what you don't know can hurt you

Oracle Gridengine sgepasswd Buffer Overflow

Oracle Gridengine sgepasswd Buffer Overflow
Posted Nov 30, 2012
Authored by Edward Torkington | Site ngssoftware.com

Oracle Gridengine's sgepasswd suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | dc278ebed50251a0deb5698d833767cc

Oracle Gridengine sgepasswd Buffer Overflow

Change Mirror Download
=======
Summary
=======
Name: Oracle Gridengine sgepasswd Buffer Overflow
Release Date: 30 November 2012
Reference: NGS00107
Discoverer: Edward Torkington <edward.torkington@ngssecure.com>
Vendor: Oracle
Vendor Reference:
Systems Affected: Multiple packages - version 6_2u7
Risk: High
Status: Published

========
TimeLine
========
Discovered: 1 August 2011
Released: 1 August 2011
Approved: 1 August 2011
Reported: 3 August 2011
Fixed: 17 April 2012
Published: 30 November 2012

===========
Description
===========
http://www.oracle.com/us/products/tools/oracle-grid-engine-075549.html

"Oracle Grid Engine software is a distributed resource management (DRM) system that manages the distribution of users' workloads to available compute resources. While compute resources in a typical datacenter have utilization rates that are on average 10%-25%, Oracle Grid Engine can help
a company increase utilization to 80%, 90% or even 95%. This significant improvement comes from the intelligent distribution of workload to the most appropriate available resources.

When users submit their work to Oracle Grid Engine as jobs, the software monitors the current state of all resources in the cluster and is able to assign these jobs to the best-suited resources. Oracle Grid Engine gives administrators both the flexibility to accurately model their computing
environments as resources and to translate business rules into policies that govern the use of those resources."

=================
Technical Details
=================
After installation an sgepasswd binary used as part of Oracle Gridengine is marked as a SUID binary:

[dave@localhost lx24-x86]$ ls -al sgepasswd
-r-s--x--x 1 root root 1109010 Dec 20 2010 sgepasswd

This binary appears to be vulnerable to a number of buffer overflows. The easiest to exploit is in the delete a password for a named account (-d) function. Other exploits can corrupt the sgepasswd file which appears to be written in another directory. If it is corrupt sgepasswd will not run
anymore. A sample exploit is shown below:

[dave@localhost lx24-x86]$ ./sgepasswd -d `perl -e 'print "\x90"x127 . "<exploit bytes obfuscated>"'`
sh-2.05b# id
uid=0(root) gid=0(root) groups=500(dave)

This would a allow a local low-privileged attacker to escalate their privileges.

===============
Fix Information
===============
This has been addresses as part of oracle April update:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html


NCC Group Research
http://www.nccgroup.com/research


For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close