104695 2003-06-14 19:52 /2 rader/ KF <dotslash@snosoft.com>
Importerad: 2003-06-14 19:52 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5216>
Ärende: SRT2003-06-13-1009 - Progress _dbagent -installdir dlopen() issue
------------------------------------------------------------
http://www.secnetops.biz/research
(104695) /KF <dotslash@snosoft.com>/----------------
Bilaga (text/plain) i text 104696
104696 2003-06-14 19:52 /75 rader/ KF <dotslash@snosoft.com>
Bilagans filnamn: "SRT2003-06-13-1009.txt"
Importerad: 2003-06-14 19:52 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5217>
Bilaga (text/plain) till text 104695
Ärende: Bilaga (SRT2003-06-13-1009.txt) till: SRT2003-06-13-1009 - Progress _dbagent -installdir dlopen() issue
------------------------------------------------------------
Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team research@secnetops.com
Team Lead Contact kf@secnetops.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
************************************************************************
Advisory Number : SRT2003-06-13-1009
Product : Progress Database dbagent
Version : Versions 9.1 up to 9.1D06
Vendor : progress.com
Class : local
Criticality : High (to all Progress users)
Operating System(s) : Linux, SunOS, SCO, TRU64, *nix
High Level Explanation
************************************************************************
High Level Description : Poor usage of dlopen() causes local root
compromise
What to do : chmod -s /usr/dlc/bin/_dbagent
Technical Details
************************************************************************
Proof Of Concept Status : SNO has exploits for the described situation
Low Level Description :
Progress applications make the use of several helper .dll and .so
binaries. When looking for shared object files _dbagent looks at the
argument passed to the command line option "-installdir". No
verification is performed upon the object that is located thus local
non super users can make themselves root.
This vulnerability is a rehash of SRT2003-06-13-0945.txt with the
difference being the method by which the application determines where
the dlopen() should search.
elguapo@rh8 9.1C]$ cat /usr/dlc/version
echo PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
here we are using "-installdir /tmp" as the options to _dbagent
snprintf("/tmp/lib/librocket_r.so",303,"%s/lib/%s","/tmp","librocket_r.so")
memset(0xbfffece0, '\000', 303) = 0xbfffece0
strncpy(0xbfffece0, "/tmp/lib/librocket_r.so", 303) = 0xbfffece0
dlopen("/tmp/lib/librocket_r.so", 257
This is a fake _init in the fake libjutil.so
uid=0(root) gid=500(elguapo) groups=500(elguapo)
a valid work around to nearly any Progress security hole is to remove
the suid bit from all binaries
Vendor Status : Patch will be in version 10.x
Bugtraq URL : to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
(104696) /KF <dotslash@snosoft.com>/------(Ombruten)