Progress 4GL Application Compiler Overflow

2003-06-20T08:47:23
ID OSVDB:2187
Type osvdb
Reporter OSVDB
Modified 2003-06-20T08:47:23

Description

Vulnerability Description

The Progress 4GL Application Compiler on Windows and Unix platforms contains a buffer overflow in the processing of user-defined data types when compiling .p Progress files. This could allow commands to be executed by the user executing the compiler.

Technical Description

The WIN32 and Unix variants of the Progress 4GL Application Compiler suffer from a buffer overflow in the definition of datatypes. The compiler can be accessed in a number of ways, for example using the "-p" option with _progres or prowin32.exe, as well as from within the Procedure Editor.

An example of a valid datatype would be "char", "integer", "date", etc. When the compiler attempts to parse an invalid datatype the user is presented with the following message.

Invalid datatype -- sample types are: char, integer, date, logical (222)
overflow.p Could not understand line 1. (196)

Immediately after this message the application prompts the user to press the space bar to continue, then it promptly exits.

If, however, the invalid datatype is longer than 364 characters, the Progress Compiler will segfault due to poor use of memmove(). An example of such a datatype follows (shown here as a single token; it is one continuous string of 364 "A" characters followed by "00001111").

def var andrew as AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA00001111

In the above example, 0000 is the location of the saved ebp and 1111 represents the value the eip would be overwritten with.

On *nix platforms the _progres binary is suid root; however, the application drops root privileges before executing the .p file, so exploiting this issue would grant only the privileges of the user running _progres.

On Win32, exploitation can occur from within the Progress Application Compiler tool, which simply invokes "prowin32.exe -p". Again, only the privileges of the user running prowin32 would be obtained.

This issue carries added risk for Win32 users because the Progress Application Compiler prompts the user to supply a file or directory name for compilation. If a directory name is provided, the compiler searches for *.p and attempts to compile every instance it finds. If compilation is run from a shared drive this becomes a problem, because an attacker need only drop a malicious .p file into the compile tree. Shortly after clicking the "Start Compile" button you will notice that the Progress Application Compiler is no longer responding if someone has planted such a file.

Solution Description

Upgrade to the latest version of the compiler available from the vendor. If unable to upgrade, as a workaround do not compile .p files from unknown sources or without properly reviewing the code.
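The workaround above (review .p files before compiling them, especially from a shared compile tree) can be partly automated. The following is an added example, not part of the advisory or the Progress product: it walks a compile tree the way the Application Compiler does (every *.p under a directory) and flags "DEF VAR ... AS <datatype>" declarations whose datatype token is not a known type, marking tokens longer than the 364-character crash length described above. The set of known datatypes beyond those the advisory names, and the regex shape of the declaration, are assumptions of this example.

```python
import re
from pathlib import Path

# From the advisory: the compiler segfaults once an invalid datatype token is
# longer than 364 characters, so anything beyond that is treated as hostile.
CRASH_LEN = 364

# Datatypes the advisory names as valid (char, integer, date, logical), plus
# common aliases; the aliases are an assumption of this example.
KNOWN_TYPES = {"char", "character", "integer", "int", "date", "logical",
               "decimal", "dec", "handle", "memptr", "raw", "rowid", "recid"}

# DEF[INE] VAR[IABLE] <name> AS <datatype>; the datatype token is captured and
# stops at whitespace or the statement-terminating period.
DECL_RE = re.compile(r"\bdef(?:ine)?\s+var(?:iable)?\s+\S+\s+as\s+([^\s.]+)",
                     re.IGNORECASE)


def suspicious_declarations(source, crash_len=CRASH_LEN):
    """Return (line_no, token_len, reason) for each variable declaration whose
    datatype is not a known type: 'overlong' if the token exceeds the crash
    length from the advisory, 'unknown' otherwise."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in DECL_RE.finditer(line):
            token = match.group(1)
            if token.lower() in KNOWN_TYPES:
                continue
            reason = "overlong" if len(token) > crash_len else "unknown"
            findings.append((line_no, len(token), reason))
    return findings


def scan_compile_tree(root):
    """Map each *.p file under root (the files the Application Compiler would
    pick up for a directory name) to its suspicious declarations."""
    report = {}
    for path in sorted(Path(root).rglob("*.p")):
        text = path.read_text(encoding="latin-1", errors="replace")
        hits = suspicious_declarations(text)
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    import sys
    for path, hits in scan_compile_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, length, reason in hits:
            print(f"{path}:{line_no}: {reason} datatype token ({length} chars)")
```

Run it against the compile tree before pressing "Start Compile"; any "overlong" hit is a file to quarantine, and "unknown" hits deserve a manual look.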

Short Description

The Progress 4GL Application Compiler on Windows and Unix platforms contains a buffer overflow in the processing of user-defined data types when compiling .p Progress files. This could allow commands to be executed by the user executing the compiler.

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-06/0152.html
ISS X-Force ID: 12383
CVE-2003-0485
Bugtraq ID: 7997