WWW.PLAZASITE.COM Systems & Security Division
Title: Local Vulnerability in dbsnmp binary
Date: 13-07-2001
Platform: Only tested in Linux but can be exported to others.
Impact: Users belonging to oracle group can obtain euid=0
Author: Juan Manuel Pascual Escriba <pask_at_plazasite.com>
Status: Vendor contacted
PROBLEM SUMMARY: Buffer overflow exists if ORACLE_HOME environment variable is defined with a size greater than 749 bytes
[oracle_at_proves1 iAS]$ ls -alc /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp
-rwsr-s--- 1 root oinstall 667874 jul 18 15:38 /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp
[oracle_at_proves1 8.1.6]$ export ORACLE_HOME=`perl -e 'print "A"x749'`
[oracle_at_proves1 8.1.6]$ /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Failed to initialize nl component,error=462
Failed to initialize nl component,error=462
[oracle_at_proves1 8.1.6]$[oracle_at_proves1 8.1.6]$ export ORACLE_HOME=`perl -e 'print "A"x750'`
[oracle_at_proves1 8.1.6]$ dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Segmentation fault
This overflow exists in newer products like Oracle 9i and maybe in older too.
[oracle_at_proves1 iAS]$ ls -alc /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
-rwsr-s--- 1 root oinstall 971665 abr 11 17:41 /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
[oracle_at_proves1 iAS]$ export ORACLE_HOME=`perl -e 'print "A"x749'`
[oracle_at_proves1 iAS]$ /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Failed to initialize nl component,error=462
[oracle_at_proves1 iAS]$ Failed to initialize nl component,error=462
[oracle_at_proves1 iAS]$ export ORACLE_HOME=`perl -e 'print "A"x750'`
[oracle_at_proves1 iAS]$ /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
Segmentation fault
IMPACT:
Any user belonging to oracle group can obtain euid=0.
SOLUTION:
Chmod -s or, if it is possible, setresuid(getuid(),getuid(),getuid()) ...
I don't understand why root privileges are necessary to open ports > 1023?
SPECIAL THANKS:
Francisco Fernandez <ffernandez_at_pandasoftware.com>
Ivan Sanchez <isanchez_at_plazasite.com>
Mundo Alonso-Cuevillas <mundo_at_plazasite.com>
--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask_at_plazasite.com
--
" In God We trust, Others We monitor "
-------------------------------------------------------------
Juan Manuel Pascual Escribá
Systems Administrator
PlazaSite S.A.
c/ Tomás Bretón 32-38
08950 Esplugues de Llobregat (Barcelona), SPAIN
Ph: +34 93 3717398 Fax: +34 93 3711968 mob: 667591142
Email: pask_at_plazasite.com
-------------------------------------------------------------
Received on Thu Aug 02 2001 - 04:26:17 CDT
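
Added example, not part of the original post and not Oracle's code: a sketch of the two mitigations the advisory names, applied at the start of a set-uid program. It drops privileges for good with setresuid()/setresgid() and builds the nmiconf.tcl path from ORACLE_HOME with an explicit length check. The function names, the 750-byte buffer and the error text are assumptions made for illustration.

```c
#define _GNU_SOURCE            /* exposes setresuid/setresgid in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signatures as glibc; repeated so the file still compiles if the
 * feature-test macro above is seen too late to take effect. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

#define CONF_SUFFIX "/config/nmiconf.tcl"  /* file name from the error message */

/* Hypothetical helper: permanently give up set-uid/set-gid privileges. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setresgid(gid, gid, gid) != 0) return -1;  /* group first, while allowed */
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* A non-root caller must not be able to get uid 0 back. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Hypothetical helper: build "<home>/config/nmiconf.tcl" into out.
 * Returns 0, or -1 if home is missing or the result would not fit. */
int build_conf_path(const char *home, char *out, size_t outlen)
{
    int n;
    if (home == NULL || out == NULL || outlen == 0) return -1;
    n = snprintf(out, outlen, "%s%s", home, CONF_SUFFIX);
    if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return -1; }
    return 0;
}

int main(void)
{
    char path[750];  /* constructed size for the demo, not taken from dbsnmp */
    const char *home = getenv("ORACLE_HOME");

    if (drop_privileges() != 0 || build_conf_path(home, path, sizeof path) != 0) {
        fputs("refusing to start: privilege drop failed or ORACLE_HOME unusable\n", stderr);
        return 1;
    }
    printf("would read %s\n", path);
    return 0;
}
```

With an over-long ORACLE_HOME the program exits with an error before any copy takes place, and it does so without elevated privileges.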