[VulnWatch] SRT2003-04-15-1029 - Progress BINPATHX overflow

From: KF (dotslash@snosoft.com)
Date: 04/15/03

    Date: Tue, 15 Apr 2003 11:32:43 -0500
    From: KF <dotslash@snosoft.com>
    To: bugtraq@securityfocus.com
    
    http://www.secnetops.biz/research

    Secure Network Operations, Inc. http://www.secnetops.com
    Strategic Reconnaissance Team research@secnetops.com
    Team Lead Contact kf@secnetops.com

    Our Mission:
    ************************************************************************
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    Quick Summary:
    ************************************************************************
    Advisory Number : SRT2003-04-15-1029
    Product : Progress Database
    Version : v9.1D up to 9.1D05
    Vendor : progress.com
    Class : local
    Criticality : High (to all Progress users)
    Operating System(s) : Linux, SunOS, HPUX, *nix

    High Level Explanation
    ************************************************************************
    High Level Description : unchecked buffer in BINPATHX leads to overflow
    What to do : Apply Progress patch 9.1D05, which is available
    from http://www.progress.com/patches/patchlst/91D-156v.htm

    Technical Details
    ************************************************************************
    Proof Of Concept Status : Secure Network Operations does have PoC
    Low Level Description :

    With version 9.1D several things have changed in the Progress codebase.
    One such change is the addition of the BINPATHX variable. At first
    glance the BINPATHX variable appears to tell Progress binaries where
    to find shared library files and other installation files. Unfortunately,
    no bounds checking is done while the variable is read. If an attacker
    supplies enough data, the buffer overflows and overwrites critical
    memory, including the saved EIP.

    Debugger output :
    rootme@gentoo rootme $ export BINPATHX=`perl -e 'print "A" x 240'`
    rootme@gentoo rootme $ gdb -q /usr/dlc/bin/_proapsv
    (gdb) r
    Starting program: /usr/dlc/bin/_proapsv

    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb) bt
    #0 0x41414141 in ?? ()
    Cannot access memory at address 0x41414141

    Patch or Workaround : install 9.1D05 or chmod -s all suid binaries
    http://www.progress.com/patches/patchlst/91D-156v.htm
    Vendor Status : vendor has provided a patch
    Bugtraq URL : to be assigned
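    The bug class described above (an environment variable copied into a
    fixed stack buffer with no length check) beside a hardened reader, as an
    added example that is not the advisory's or Progress's own code. The
    128-byte buffer size, the function names and the rule of ignoring the
    variable in a setuid process (the reason behind the chmod -s workaround)
    are assumptions; the real _proapsv code is not shown in the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical size of the fixed buffer that receives BINPATHX; the
 * advisory gives no real size, only that a 240-byte value is enough. */
#define BINPATH_BUF 128

/* Vulnerable pattern the advisory describes: the value's length is never
 * checked, so anything past BINPATH_BUF-1 bytes runs off the stack buffer. */
void read_binpathx_unchecked(const char *value, char buf[BINPATH_BUF])
{
    strcpy(buf, value);                 /* no bounds check; illustration only */
}

/* Hardened form: returns 0 on success, -1 when the value is rejected. A
 * setuid/setgid process ignores the variable (the environment is the caller's),
 * and an oversized value is rejected rather than silently truncated. */
int read_binpathx_checked(const char *value, int privileged, char *buf, size_t buflen)
{
    size_t n = 0;
    if (value == NULL || buflen == 0 || privileged)
        return -1;
    while (n < buflen && value[n] != '\0')
        n++;
    if (n == buflen)                    /* no room for the terminator */
        return -1;
    memcpy(buf, value, n + 1);
    return 0;
}

/* Feeds a constructed value like the advisory's perl -e 'print "A" x 240'
 * into a BINPATH_BUF-sized stack buffer and returns the checked verdict. */
int check_repeated(char ch, size_t count, int privileged)
{
    char buf[BINPATH_BUF], value[1024];
    if (count >= sizeof value)
        return -1;
    memset(value, ch, count);
    value[count] = '\0';
    return read_binpathx_checked(value, privileged, buf, sizeof buf);
}

int main(void)
{
    int priv = getuid() != geteuid() || getgid() != getegid();
    printf("240 x 'A': %s\n", check_repeated('A', 240, priv) ? "rejected" : "accepted");
    printf("  8 x 'A': %s\n", check_repeated('A', 8, priv) ? "rejected" : "accepted");
    return 0;
}
```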

    ------------------------------------------------------------------------
    This advisory was released by Secure Network Operations, Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories. Contact research@secnetops.com for information on how
    to obtain exploit information.
