Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

SRT2003-04-15-1029 - Progres BINPATHX overflow

From: KF <dotslash () snosoft com>
Date: Tue, 15 Apr 2003 11:32:43 -0500
http://www.secnetops.biz/research





Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research () secnetops com
Team Lead Contact                                 kf () secnetops com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-04-15-1029
Product                 : Progress Database
Version                 : v9.1D up to 9.1D05
Vendor                  : progress.com
Class                   : local
Criticality             : High (to all Progress users)
Operating System(s)     : Linux, SunOS, HPUX, *nix


High Level Explanation
************************************************************************
High Level Description  : unchecked buffer in BINPATHX leads to overflow
What to do              : Apply Progress patch 9.1D05 which is available 
from http://www.progress.com/patches/patchlst/91D-156v.htm


Technical Details
************************************************************************
Proof Of Concept Status : Secure Network Operations does have PoC
Low Level Description   : 

With version 9.1D several things have changed in the Progress codebase. 
One such change is the addition of the BINPATHX variable. At the first 
glance the BINPATHX variable appears to tell Progress binaries where
to find shared library files and other installation files. Unfortunately
while reading the variable no bounds checking is done. If an attacker
supplies enough data an overflow will occur thus overwriting critical
memory registers including the eip. 

Debugger output         :
rootme@gentoo rootme $ export BINPATHX=`perl -e 'print "A" x 240'`
rootme@gentoo rootme $ gdb -q /usr/dlc/bin/_proapsv
(gdb) r
Starting program: /usr/dlc/bin/_proapsv

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) bt
#0  0x41414141 in ?? ()
Cannot access memory at address 0x41414141

Patch or Workaround     : install 9.1D05 or chmod -s all suid binaries
http://www.progress.com/patches/patchlst/91D-156v.htm
Vendor Status           : vendor has provided a patch 
Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research () secnetops com for information on how
to obtain exploit information.
Previous By Date Next
Previous By Thread Next

Current thread: