
Progress _dbagent -installdir dlopen() issue

Secure Network Operations, Inc. 
Strategic Reconnaissance Team     
Team Lead Contact                       

Our Mission:
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

Quick Summary:
Advisory Number         : SRT2003-06-13-1009
Product                 : Progress Database dbagent
Version                 : Versions 9.1 up to 9.1D06
Vendor                  :
Class                   : local
Criticality             : High (to all Progress users)
Operating System(s)     : Linux, SunOS, SCO, TRU64, *nix

High Level Explanation
High Level Description  : Poor usage of dlopen() causes local root
What to do              : chmod -s /usr/dlc/bin/_dbagent 

Technical Details
Proof Of Concept Status : SNO has exploits for the described situation
Low Level Description   :

Progress applications make use of several helper shared objects (.dll on Windows, .so on Unix). When _dbagent, which is installed setuid root, goes looking for those shared objects, it takes the directory from the argument passed to the "-installdir" command line option, appends "/lib/", and hands the result to dlopen(). Neither the directory nor the object found there is verified in any way (ownership, permissions, or whether the caller is privileged), so a local, non-super user can point "-installdir" at a directory they control, plant a shared object whose constructor (_init) runs when it is loaded, and have that code execute as root.

This vulnerability is a rehash of SRT2003-06-13-0945.txt; the only difference is the method by which the application determines where dlopen() should search.

[elguapo@rh8 9.1C]$ cat /usr/dlc/version
echo PROGRESS Version 9.1C as of Thu Jun  7 10:03:59 EDT 2001

Here _dbagent is run under ltrace with "-installdir /tmp" as its options. The library directory is built with memset()/strncpy() straight from that argument and passed to dlopen() (flag 257 is RTLD_LAZY|RTLD_GLOBAL). The last two lines are the message printed by the planted shared object's _init, followed by the resulting uid, which is 0:

memset(0xbfffece0, '\000', 303)                   = 0xbfffece0
strncpy(0xbfffece0, "/tmp/lib/", 303) = 0xbfffece0
dlopen("/tmp/lib/", 257
This is a fake _init in the fake
uid=0(root) gid=500(elguapo) groups=500(elguapo)
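The pattern the advisory describes, alongside a hardened form, as an added C example (this is not Progress code and not SNO's exploit; it is written here to illustrate the bug class). Assumptions: a compiled-in install directory of /usr/dlc, a helper library name of libhelper.so, and the function names used below; the real binary's values are not known from the advisory. The vulnerable function mirrors the memset()/strncpy() seen in the trace; the hardened one applies the rule the dynamic loader itself applies to LD_LIBRARY_PATH in setuid programs (ignore user-supplied search paths when privileged) and, when unprivileged, only accepts a directory that is a real directory, owned by the trusted uid, and not writable by anyone else.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Compiled-in install directory. Assumed value; the real one is site specific. */
#define TRUSTED_INSTALLDIR "/usr/dlc"

/*
 * Vulnerable pattern (what the ltrace above shows): the library directory is
 * taken verbatim from "-installdir" and later handed to dlopen() by a
 * setuid-root process. "-installdir /tmp" plus a planted /tmp/lib/<soname>
 * whose constructor runs as root is all an attacker needs.
 * The caller then does: dlopen(out, RTLD_LAZY | RTLD_GLOBAL);  (0x101 == 257)
 */
int build_lib_path_vulnerable(char *out, size_t outsz,
                              const char *installdir, const char *soname)
{
    memset(out, 0, outsz);
    int n = snprintf(out, outsz, "%s/lib/%s", installdir, soname);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/*
 * Hardened check: a directory may serve as a dlopen() root only if it exists,
 * is a real directory (not a symlink), is owned by 'owner', and is not
 * writable by group or other. 'owner' is a parameter so the check can be
 * exercised without root; production code passes uid 0.
 */
int lib_dir_is_trusted_by(const char *dir, uid_t owner)
{
    struct stat st;
    if (lstat(dir, &st) != 0) return -1;               /* must exist */
    if (!S_ISDIR(st.st_mode)) return -1;              /* no symlinks, no files */
    if (st.st_uid != owner) return -1;                /* owned by the trusted uid */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;  /* nobody else may write */
    return 0;
}

int lib_dir_is_trusted(const char *dir) { return lib_dir_is_trusted_by(dir, 0); }

/*
 * Decide which install directory to honour. 'privileged' should be computed
 * as (getuid() != geteuid() || geteuid() == 0). When privileged the command
 * line value is ignored entirely, exactly as the loader ignores
 * LD_LIBRARY_PATH for setuid binaries; otherwise it must pass the stat check.
 */
const char *select_install_dir(const char *requested, int privileged)
{
    if (privileged || requested == NULL) return TRUSTED_INSTALLDIR;
    if (lib_dir_is_trusted(requested) != 0) return TRUSTED_INSTALLDIR;
    return requested;
}

int build_lib_path_hardened(char *out, size_t outsz, const char *requested,
                            const char *soname)
{
    /* a soname containing '/' could escape the chosen directory */
    if (soname == NULL || strchr(soname, '/') != NULL) return -1;
    int privileged = (getuid() != geteuid()) || geteuid() == 0;
    const char *dir = select_install_dir(requested, privileged);
    int n = snprintf(out, outsz, "%s/lib/%s", dir, soname);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(int argc, char **argv)
{
    const char *req = NULL;
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-installdir") == 0) req = argv[i + 1];

    char vuln[PATH_MAX], safe[PATH_MAX];
    build_lib_path_vulnerable(vuln, sizeof vuln,
                              req ? req : TRUSTED_INSTALLDIR, "libhelper.so");
    if (build_lib_path_hardened(safe, sizeof safe, req, "libhelper.so") != 0)
        strcpy(safe, "(rejected)");
    printf("vulnerable would dlopen: %s\n", vuln);
    printf("hardened   would dlopen: %s\n", safe);
    return 0;
}
```

Run it as "./a.out -installdir /tmp": the vulnerable path is /tmp/lib/libhelper.so, the hardened one falls back to /usr/dlc/lib/libhelper.so because /tmp is world-writable (and, if the binary were setuid, because the option is ignored outright). The stat check still leaves a window between the check and the later dlopen(); it is only sound because a root-owned, non-writable directory cannot be renamed or repopulated by the attacker, which is why the ownership and permission tests are not optional. For a binary you cannot patch, the advisory's own mitigation, removing the setuid bit, is the shorter route.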

A valid workaround for nearly any Progress security hole is to remove the setuid bit from all Progress binaries (the chmod -s above does this for _dbagent alone); setuid binaries under /usr/dlc can be listed with "find /usr/dlc -perm -4000 -type f".

Vendor Status           : Patch will be in version 10.x  
Bugtraq URL             : to be assigned

This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact for information on how
to obtain exploit information.
