Penetration Testing mailing list archives

RE: Oracle 8.0.6


From: "Aaron C. Newman" <aaron () newman-family com>
Date: Fri, 30 Nov 2001 13:18:18 -0500

Andrew,

Oracle runs under the security context of a UNIX account probably called
oracle. Using just the oracle privileges you will not be able to root the
box.

What you can try is the following:
using utl_file, create a .rhost file, or edit some other file to allow you to
log into the system as oracle.

After connecting to the operating system, there are a few executable files
that Oracle wants you to run as setuid root. They are oratclsh and dbsnmp. The
oratclsh file is a tcl script interpreter. If this file hasn't been
disabled, you should be able to create a tcl script which will run with root
privileges.

The dbsnmp is a little harder to exploit. There are about half a
dozen buffer overflows in this file - most of them stemming from modifying
the ORACLE_HOME - it just happens three new ones were released today - check
out http://www.oraclesecurity.net/cgi-bin/ubb/ultimatebb.cgi?ubb=forum&f=8
or search SecurityFocus for the words dbsnmp and oracle.


Regards,
Aaron C. Newman
CTO/Founder
Application Security, Inc.
phone: 212-490-6022
-Protection Where It Counts-


-----Original Message-----
From: pen-test-return-1411-aaron=newman-family.com () securityfocus com
[mailto:pen-test-return-1411-aaron=newman-family.com () securityfocus com]
On Behalf Of Andy Rees
Sent: 30 November 2001 11:29
To: pen-test () securityfocus com
Subject: Oracle 8.0.6


Dear All,

I was wondering if anybody has any ideas about this
one.

I am undertaking a security audit and have managed to
get the Oracle SYSTEM account password for an Oracle
8.0.6 server running on Solaris 2.7. This has allowed
me to login to the server via SQLPLUS. The server in
question has 'utl_file_dir = *' set in the initSID.ora
file. (It is only a test server ....).

Whilst I can write Oracle scripts that allow me to
read and write system files (Solaris file permissions
allowing), I cannot find a way of compromising the
actual host OS from this position. I can read the
/etc/passwd file but I cannot write to it and I cannot
even read the /etc/shadow (as you would expect).

Any ideas any of you guys have would be most
appreciated.

Thanks in advance

Andrew

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
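
For administrators who want to check a host for the two conditions this thread discusses (a wildcard utl_file_dir and setuid oratclsh/dbsnmp helpers), here is an audit script added as an example; it is not part of either post. The function names are hypothetical, and the script assumes the init files live under $ORACLE_HOME/dbs and the helpers under $ORACLE_HOME/bin.

```shell
#!/bin/sh
# Added example: audit a host for the two conditions discussed in the thread.
# Function names and default paths are assumptions; adjust them for the host.

# Print every utl_file_dir setting in an init<SID>.ora file whose value is
# the wildcard "*". Returns 0 if at least one is found, 1 otherwise.
wildcard_utl_file_dir() {
    # Drop comments, whitespace and quotes, then compare case-insensitively.
    sed -e 's/#.*//' -e "s/[[:space:]'\"]//g" "$1" |
        tr '[:upper:]' '[:lower:]' |
        grep -n '^utl_file_dir=\*$'
}

# Print "<path> owner-uid=<uid>" for each helper named in the thread
# (oratclsh, dbsnmp) in directory $1 that has the set-user-ID bit set.
setuid_helpers() {
    for name in oratclsh dbsnmp; do
        f="$1/$name"
        if [ -u "$f" ]; then
            uid=$(ls -ln "$f" | awk '{print $3}')
            echo "$f owner-uid=$uid"
        fi
    done
}

# Run the audit only when ORACLE_HOME is set (for example as the oracle user).
if [ -n "${ORACLE_HOME:-}" ]; then
    for ora in "$ORACLE_HOME"/dbs/init*.ora; do
        [ -f "$ora" ] && wildcard_utl_file_dir "$ora" >/dev/null &&
            echo "FINDING: $ora sets utl_file_dir to the wildcard"
    done
    setuid_helpers "$ORACLE_HOME/bin" | sed 's/^/FINDING: setuid helper /'
fi
```

A helper reported with owner-uid=0 is the setuid-root case described in the reply; restricting utl_file_dir to specific directories and removing the setuid bit from unused helpers closes both findings.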


