Vulners
Lucene search
Oracle Gridengine sgepasswd Buffer Overflow Vulnerability
=======
Summary
=======
Name: Oracle Gridengine sgepasswd Buffer Overflow
Release Date: 30 November 2012
Reference: NGS00107
Discoverer: Edward Torkington <[email protected]>
Vendor: Oracle
Vendor Reference:
Systems Affected: Multiple packages - version 6_2u7
Risk: High
Status: Published
========
TimeLine
========
Discovered: 1 August 2011
Released: 1 August 2011
Approved: 1 August 2011
Reported: 3 August 2011
Fixed: 17 April 2012
Published: 30 November 2012
===========
Description
===========
http://www.oracle.com/us/products/tools/oracle-grid-engine-075549.html
"Oracle Grid Engine software is a distributed resource management (DRM) system that manages the distribution of users' workloads to available compute resources. While compute resources in a typical datacenter have utilization rates that are on average 10%-25%, Oracle Grid Engine can help
a company increase utilization to 80%, 90% or even 95%. This significant improvement comes from the intelligent distribution of workload to the most appropriate available resources.
When users submit their work to Oracle Grid Engine as jobs, the software monitors the current state of all resources in the cluster and is able to assign these jobs to the best-suited resources. Oracle Grid Engine gives administrators both the flexibility to accurately model their computing
environments as resources and to translate business rules into policies that govern the use of those resources."
=================
Technical Details
=================
After installation an sgepasswd binary used as part of Oracle Gridengine is marked as a SUID binary:
[[email protected] lx24-x86]$ ls -al sgepasswd
-r-s--x--x 1 root root 1109010 Dec 20 2010 sgepasswd
This binary appears to be vulnerable to a number of buffer overflows. The easiest to exploit is in the delete a password for a named account (-d) function. Other exploits can corrupt the sgepasswd file which appears to be written in another directory. If it is corrupt sgepasswd will not run
anymore. A sample exploit is shown below:
[[email protected] lx24-x86]$ ./sgepasswd -d `perl -e 'print "\x90"x127 . "<exploit bytes obfuscated>"'`
sh-2.05b# id
uid=0(root) gid=0(root) groups=500(dave)
This would a allow a local low-privileged attacker to escalate their privileges.
===============
Fix Information
===============
This has been addresses as part of oracle April update:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
NCC Group Research
http://www.nccgroup.com/research
For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>
# 0day.today [2018-04-14] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Nov 2012 00:00Current
7.4High risk
Vulners AI Score7.4