SecurityTracker.com
Category:   Application (Database)  >   Progress Database
Vendors:   Progress Software Corporation
Progress Database Buffer Overflow in BINPATHX Lets Local Users Gain Root Privileges
SecurityTracker Alert ID:  1006577
SecurityTracker URL:  http://securitytracker.com/id/1006577
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 15 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): v9.1D up to 9.1D05
Description:   A buffer overflow vulnerability was reported in the Progress Database in the BINPATHX variable. A local user can obtain root privileges on the system.

Secure Network Operations Strategic Reconnaissance Team reported that the software does not perform bounds checking on the BINPATHX variable. A local user can reportedly set the variable to a specially crafted value and then call the database to cause the database to execute arbitrary code with root privileges.

Impact:   A local user can execute arbitrary code with root privileges.
Solution:   The vendor has released a fixed version (9.1D05). The vendor has also released a patch. For information on the patch, see:

http://www.progress.com/patches/patchlst/91D-156v.htm

Vendor URL:  www.progress.com/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  SRT2003-04-15-1029 - Progress BINPATHX overflow


http://www.secnetops.biz/research





Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team             research@secnetops.com
Team Lead Contact                         kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number		: SRT2003-04-15-1029
Product			: Progress Database
Version			: v9.1D up to 9.1D05
Vendor			: progress.com
Class			: local
Criticality             : High (to all Progress users)
Operating System(s)	: Linux, SunOS, HPUX, *nix


High Level Explanation
************************************************************************
High Level Description	: unchecked buffer in BINPATHX leads to overflow
What to do		: Apply Progress patch 9.1D05 which is available 
from http://www.progress.com/patches/patchlst/91D-156v.htm


Technical Details
************************************************************************
Proof Of Concept Status : Secure Network Operations does have PoC
Low Level Description	: 

With version 9.1D several things have changed in the Progress codebase. 
One such change is the addition of the BINPATHX variable. At first
glance the BINPATHX variable appears to tell Progress binaries where
to find shared library files and other installation files. Unfortunately,
while reading the variable no bounds checking is done. If an attacker
supplies enough data an overflow will occur thus overwriting critical
memory registers including the eip. 

Debugger output		:
rootme@gentoo rootme $ export BINPATHX=`perl -e 'print "A" x 240'`
rootme@gentoo rootme $ gdb -q /usr/dlc/bin/_proapsv
(gdb) r
Starting program: /usr/dlc/bin/_proapsv

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) bt
#0  0x41414141 in ?? ()
Cannot access memory at address 0x41414141

Patch or Workaround	: install 9.1D05 or chmod -s all suid binaries
http://www.progress.com/patches/patchlst/91D-156v.htm
Vendor Status		: vendor has provided a patch 
Bugtraq URL		: to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
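
The missing bounds check on BINPATHX described in the advisory above, shown as a hardened environment-variable read. This is an added example, not Progress code and not part of the advisory; the function name `resolve_binpath`, the 128-byte buffer size and the policy of ignoring the variable in a privileged (setuid/setgid) process are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BINPATH_MAX     128            /* assumed size, not Progress's real one */
#define BINPATH_DEFAULT "/usr/dlc/bin" /* install path seen in the advisory */

enum binpath_src { BP_REJECTED = -1, BP_DEFAULT = 0, BP_ENV = 1 };

/* Unsafe shape the advisory implies (assumed, the real code is not public):
 * copying getenv("BINPATHX") into a fixed buffer with no length check.
 * Hardened version: measure the value against the destination first, accept
 * only absolute paths, and ignore the variable entirely when the process is
 * privileged. `privileged` is a parameter so the policy is testable without
 * a setuid binary. On rejection the compiled-in default is used. */
static enum binpath_src resolve_binpath(const char *env, int privileged,
                                        char *dst, size_t dstsz)
{
    enum binpath_src src = BP_DEFAULT;
    const char *use = BINPATH_DEFAULT;
    size_t n = 0;

    if (dst == NULL || dstsz <= strlen(BINPATH_DEFAULT))
        return BP_REJECTED;            /* buffer cannot even hold the default */

    if (env != NULL && !privileged) {
        while (n < dstsz && env[n] != '\0')
            n++;                       /* bounded scan, stops at dstsz */
        if (n > 0 && n < dstsz && env[0] == '/') {
            use = env;
            src = BP_ENV;
        } else {
            src = BP_REJECTED;         /* oversized, empty or relative value */
        }
    }
    snprintf(dst, dstsz, "%s", use);   /* bounded, always NUL-terminated */
    return src;
}

int main(void)
{
    char path[BINPATH_MAX];
    int privileged = (geteuid() != getuid()) || (getegid() != getgid());
    enum binpath_src src = resolve_binpath(getenv("BINPATHX"), privileged,
                                           path, sizeof path);
    printf("source=%d path=%s\n", src, path);
    return 0;
}
```

With a 240-byte value like the one in the debugger session, the function returns `BP_REJECTED` and the buffer holds the default path instead of attacker-controlled data.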

