13 local PoC root exploit programs for Progress Database

[KF <dotslash () snosoft com>]

Over the last couple years I have released several advisories on the 
security of the Progress database http://www.progress.com . Several 
versions of progres have since been retired and thus you should not be 
using them. Attached is a package containing 13 exploits to obtain root 
from Progress
databases of various patch dates and release versions. Most of these 
exploits can be easily modified to work on all versions (from 63E) up 
and including the latest version 91d (like 83dbutils/83_proutil). There 
about 4 more exploits I need to code but they are a bit more difficult 
to exploit because they involve malloc() or free(). All of these issues 
should have already been addressed by progress patches, but be careful 
with which patch you apply... old Progerss patches are like rolling dice.

These exploits will be available shortly at http://www.snosoft.com/research

Here is a directory listing of the attached tar file to give you an idea 
of which programs are easily exploitable.

[root@localhost working]# ls
_dbutil-ex.pl    _proapsv-ex.pl   _progres_fileoverwrite.sh  _rfutil-ex.pl
_mprosrva-ex.pl  _probuild-ex.pl  _prooibk-ex.pl
_mprosrv-ex.pl   _progresa-ex.pl  _prooidv-ex.pl
_mprshut-ex.pl   _progres-ex.pl   _proutil-ex.pl

Some of you may note that a few of these are not suid by default but I 
believe the following Kbase articles make that irrelevant.

Kbase id 12538 says the following:

EXPLANATION:

In order for users to start a multi-user session for Progress, the
following permissions should be maintained.

Progress executables:

    The Progress executables should have read, write, and setuid 
    for the user. The group and other should also have execute 
    permissions. The owner of the executables should be root. This is
 
    accomplished with the the following steps:

         1) Log in as root or switch user to root.

         2) Move to the DLC directory.

         3) Type the following set of commands:

              chown root _*
              chmod 4775 _*
              chmod 755 _sqlsrv2
              chmod 755 _waitfor

Or even better 

Kbase id 19341 says the following: 
When access to the Patch Web Site is available, go to:
http://www.progress.com/patches/
...
copy -rom dlc/* $DLC 
9. Change the permissions on the new files:

find $DLC -exec chown root {} \;
chmod 4755 $DLC/bin/_dbutil
chmod 4755 $DLC/bin/_mprosrv
chmod 4755 $DLC/bin/_mprshut
chmod 4755 $DLC/bin/_orasrv
chmod 4755 $DLC/bin/_proapsv
chmod 4755 $DLC/bin/_probrkr
chmod 4755 $DLC/bin/_probuild
chmod 4755 $DLC/bin/_progres
chmod 4755 $DLC/bin/_prooibk
chmod 4755 $DLC/bin/_prooidv
chmod 4755 $DLC/bin/_proutil
chmod 4755 $DLC/bin/_rfutil
chmod 4755 $DLC/bin/_sqlsrv2
chmod 4755 $DLC/bin/orarx
chmod 4755 $DLC/bin/prolib
chmod 4755 $DLC/bin/sqlcpp

Enjoy folks. 


-KF

Attachment: working.tar
Description: