`Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team [email protected]
Team Lead Contact [email protected]
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
************************************************************************
Advisory Number : SRT2003-06-13-1009
Product : Progress Database dbagent
Version : Versions 9.1 up to 9.1D06
Vendor : progress.com
Class : local
Criticality : High (to all Progress users)
Operating System(s) : Linux, SunOS, SCO, TRU64, *nix
High Level Explanation
************************************************************************
High Level Description : Poor usage of dlopen() causes local root
compromise
What to do : chmod -s /usr/dlc/bin/_dbagent
Technical Details
************************************************************************
Proof Of Concept Status : SNO has exploits for the described situation
Low Level Description :
Progress applications make use of several helper .dll and .so binaries.
When looking for shared object files, _dbagent uses the argument passed
to the command line option "-installdir". No verification is performed
on the object that is located, so local non-superusers can make
themselves root.
This vulnerability is a rehash of SRT2003-06-13-0945.txt; the
difference is the method by which the application determines where
dlopen() should search.
[elguapo@rh8 9.1C]$ cat /usr/dlc/version
echo PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
Here we are using "-installdir /tmp" as the options to _dbagent:
snprintf("/tmp/lib/librocket_r.so",303,"%s/lib/%s","/tmp","librocket_r.so")
memset(0xbfffece0, '\000', 303) = 0xbfffece0
strncpy(0xbfffece0, "/tmp/lib/librocket_r.so", 303) = 0xbfffece0
dlopen("/tmp/lib/librocket_r.so", 257
This is a fake _init in the fake libjutil.so
uid=0(root) gid=500(elguapo) groups=500(elguapo)
A valid workaround for nearly any Progress security hole is to remove the
suid bit from all binaries.
Vendor Status : Patch will be in version 10.x
Bugtraq URL : to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact [email protected] for information on how
to obtain exploit information.
`
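The verification that the Low Level Description says is missing, sketched as a check a set-uid program could run before calling dlopen(). This is an added example, not code from the advisory or from Progress; library_is_loadable() and its trust policy (the file and every ancestor directory must be root-owned and not group- or world-writable) are assumptions.

```c
#define _XOPEN_SOURCE 700               /* for realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Trusted only if root owns it and neither group nor other can write. */
static int stat_is_trusted(const struct stat *st)
{
    return st->st_uid == 0 && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* 1 only if the resolved path and every ancestor up to "/" are trusted;
   any error (missing file, unresolvable path) counts as untrusted. */
static int path_is_trusted(const char *path)
{
    char real[PATH_MAX];
    struct stat st;
    if (realpath(path, real) == NULL)   /* resolves symlinks and ".." */
        return 0;
    for (;;) {
        if (stat(real, &st) != 0 || !stat_is_trusted(&st))
            return 0;
        if (strcmp(real, "/") == 0)
            return 1;
        char *slash = strrchr(real, '/');
        if (slash == real)
            real[1] = '\0';             /* parent is the root directory */
        else
            *slash = '\0';              /* step up one component */
    }
}

/* Hypothetical gate: builds "<installdir>/lib/<name>" as in the trace and
   reports whether the result is safe to hand to dlopen(). */
static int library_is_loadable(const char *installdir, const char *name)
{
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/lib/%s", installdir, name);
    if (n < 0 || (size_t)n >= sizeof path)   /* truncated path: refuse */
        return 0;
    return path_is_trusted(path);
}

int main(void)
{
    printf("%s\n", library_is_loadable("/tmp", "librocket_r.so") ? "load" : "refuse");
    return 0;
}
```

A path under /tmp is refused either because the file does not exist or because /tmp itself is world-writable, which is the condition the advisory's trace relies on.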