[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NGS000107 Technical Advisory: Oracle Gridengine sgepasswd Buffer Overflow

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: NGS000107 Technical Advisory: Oracle Gridengine sgepasswd Buffer Overflow
From: NCC Group Research <research@xxxxxxxxxxxx>
Date: Fri, 30 Nov 2012 10:12:37 +0000

=======
Summary
=======
Name: Oracle Gridengine sgepasswd Buffer Overflow
Release Date: 30 November 2012
Reference: NGS00107
Discoverer: Edward Torkington <edward.torkington@xxxxxxxxxxxxx>
Vendor: Oracle
Vendor Reference: 
Systems Affected: Multiple packages - version 6_2u7
Risk: High
Status: Published

========
TimeLine
========
Discovered:  1 August 2011
Released:  1 August 2011
Approved:  1 August 2011
Reported:  3 August 2011
Fixed: 17 April 2012
Published: 30 November 2012

===========
Description
===========
http://www.oracle.com/us/products/tools/oracle-grid-engine-075549.html

"Oracle Grid Engine software is a distributed resource management (DRM) system 
that manages the distribution of users' workloads to available compute 
resources. While compute resources in a typical datacenter have utilization 
rates that are on average 10%-25%, Oracle Grid Engine can help
a company increase utilization to 80%, 90% or even 95%. This significant 
improvement comes from the intelligent distribution of workload to the most 
appropriate available resources.

When users submit their work to Oracle Grid Engine as jobs, the software 
monitors the current state of all resources in the cluster and is able to 
assign these jobs to the best-suited resources. Oracle Grid Engine gives 
administrators both the flexibility to accurately model their computing
environments as resources and to translate business rules into policies that 
govern the use of those resources."

=================
Technical Details
=================
After installation an sgepasswd binary used as part of Oracle Gridengine is 
marked as a SUID binary:

[dave@localhost lx24-x86]$ ls -al sgepasswd
-r-s--x--x    1 root     root      1109010 Dec 20  2010 sgepasswd

This binary appears to be vulnerable to a number of buffer overflows. The 
easiest to exploit is in the delete a password for a named account (-d) 
function. Other exploits can corrupt the sgepasswd file which appears to be 
written in another directory. If it is corrupt sgepasswd will not run
anymore. A sample exploit is shown below:

[dave@localhost lx24-x86]$ ./sgepasswd -d `perl -e 'print "\x90"x127 . 
"<exploit bytes obfuscated>"'`
sh-2.05b# id
uid=0(root) gid=0(root) groups=500(dave)

This would a allow a local low-privileged attacker to escalate their privileges.

===============
Fix Information
===============
This has been addresses as part of oracle April update:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html


NCC Group Research
http://www.nccgroup.com/research


For more information please visit <a 
href="http://www.mimecast.com";>http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>

Prev by Date: NGS000193 Technical Advisory: DataArmor Full Disk Encryption Restricted Environment breakout
Next by Date: NGS000196 Technical Advisory: Nagios XI Network Monitor OS Command Injection
Previous by thread: NGS000193 Technical Advisory: DataArmor Full Disk Encryption Restricted Environment breakout
Next by thread: NGS000196 Technical Advisory: Nagios XI Network Monitor OS Command Injection
Index(es):
- Date
- Thread