SRT2003-06-13-1009 - Progress _dbagent -installdir dlopen() issue

[KF <dotslash () snosoft com>]

http://www.secnetops.biz/research

Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research () secnetops com
Team Lead Contact                                 kf () secnetops com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-06-13-1009
Product                 : Progress Database dbagent
Version                 : Versions 9.1 up to 9.1D06
Vendor                  : progress.com
Class                   : local
Criticality             : High (to all Progress users)
Operating System(s)     : Linux, SunOS, SCO, TRU64, *nix


High Level Explanation
************************************************************************
High Level Description  : Poor usage of dlopen() causes local root
compromise
What to do              : chmod -s /usr/dlc/bin/_dbagent 


Technical Details
************************************************************************
Proof Of Concept Status : SNO has exploits for the described situation
Low Level Description   :

Progress applications make the use of several helper .dll and .so binaries. 
When looking for shared object files _dbagent looks at the argument passed
to the command line option "-installdir". No verification is performed 
upon the object that is located thus local non super users can make 
themselves root. 

This vulnerability is a rehash of SRT2003-06-13-0945.txt with the 
difference being the method by which the application determines where the
dlopen() should search. 

elguapo@rh8 9.1C]$ cat /usr/dlc/version
echo PROGRESS Version 9.1C as of Thu Jun  7 10:03:59 EDT 2001

here we are using "-installdir /tmp" as the options to _dbagent

snprintf("/tmp/lib/librocket_r.so",303,"%s/lib/%s","/tmp","librocket_r.so") 
memset(0xbfffece0, '\000', 303)                   = 0xbfffece0
strncpy(0xbfffece0, "/tmp/lib/librocket_r.so", 303) = 0xbfffece0
dlopen("/tmp/lib/librocket_r.so", 257
This is a fake _init in the fake libjutil.so
uid=0(root) gid=500(elguapo) groups=500(elguapo)


a valid work around to nearly any Progress security hole is to remove the 
suid bit from all binaries

Vendor Status           : Patch will be in version 10.x  
Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research () secnetops com for information on how
to obtain exploit information.