13 local PoC root exploit programs for Progress Database

From: KF (dotslashat_private)
Date: Mon Jun 10 2002 - 19:13:30 PDT


    Over the last couple years I have released several advisories on the
    security of the Progress database http://www.progress.com . Several
    versions of Progress have since been retired and thus you should not be
    using them. Attached is a package containing 13 exploits to obtain root
    from Progress databases of various patch dates and release versions.
    Most of these exploits can be easily modified to work on all versions
    (from 63E) up to and including the latest version 91d (like
    83dbutils/83_proutil). There are about 4 more exploits I need to code
    but they are a bit more difficult to exploit because they involve
    malloc() or free(). All of these issues should have already been
    addressed by Progress patches, but be careful with which patch you
    apply... old Progress patches are like rolling dice.
    
    These exploits will be available shortly at http://www.snosoft.com/research
    
    Here is a directory listing of the attached tar file to give you an idea 
    of which programs are easily exploitable.
    
    [root@localhost working]# ls
    _dbutil-ex.pl    _proapsv-ex.pl   _progres_fileoverwrite.sh  _rfutil-ex.pl
    _mprosrva-ex.pl  _probuild-ex.pl  _prooibk-ex.pl
    _mprosrv-ex.pl   _progresa-ex.pl  _prooidv-ex.pl
    _mprshut-ex.pl   _progres-ex.pl   _proutil-ex.pl
    
    Some of you may note that a few of these are not suid by default but I 
    believe the following Kbase articles make that irrelevant.
    
    Kbase id 12538 says the following:
    
    EXPLANATION:
    
    In order for users to start a multi-user session for Progress, the
    following permissions should be maintained.
    
    Progress executables:
    
         The Progress executables should have read, write, and setuid
         for the user. The group and other should also have execute
         permissions. The owner of the executables should be root. This is
         accomplished with the following steps:
    
              1) Log in as root or switch user to root.
    
              2) Move to the DLC directory.
    
              3) Type the following set of commands:
    
                   chown root _*
                   chmod 4775 _*
                   chmod 755 _sqlsrv2
                   chmod 755 _waitfor
    
    Or even better 
    
    Kbase id 19341 says the following: 
    When access to the Patch Web Site is available, go to:
    http://www.progress.com/patches/
    ...
    copy -rom dlc/* $DLC 
    9. Change the permissions on the new files:
    
    find $DLC -exec chown root {} \;
    chmod 4755 $DLC/bin/_dbutil
    chmod 4755 $DLC/bin/_mprosrv
    chmod 4755 $DLC/bin/_mprshut
    chmod 4755 $DLC/bin/_orasrv
    chmod 4755 $DLC/bin/_proapsv
    chmod 4755 $DLC/bin/_probrkr
    chmod 4755 $DLC/bin/_probuild
    chmod 4755 $DLC/bin/_progres
    chmod 4755 $DLC/bin/_prooibk
    chmod 4755 $DLC/bin/_prooidv
    chmod 4755 $DLC/bin/_proutil
    chmod 4755 $DLC/bin/_rfutil
    chmod 4755 $DLC/bin/_sqlsrv2
    chmod 4755 $DLC/bin/orarx
    chmod 4755 $DLC/bin/prolib
    chmod 4755 $DLC/bin/sqlcpp
    
    Enjoy folks. 
    
    
    -KF 
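
Added example (not part of KF's post and not Progress tooling): a POSIX shell audit that lists setuid files under an install directory and flags the ones group or other can also write, which is what the `chmod 4775 _*` step quoted from Kbase 12538 produces. The function names and the constructed `demo` tree, owned by the current user so it runs without root, are assumptions.

```shell
#!/bin/sh
# Added example: setuid audit for a Progress install directory ($DLC).
# Function names and the demo tree are assumptions, not vendor tooling.

# list_setuid DIR [OWNER]
# One line per setuid regular file owned by OWNER (default root):
#   WRITABLE <path>  setuid and writable by group or other (e.g. mode 4775)
#   SETUID <path>    setuid, writable by the owner only (e.g. mode 4755)
# File names containing newlines are not handled.
list_setuid() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f -user "$owner" -perm -4000 -print | LC_ALL=C sort |
    while IFS= read -r f; do
        if [ -n "$(find "$f" \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "WRITABLE $f"
        else
            echo "SETUID $f"
        fi
    done
}

# demo: constructed tree using the modes from the two Kbase articles.
# Files belong to the current user because creating root-owned files
# needs root; a real audit uses the default owner, root.
demo() {
    t=$(mktemp -d) || return 1
    for n in _proutil _dbutil _waitfor; do : > "$t/$n"; done
    chmod 4775 "$t/_proutil"   # Kbase 12538: chmod 4775 _*
    chmod 4755 "$t/_dbutil"    # Kbase 19341: chmod 4755 $DLC/bin/_dbutil
    chmod 755 "$t/_waitfor"    # Kbase 12538: chmod 755 _waitfor
    list_setuid "$t" "$(id -u)" | sed "s|$t/||"
    rm -rf "$t"
}

# Stand-alone use: sh audit.sh "$DLC"
if [ -n "${1:-}" ] && [ -d "$1" ]; then list_setuid "$@"; fi
```

Every SETUID or WRITABLE line is a binary that runs with the owner's privileges for any local user who can execute it, so each one should be checked against the vendor's current patch level.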
    
    
    
    


