Title: Vulnerability in oidldapd in Oracle 8.1.7
Released by: Plazasite.com
Date: 11th December 2000


                      WWW.PLAZASITE.COM
                  System & Security Division

   Title:     Vulnerability in oidldapd in Oracle 8.1.7
    Date:     11-12-2000
Platform:     Only tested on Linux, but may apply to other platforms.
  Impact:     Any local user can compromise any file on the local machine.
  Author:     Juan Manuel Pascual (pask@plazasite.com)
  Status:     Vendor contacted, answers received. Details below.

OVERVIEW:
    oidldapd is the Oracle Internet Directory LDAP daemon. The current
version is 2.1.1.1.

PROBLEM SUMMARY:
    There is a write-permission checking error in oidldapd that local
users can use to write to any file on the local machine.

IMPACT:
    Any user with local access can write to any file.

SOLUTION:
    chmod -s (remove the setuid bit) ;-)))).

STATUS:
    Vendor was contacted.

----------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask@plazasite.com

--

                " In God We trust, Others We monitor "

        -------------------------------------------------------------
         Juan Manuel Pascual Escribá            Systems Administrator
         PlazaSite S.A.                         c/ Tomás Bretón 32-38
         08950 Esplugues de Llobregat           (Barcelona),    SPAIN
         Ph: +34 93 3717398                       Fax: +34 93 3711968
         mob: 667591142                     Email: pask@plazasite.com
        -------------------------------------------------------------

--------------------------------------------------------------------------------

This feature seems to be new with oidldapd in OID 2.1.1.1/8.1.7; I couldn't
reproduce it with oidldapd in OID 2.0.6.3, and it seems to be very dangerous.
Look at this. On my system the following occurs:

my ORACLE_HOME=/work/oracle8ir3

oracle@dimoniet bin]$ cd /work/oracle8ir3/ldaplog
oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx    2 oracle   orainstall     4096 Dec 12 05:03 .
drwxr-xrwx   13 oracle   orainstall     4096 Dec 10 18:50 ..

OK .. nothing in the logs ... let's execute oidldapd.

oracle@dimoniet log]$ /work/oracle8ir3/bin/oidldapd
oracle@dimoniet log]$ ls -alc
total 12
drwxr-xrwx    2 oracle   orainstall     4096 Dec 12 05:03 .
drwxr-xrwx   13 oracle   orainstall     4096 Dec 10 18:50 ..
-rw-r--r--    1 root     orainstall       86 Dec 12 05:26 oidldapd00.log

Oops ... owned by root? ... no comment on that ... what about ln -s /vmlinuz ./oidldapd00.log? Or shared libraries?
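
A check an administrator can run for the three conditions visible in the transcript above: a daemon binary with a set-id bit, a log directory writable by any local account, and log names that are already symbolic links. This is an added example, not part of the original advisory or of Oracle's software; the function name audit_oidldapd and its two path arguments are assumptions, and the real paths of an installation have to be supplied by whoever runs it.

```shell
#!/bin/sh
# Added example (not from the advisory): report the conditions that make the
# root-owned log file in the transcript dangerous. Nothing is modified.
# Usage: audit_oidldapd "$ORACLE_HOME/bin/oidldapd" <log directory>

# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_oidldapd() {
    bin=$1      # path to the oidldapd binary (supplied by the caller)
    logdir=$2   # directory where oidldapdNN.log files are created
    findings=0

    # 1. Set-uid/set-gid bit on the daemon: it runs with its owner's (or
    #    group's) privileges no matter which account launches it.
    if [ -u "$bin" ] || [ -g "$bin" ]; then
        echo "SETID: $bin has a set-uid or set-gid bit"
        findings=$((findings + 1))
    fi

    # 2. Log directory writable by "other" and without the sticky bit: any
    #    local account can create or replace entries in it.
    if [ -n "$(find "$logdir" -prune -perm -0002 ! -perm -1000 -print)" ]; then
        echo "WRITABLE: $logdir is world-writable without the sticky bit"
        findings=$((findings + 1))
    fi

    # 3. Log names that are symbolic links: a write by the daemon would land
    #    on the link target instead of on a log file.
    for f in "$logdir"/oidldapd*.log; do
        if [ -L "$f" ]; then
            echo "SYMLINK: $f -> $(readlink "$f")"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

A non-zero return with a SETID line is the case the advisory's "chmod -s" addresses; WRITABLE and SYMLINK lines point at the directory permissions shown in the listing (drwxr-xrwx).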