Bugtraq mailing list archives
vulnerability #2 in Oracle Internet Directory 2.1.1.1 in Oracle 8.1.7
From: Juan Manuel Pascual Escriba <pask () PLAZASITE COM>
Date: Fri, 22 Dec 2000 10:38:20 +0100
WWW.PLAZASITE.COM
System & Security Division

Title: Vulnerability in oidldapd in Oracle 8.1.7
Date: 11-12-2000
Platform: Only tested in Linux, but can be exported to others.
Impact: Any user can compromise any file in local machine.
Author: Juan Manuel Pascual (pask () plazasite com)
Status: Vendor contacted, answers received. Details below.

OVERVIEW:
oidldapd is a Oracle Internet Directory. Oracle Ldap Daemon. The actual version is 2.1.1.1

PROBLEM SUMMARY:
There is a write permission checking error in oidldapd that can be used by local users to write any file in local machine.

IMPACT:
Any user with local access can write any file.

SOLUTION:
Chmod -s ;-)))).

STATUS:
Vendor was contacted.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba
pask () plazasite com

--
" In God We trust, Others We monitor "
-------------------------------------------------------------
Juan Manuel Pascual Escribá
Administrador de Sistemas
PlazaSite S.A.
c/ Tomás Bretón 32-38
08950 Esplugues de Llobregat (Barcelona), SPAIN
Ph: +34 93 3717398
Fax: +34 93 3711968
mob: 667591142
Email: pask () plazasite com
-------------------------------------------------------------
This feature seems to be new with oidldapd in OID 2.1.1.1/8.1.7; I couldn't reproduce it with oidldapd in OID 2.0.6.3, and it seems to be very dangerous. Look at this. On my system the following occurs:

my ORACLE_HOME=/work/oracle8ir3

oracle@dimoniet bin]$ cd /work/oracle8ir3/ldaplog
oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx 2 oracle orainstall 4096 Dec 12 05:03 .
drwxr-xrwx 13 oracle orainstall 4096 Dec 10 18:50 ..

Ok .. nothing in logs ... let's execute oidldapd.

oracle@dimoniet log]$ /work/oracle8ir3/bin/oidldapd
oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx 2 oracle orainstall 4096 Dec 12 05:03 .
drwxr-xrwx 13 oracle orainstall 4096 Dec 10 18:50 ..
-rw-r--r-- 1 root orainstall 86 Dec 12 05:26 oidldapd00.log

Ups ... owned by root ? ... no comment about .. what about ln -s /vmlinuz ./oidldapd00.log ? or shared libraries ?
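For comparison, a hardened way for a set-uid program to open its log file, as an added example that is not part of the original post and not Oracle's code. It assumes the daemon creates its log while running set-uid root, as the root-owned oidldapd00.log in the listing suggests; open_log_safely is a hypothetical helper name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Oracle code): open a log file from a process
 * that may be running set-uid, without following a planted symlink. */
int open_log_safely(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    struct stat st;
    int fd, saved;

    /* Create the file as the invoking user, not as the set-uid owner. */
    if (euid != ruid && seteuid(ruid) != 0)
        return -1;

    /* O_NOFOLLOW: fail with ELOOP if the last path component is a symlink. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    saved = errno;

    if (euid != ruid && seteuid(euid) != 0) {   /* restore privileges */
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0) { errno = saved; return -1; }

    /* Accept only a plain, singly linked file owned by the invoking user. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != ruid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "oidldapd00.log"; /* name from the post */
    int fd = open_log_safely(path);
    if (fd < 0) { perror(path); return EXIT_FAILURE; }
    if (write(fd, "started\n", 8) != 8) perror("write");
    close(fd);
    return 0;
}
```

O_NOFOLLOW only guards the final path component, so the log directory itself should not be writable by other users as it is in the listing above (drwxr-xrwx).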