Vulnwatch mailing list archives
SRT2003-06-13-1009 - Progress _dbagent -installdir dlopen() issue
From: KF <dotslash () snosoft com>
Date: Fri, 13 Jun 2003 22:22:06 -0400
http://www.secnetops.biz/research
Secure Network Operations, Inc.                http://www.secnetops.com
Strategic Reconnaissance Team                  research () secnetops com
Team Lead Contact                              kf () secnetops com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a secure
and reliable Internet and inter-enterprise communications infrastructure
through the products and services we offer.

Quick Summary:
************************************************************************
Advisory Number         : SRT2003-06-13-1009
Product                 : Progress Database dbagent
Version                 : Versions 9.1 up to 9.1D06
Vendor                  : progress.com
Class                   : local
Criticality             : High (to all Progress users)
Operating System(s)     : Linux, SunOS, SCO, TRU64, *nix

High Level Explanation
************************************************************************
High Level Description  : Poor usage of dlopen() causes local root compromise
What to do              : chmod -s /usr/dlc/bin/_dbagent

Technical Details
************************************************************************
Proof Of Concept Status : SNO has exploits for the described situation

Low Level Description   : Progress applications make use of several
helper .dll and .so binaries. When looking for shared object files,
_dbagent searches the directory passed to the command line option
"-installdir". No verification is performed on the object that is
located there, so a local non-superuser can make themselves root.
This vulnerability is a rehash of SRT2003-06-13-0945.txt, with the
difference being the method by which the application determines where
dlopen() should search.
[elguapo@rh8 9.1C]$ cat /usr/dlc/version
echo PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001

Here we are using "-installdir /tmp" as the option to _dbagent. The
library path is built from the option value and handed straight to
dlopen():

snprintf("/tmp/lib/librocket_r.so", 303, "%s/lib/%s", "/tmp", "librocket_r.so")
memset(0xbfffece0, '\000', 303) = 0xbfffece0
strncpy(0xbfffece0, "/tmp/lib/librocket_r.so", 303) = 0xbfffece0
dlopen("/tmp/lib/librocket_r.so", 257

With a library planted under /tmp/lib, its _init runs with the effective
uid of the setuid binary:

This is a fake _init in the fake libjutil.so
uid=0(root) gid=500(elguapo) groups=500(elguapo)

A valid workaround to nearly any Progress security hole is to remove the
suid bit from all binaries.

Vendor Status           : Patch will be in version 10.x
Bugtraq URL             : to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against the
described vulnerability. Exploit source code is no longer released in our
advisories. Contact research () secnetops com for information on how to
obtain exploit information.
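The trace above shows the whole bug: a setuid root program lets its caller pick the directory that dlopen() loads code from, and any shared object's constructor then runs as root. The following is an added example, not Progress code or SNO's exploit, showing the vulnerable path construction next to the guard a setuid helper needs before it calls dlopen(3). The default install directory /usr/dlc, the helper name librocket_r.so and the 303-byte buffer are taken from the paths in the advisory and the ltrace; the "privileged" flag stands in for the getuid() != geteuid() test the real binary would perform, and the temporary-file fixture is constructed so the file check can run anywhere.

```c
/*
 * Added example (not Progress code): picking and vetting a shared object
 * in a setuid helper before it reaches dlopen(3).  Assumptions: the
 * install tree defaults to /usr/dlc, the helper is librocket_r.so, and
 * the path buffer is 303 bytes, all taken from the advisory's trace.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define DEFAULT_INSTALLDIR "/usr/dlc"       /* assumed: _dbagent is /usr/dlc/bin/_dbagent */
#define HELPER_LIB         "librocket_r.so" /* helper name seen in the ltrace */

/* Vulnerable pattern, exactly as the ltrace shows it: whatever followed
 * "-installdir" becomes the dlopen() search root, unchecked. */
const char *helper_lib_path_vulnerable(const char *installdir)
{
    static char path[303];
    snprintf(path, sizeof path, "%s/lib/%s", installdir, HELPER_LIB);
    return path;
}

/* True if any "/"-separated component of p is "..", so a caller cannot
 * climb out of a vetted tree with something like /usr/dlc/../../tmp. */
static int has_dotdot(const char *p)
{
    const char *seg = p;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (!end)
            return 0;
        seg = end + 1;
    }
}

/* Hardened pattern.  'privileged' is what getuid() != geteuid() reports
 * inside the real binary; it is a parameter here so the rule can be
 * exercised without installing a setuid program.  Returns NULL when the
 * request is refused. */
const char *helper_lib_path(const char *installdir, int privileged)
{
    static char path[303];
    int n;

    /* 1. A setuid process never lets its caller choose where code comes
     *    from: with elevated privileges the option is ignored outright. */
    if (privileged)
        installdir = DEFAULT_INSTALLDIR;

    /* 2. Even unprivileged, accept only absolute paths without "..". */
    if (installdir[0] != '/' || has_dotdot(installdir))
        return NULL;

    n = snprintf(path, sizeof path, "%s/lib/%s", installdir, HELPER_LIB);
    if (n < 0 || (size_t)n >= sizeof path)
        return NULL; /* truncated: refuse rather than load the wrong file */
    return path;
}

/* 3. Before dlopen(): the object must be a regular file, owned by the
 *    trusted uid (root for a root-setuid helper) and not writable by
 *    group or others.  lstat() so a planted symlink is not followed.
 *    A complete check applies the same rule to every parent directory. */
int trusted_file(const char *path, uid_t trusted_uid)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != trusted_uid)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Constructed fixture: a temporary file we own (mkstemp creates it 0600),
 * optionally made world-writable, vetted against our own euid.
 * Returns trusted_file()'s verdict, or -1 if the fixture could not be made. */
int trusted_file_demo(int world_writable)
{
    char name[] = "/tmp/srt-demo-XXXXXX";
    int fd = mkstemp(name);
    int ok;
    if (fd < 0)
        return -1;
    close(fd);
    if (world_writable)
        chmod(name, 0666);
    ok = trusted_file(name, geteuid());
    unlink(name);
    return ok;
}

int main(void)
{
    const char *h = helper_lib_path("/tmp", 1);
    printf("vulnerable, -installdir /tmp : %s\n", helper_lib_path_vulnerable("/tmp"));
    printf("hardened,   -installdir /tmp : %s\n", h ? h : "(refused)");
    printf("hardened, ../ escape         : %s\n",
           helper_lib_path("/usr/dlc/../../tmp", 0) ? "allowed" : "refused");
    printf("0600 fixture trusted: %d, 0666 fixture trusted: %d\n",
           trusted_file_demo(0), trusted_file_demo(1));
    return 0;
}
```

Running it as a normal user prints /tmp/lib/librocket_r.so for the vulnerable builder and /usr/dlc/lib/librocket_r.so for the hardened one: once the process is privileged the option is simply not honoured, and the ownership and mode check on the resolved file is defence in depth for the case where the compiled-in tree itself has been left writable. Dropping privileges with the "chmod -s" workaround from the advisory removes the problem at the root, since a non-setuid _dbagent loading an attacker's library only runs it as the attacker.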