From: "Juan Manuel Pascual Escriba"
To:
Subject: Local Vulnerability in dbsnmp binary in Oracle 8.1.6 - 8.1.7 - 9i
Date: Thursday 2 August 2001 19:11

WWW.PLAZASITE.COM
Systems & Security Division

Title:    Local Vulnerability in dbsnmp binary
Date:     13-07-2001
Platform: Only tested on Linux, but probably applicable to other platforms.
Impact:   Users belonging to the oracle group can obtain euid=0
Author:   Juan Manuel Pascual Escriba
Status:   Vendor contacted on 18 July 2001

PROBLEM SUMMARY:

dbsnmp is installed setuid root and setgid (mode -rwsr-s---, owner root, group oinstall in the listings below), so it is executable only by members of its group. A buffer overflow occurs if the ORACLE_HOME environment variable is defined with a length greater than 749 bytes: a 749-byte value is handled normally, while a 750-byte value crashes the binary with a segmentation fault.

[oracle@proves1 iAS]$ ls -alc /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp
-rwsr-s---   1 root     oinstall   667874 jul 18 15:38 /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp
[oracle@proves1 8.1.6]$ export ORACLE_HOME=`perl -e 'print "A"x749'`
[oracle@proves1 8.1.6]$ /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Failed to initialize nl component,error=462
Failed to initialize nl component,error=462
[oracle@proves1 8.1.6]$ export ORACLE_HOME=`perl -e 'print "A"x750'`
[oracle@proves1 8.1.6]$ dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Segmentation fault

This overflow also exists in newer products such as Oracle 9i (the iAS dbsnmp below), and may exist in older ones too.

[oracle@proves1 iAS]$ ls -alc /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
-rwsr-s---   1 root     oinstall   971665 abr 11 17:41 /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
[oracle@proves1 iAS]$ export ORACLE_HOME=`perl -e 'print "A"x749'`
[oracle@proves1 iAS]$ /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Failed to initialize nl component,error=462
Failed to initialize nl component,error=462
[oracle@proves1 iAS]$ export ORACLE_HOME=`perl -e 'print "A"x750'`
[oracle@proves1 iAS]$ /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
Segmentation fault

IMPACT:

Any user belonging to the oracle group can obtain euid=0. Since the binary is executable only by its group (oinstall in the listings above), the exposed population is the membership of that group; because the overflowing value comes from the environment, nothing beyond the ability to execute the binary is needed to trigger the crash.

SOLUTION:

Remove the setuid/setgid bits from dbsnmp (chmod -s), or, if possible, have the binary drop its privileges with setresuid(getuid(), getuid(), getuid()) before it processes anything from the environment. Otherwise, wait for a vendor patch.

SPECIAL THANKS:

Francisco Fernandez
Ivan Sanchez
Mundo Alonso-Cuevillas

--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba
pask@plazasite.com
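The unsafe pattern beside its bounded and de-privileged counterpart, as an added example in C. This is not Oracle's dbsnmp source and not part of the advisory: it assumes a hypothetical setuid helper that copies ORACLE_HOME into a 750-byte stack buffer (a size chosen only so that the 749/750-byte threshold observed above falls out; where the real dbsnmp overflows is not known from the advisory) and then appends /config/nmiconf.tcl. The names load_config_unsafe, build_conf_path, drop_privileges and make_home are mine.

```c
/* Added example: not Oracle's dbsnmp source. A hypothetical setuid helper
 * that copies ORACLE_HOME into a fixed stack buffer, in the unsafe form and
 * in a bounded form that drops privileges first, as the advisory's
 * SOLUTION suggests. HOME_BUF = 750 is an assumption chosen to match the
 * observed threshold (749 bytes handled, 750 bytes segfault); where the
 * real dbsnmp overflows is not known from the advisory. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define HOME_BUF 750                      /* assumed: 749 chars + NUL */
#define CONF_SUFFIX "/config/nmiconf.tcl" /* file named in the error output */

/* Vulnerable pattern: strcpy() of an environment value into a fixed buffer
 * with no length check. A 750+ byte ORACLE_HOME overruns 'home' and smashes
 * the stack; in a setuid root binary that is the situation the advisory
 * reports. Kept only for contrast and never called here with untrusted input. */
static void load_config_unsafe(const char *oracle_home)
{
    char home[HOME_BUF];
    char path[HOME_BUF + sizeof CONF_SUFFIX];

    strcpy(home, oracle_home);            /* overflow when strlen >= HOME_BUF */
    strcpy(path, home);
    strcat(path, CONF_SUFFIX);
    printf("unsafe version would read %s\n", path);
}

/* Bounded version: reject an ORACLE_HOME that would not fit (with its NUL)
 * in the same HOME_BUF-sized buffer, then build the path with snprintf().
 * Returns 0 on success, -1 with errno set on an oversized input. */
int build_conf_path(const char *oracle_home, char *out, size_t outlen)
{
    if (strlen(oracle_home) >= HOME_BUF) {
        errno = E2BIG;
        return -1;
    }
    int w = snprintf(out, outlen, "%s%s", oracle_home, CONF_SUFFIX);
    if (w < 0 || (size_t)w >= outlen) {   /* truncated: treat as an error */
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Give up the setuid/setgid identity before looking at anything from the
 * environment; the in-binary alternative to "chmod -s". All three ids are
 * set to the real id so the effective id cannot be regained later.
 * setresuid()/setresgid() are Linux-specific, hence the fallback. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
#if defined(__linux__)
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
#else
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
#endif
    /* Never trust the drop silently: confirm the effective ids changed. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

/* Reproduces the advisory's probe value: an ORACLE_HOME of n 'A's
 * (perl -e 'print "A"x749' in the listings). Caller frees the result. */
char *make_home(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char path[HOME_BUF + sizeof CONF_SUFFIX];
    char *ok = make_home(749);            /* the value dbsnmp survived */
    char *bad = make_home(750);           /* the value that crashed it */

    if (ok == NULL || bad == NULL)
        return 1;
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("749 bytes: %s\n", build_conf_path(ok, path, sizeof path) == 0 ? "accepted" : "rejected");
    printf("750 bytes: %s\n", build_conf_path(bad, path, sizeof path) == 0 ? "accepted" : "rejected");
    load_config_unsafe("/usr/local/oracle/app/oracle/product/8.1.6"); /* short constant: safe */
    free(ok);
    free(bad);
    return 0;
}
```

The bounded version refuses the 750-byte value instead of overrunning, and the privilege drop runs before any environment value is read, so even a residual bug in the path handling would execute with the caller's own uid rather than euid=0. Note that drop_privileges() deliberately re-checks geteuid()/getegid(): a failed setresuid() in a setuid binary must be treated as fatal, not ignored.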