98841 2003-04-15 18:09 /6 rader/ KF <dotslash@snosoft.com> Importerad: 2003-04-15 18:09 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <4514> Ärende: SRT2003-04-15-1029 - Progres BINPATHX overflow ------------------------------------------------------------ http://www.secnetops.biz/research (98841) /KF <dotslash@snosoft.com>/----------------- Bilaga (text/plain) i text 98842 98842 2003-04-15 18:09 /70 rader/ KF <dotslash@snosoft.com> Bilagans filnamn: "SRT2003-04-15-1029.txt" Importerad: 2003-04-15 18:09 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <4515> Bilaga (text/plain) till text 98841 Ärende: Bilaga (SRT2003-04-15-1029.txt) till: SRT2003-04-15-1029 - Progres BINPATHX overflow ------------------------------------------------------------ Secure Network Operations, Inc. http://www.secnetops.com Strategic Reconnaissance Team research@secnetops.com Team Lead Contact kf@secnetops.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Quick Summary: ************************************************************************ Advisory Number : SRT2003-04-15-1029 Product : Progress Database Version : v9.1D up to 9.1D05 Vendor : progress.com Class : local Criticality : High (to all Progress users) Operating System(s) : Linux, SunOS, HPUX, *nix High Level Explanation ************************************************************************ High Level Description : unchecked buffer in BINPATHX leads to overflow What to do : Apply Progress patch 9.1D05 which is available from http://www.progress.com/patches/patchlst/91D-156v.htm Technical Details ************************************************************************ Proof Of Concept Status : Secure Network Operations does have PoC Low Level Description : With version 9.1D several things have changed in the Progress codebase. One such change is the addition of the BINPATHX variable. At the first glance the BINPATHX variable appears to tell Progress binaries where to find shared library files and other installation files. Unfortunately while reading the variable no bounds checking is done. If an attacker supplies enough data an overflow will occur thus overwriting critical memory registers including the eip. Debugger output : rootme@gentoo rootme $ export BINPATHX=`perl -e 'print "A" x 240'` rootme@gentoo rootme $ gdb -q /usr/dlc/bin/_proapsv (gdb) r Starting program: /usr/dlc/bin/_proapsv Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) bt #0 0x41414141 in ?? () Cannot access memory at address 0x41414141 Patch or Workaround : install 9.1D05 or chmod -s all suid binaries http://www.progress.com/patches/patchlst/91D-156v.htm Vendor Status : vendor has provided a patch Bugtraq URL : to be assigned ------------------------------------------------------------------------ This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact research@secnetops.com for information on how to obtain exploit information. (98842) /KF <dotslash@snosoft.com>/-------(Ombruten)