SecurityTracker.com
Category:   Application (Database)  >   Progress Database
Vendors:   Progress Software Corporation
Progress Database _dbagent Command Option Lets Local Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1006986
SecurityTracker URL:  http://securitytracker.com/id/1006986
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 14 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed:  Yes  
Version(s): 9.1 - 9.1D06
Description:   A vulnerability was reported in the Progress Database in the _dbagent binary. A local user can obtain root privileges on the target system.

Secure Network Operations Strategic Reconnaissance Team reported that when the _dbagent binary is executed, the database will load shared object files with the dlopen() function based on the user-supplied '-installdir' command line option. A local user can specify an installdir location that contains an alternate version of the required object files to cause the user's replacement versions to be executed.

A local user can execute the _dbagent binary, which is configured with set user id (setuid) root user privileges, to cause the user's replacement object file to be executed with root privileges. This will yield root privileges to the local user.

Impact:   A local user can execute arbitrary code with root privileges.
Solution:   No solution was available at the time of this entry. The vendor reportedly plans to issue a fix in version 10.x.

The report indicates that, as a workaround, you can remove the setuid bit from the _dbagent binary with the following command:

chmod -s /usr/dlc/bin/_dbagent

Vendor URL:  www.progress.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [0day] SRT2003-06-13-1009 - Progress _dbagent -installdir dlopen()


-= 0day - Freedom of Voice - Freedom of Choice =-

Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-06-13-1009
Product                 : Progress Database dbagent
Version                 : Versions 9.1 up to 9.1D06
Vendor                  : progress.com
Class                   : local
Criticality             : High (to all Progress users)
Operating System(s)     : Linux, SunOS, SCO, TRU64, *nix


High Level Explanation
************************************************************************
High Level Description  : Poor usage of dlopen() causes local root
compromise
What to do              : chmod -s /usr/dlc/bin/_dbagent


Technical Details
************************************************************************
Proof Of Concept Status : SNO has exploits for the described situation
Low Level Description   :

Progress applications make use of several helper .dll and .so binaries.
When looking for shared object files _dbagent looks at the argument passed
to the command line option "-installdir". No verification is performed
upon the object that is located thus local non super users can make
themselves root.

This vulnerability is a rehash of SRT2003-06-13-0945.txt with the
difference being the method by which the application determines where the
dlopen() should search.

[elguapo@rh8 9.1C]$ cat /usr/dlc/version
echo PROGRESS Version 9.1C as of Thu Jun  7 10:03:59 EDT 2001

here we are using "-installdir /tmp" as the options to _dbagent

snprintf("/tmp/lib/librocket_r.so",303,"%s/lib/%s","/tmp","librocket_r.so")
memset(0xbfffece0, '\000', 303)                   = 0xbfffece0
strncpy(0xbfffece0, "/tmp/lib/librocket_r.so", 303) = 0xbfffece0
dlopen("/tmp/lib/librocket_r.so", 257
This is a fake _init in the fake libjutil.so
uid=0(root) gid=500(elguapo) groups=500(elguapo)


a valid work around to nearly any Progress security hole is to remove the
suid bit from all binaries

Vendor Status           : Patch will be in version 10.x
Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.


_______________________________________________
0day mailing list
0day@nothackers.org
http://nothackers.org/mailman/listinfo/0day

 
 



Copyright 2020, SecurityGlobal.net LLC