Home page logo

bugtraq logo Bugtraq mailing list archives

OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform)
From: Juan Manuel Pascual <jmpascual () open3s com>
Date: Mon, 02 Aug 2004 18:02:15 +0200

*----------========== OPEN3S-2004-10-05-eng-oracle-so-libraries ==========----------

* Title:* Local Vulnerability in Oracle Products. RDBMS, IAs, etc *All Versions*. (10g not tested)
* Date:*     10-05-2004
* Platform:* Tested in Linux, Solaris & HP-UX but can be exported to others. * Impact:* Privilege elevation from oracle products installation owner (usually called oracle or ias ) to root.
* Author:*   Juan Manuel Pascual Escriba <mailto:jmpascual () open3s com>
* Status:* Vendor contacted details below.


Oracle Corporation (nasdaqNM - ORCL) is a world leading database software developer, claiming to develop an unbreakable software. It's products are targeted in database,
application server and data mining market.


This software version
        - Oracle 8i Linux Platform
        - Oracle 9i Linux Platform
        - Oracle 8i HP-UX Platform
        - Oracle 9i Solaris Platform
        - Oracle IAS with patchset v9.0.2.3
        - All versions tested in Unix platform (Universal?¿)

are suitable to privilege elevation from oracle software owner ( normally oracle,ias,
iasr2) to root.


Oracle Libraries are installed owned by oracle in a default installation of the products commented above.

[pask () dimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
drwxr-xr-x   3 iasr2    dba          512 Nov 21 14:04 lbs
drwxr-xr-x  15 iasr2    dba          512 Jan  7 12:13 ldap
drwxr-xr-x   3 iasr2    dba        12800 Nov 21 11:22 lib
drwxr-xr-x  13 iasr2    dba          512 Nov 21 14:04 network
drwxr-xr-x   3 iasr2    dba          512 Nov 21 14:04 ocommon

As you can see, the lib directory owner is iasr2, let's look for some setuid binaries

[pask () dimoniet ora9ias_mid]$ find ./ -perm +4000

[iasr2 () dimoniet ora9ias_mid]$ ls -alc ./bin/dbsnmp
-rwsr-s---   1 root     dba      2900980 Nov 21 14:04 ./bin/dbsnmp
[iasr2 () dimoniet ora9ias_mid]$ ls -alc ./bin/nmo
-rwsr-s---   1 root     dba        12632 Nov 21 14:04 ./bin/nmo

And now, just could see the shared objects that the binaries depends.

[iasr2 () dimoniet ora9ias_mid]$ ldd ./bin/dbsnmp
       libvppdc.so =>   /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
       libclntsh.so.9.0 =>      /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
       libwtc9.so =>    /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
       libthread.so.1 =>        /usr/lib/libthread.so.1
       libkstat.so.1 =>         /usr/lib/libkstat.so.1

[iasr2 () dimoniet ora9ias_mid]$  ldd ./bin/nmo
       libnsl.so.1 =>   /usr/lib/libnsl.so.1
       libsocket.so.1 =>        /usr/lib/libsocket.so.1
       libgen.so.1 =>   /usr/lib/libgen.so.1

ups, it's not posible to achieve root privileges with this binary and by this way

For iasr2 user is too easy to create a so.lib, something like

#include #include
_init() {
  printf("en el _init()\n");
  printf("Con PID=%i y EUID=%i",getpid(),getuid());
  printf("Saliendo del Init()\n");

oracle,ias,iasr2 or iasdb users with local access can gain root privileges through oracle installation


        commented above.


        chown to root lib directory and parent directory.


        Oracle Security Alerts explains in an email sent 26/07/2004 that  "Oracle believes that
        only trusted users should have access to the local iasdb user account".

        I have no information about a patch or a solution from Oracle Corp.

This vulnerability was researched by:
Juan Manuel Pascual Escriba            jmpascual () open3s com
Barcelona - Denia - Spain              http://www.open3s.com

  By Date           By Thread  

Current thread:
  • OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform) Juan Manuel Pascual (Aug 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]