[VulnWatch] SRT2003-06-13-1009 - Progress _dbagent -installdir dlopen() issue

From: KF (dotslash_at_snosoft.com)
Date: 06/14/03

  • Next message: KF: "[VulnWatch] SRT2003-06-13-0945 - Progress PATH based dlopen() issue" 
    Date: Fri, 13 Jun 2003 22:22:06 -0400
To: bugtraq@securityfocus.com

    http://www.secnetops.biz/research

    Secure Network Operations, Inc. http://www.secnetops.com
    Strategic Reconnaissance Team research@secnetops.com
    Team Lead Contact kf@secnetops.com

    Our Mission:
    ************************************************************************
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    Quick Summary:
    ************************************************************************
    Advisory Number : SRT2003-06-13-1009
    Product : Progress Database dbagent
    Version : Versions 9.1 up to 9.1D06
    Vendor : progress.com
    Class : local
    Criticality : High (to all Progress users)
    Operating System(s) : Linux, SunOS, SCO, TRU64, *nix

    High Level Explanation
    ************************************************************************
    High Level Description : Poor usage of dlopen() causes local root
    compromise
    What to do : chmod -s /usr/dlc/bin/_dbagent

    Technical Details
    ************************************************************************
    Proof Of Concept Status : SNO has exploits for the described situation
    Low Level Description :

    Progress applications make the use of several helper .dll and .so binaries.
    When looking for shared object files _dbagent looks at the argument passed
    to the command line option "-installdir". No verification is performed
    upon the object that is located thus local non super users can make
    themselves root.

    This vulnerability is a rehash of SRT2003-06-13-0945.txt with the
    difference being the method by which the application determines where the
    dlopen() should search.

    elguapo@rh8 9.1C]$ cat /usr/dlc/version
    echo PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001

    here we are using "-installdir /tmp" as the options to _dbagent

    snprintf("/tmp/lib/librocket_r.so",303,"%s/lib/%s","/tmp","librocket_r.so")
    memset(0xbfffece0, '\000', 303) = 0xbfffece0
    strncpy(0xbfffece0, "/tmp/lib/librocket_r.so", 303) = 0xbfffece0
    dlopen("/tmp/lib/librocket_r.so", 257
    This is a fake _init in the fake libjutil.so
    uid=0(root) gid=500(elguapo) groups=500(elguapo)

    a valid work around to nearly any Progress security hole is to remove the
    suid bit from all binaries

    Vendor Status : Patch will be in version 10.x
    Bugtraq URL : to be assigned

    ------------------------------------------------------------------------
    This advisory was released by Secure Network Operations,Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories. Contact research@secnetops.com for information on how
    to obtain exploit information.

  • Next message: KF: "[VulnWatch] SRT2003-06-13-0945 - Progress PATH based dlopen() issue"

    Relevant Pages