TUCoPS :: Unix :: General :: bt410.txt

Progress _dbagent -installdir dlopen() issue


--------------080203020803040605080401
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

http://www.secnetops.biz/research

--------------080203020803040605080401
Content-Type: text/plain;
 name="SRT2003-06-13-1009.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="SRT2003-06-13-1009.txt"

Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-06-13-1009
Product                 : Progress Database dbagent
Version                 : Versions 9.1 up to 9.1D06
Vendor                  : progress.com
Class                   : local
Criticality             : High (to all Progress users)
Operating System(s)     : Linux, SunOS, SCO, TRU64, *nix


High Level Explanation
************************************************************************
High Level Description  : Poor usage of dlopen() causes local root
compromise
What to do              : chmod -s /usr/dlc/bin/_dbagent 


Technical Details
************************************************************************
Proof Of Concept Status : SNO has exploits for the described situation
Low Level Description   :

Progress applications make the use of several helper .dll and .so binaries. 
When looking for shared object files _dbagent looks at the argument passed
to the command line option "-installdir". No verification is performed 
upon the object that is located thus local non super users can make 
themselves root. 

This vulnerability is a rehash of SRT2003-06-13-0945.txt with the 
difference being the method by which the application determines where the
dlopen() should search. 

elguapo@rh8 9.1C]$ cat /usr/dlc/version
echo PROGRESS Version 9.1C as of Thu Jun  7 10:03:59 EDT 2001

here we are using "-installdir /tmp" as the options to _dbagent

snprintf("/tmp/lib/librocket_r.so",303,"%s/lib/%s","/tmp","librocket_r.so") 
memset(0xbfffece0, '\000', 303)                   = 0xbfffece0
strncpy(0xbfffece0, "/tmp/lib/librocket_r.so", 303) = 0xbfffece0
dlopen("/tmp/lib/librocket_r.so", 257
This is a fake _init in the fake libjutil.so
uid=0(root) gid=500(elguapo) groups=500(elguapo)


a valid work around to nearly any Progress security hole is to remove the 
suid bit from all binaries

Vendor Status           : Patch will be in version 10.x  
Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.



--------------080203020803040605080401--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH