_private [mailto:pen-test-return-1411-aaron=newman-family.comat_private]O n Behalf Of Andy Rees Sent: 30 November 2001 11:29 To: pen-testat_private Subject: Oracle 8.0.6 Dear All, I was wondering if anybody has any ideas about this one. I am undertaking a security audit and have managed to get the Oracle SYSTEM account password for an Oracle 8.0.6 server running on Solaris 2.7. This has allowed me to login to the server via SQLPLUS. The server in question has 'utl_file_dir = *' set in the initSID.ora file. (It is only a test server ....). Whilst I can write Oracle scripts that allow me to read and write system files (solaris file permissions allowing) but I cannot find a way of compromising the actual host OS from this position, I can read the /etc/passwd file but I cannot write to it and I cannot even read the /etc/shadow (as you would expect) Any ideas any of you guys have would be most appreciated. Thanks in advance Andrew __________________________________________________ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 13:20:19 PST