Type packetstorm
Reporter Strategic Reconnaissance Team
Modified 2003-06-14T00:00:00


Secure Network Operations, Inc.  
Strategic Reconnaissance Team  
Team Lead Contact  
Our Mission:  
Secure Network Operations offers expertise in Networking, Intrusion   
Detection Systems (IDS), Software Security Validation, and   
Corporate/Private Network Security. Our mission is to facilitate a   
secure and reliable Internet and inter-enterprise communications   
infrastructure through the products and services we offer.   
Quick Summary:  
Advisory Number : SRT2003-06-13-1009  
Product : Progress Database dbagent  
Version : Versions 9.1 up to 9.1D06  
Vendor :  
Class : local  
Criticality : High (to all Progress users)  
Operating System(s) : Linux, SunOS, SCO, TRU64, *nix  
High Level Explanation  
High Level Description : Poor usage of dlopen() causes local root  
What to do : chmod -s /usr/dlc/bin/_dbagent   
Technical Details  
Proof Of Concept Status : SNO has exploits for the described situation  
Low Level Description :  
Progress applications make use of several helper .dll and .so binaries.   
When looking for shared object files, _dbagent looks at the argument passed  
to the command line option "-installdir". No verification is performed   
on the object that is located, so local non-superusers can make   
themselves root.   
This vulnerability is a rehash of SRT2003-06-13-0945.txt with the   
difference being the method by which the application determines where the  
dlopen() should search.   
[elguapo@rh8 9.1C]$ cat /usr/dlc/version  
echo PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001  
Here we are using "-installdir /tmp" as the option to _dbagent:  
memset(0xbfffece0, '\000', 303) = 0xbfffece0  
strncpy(0xbfffece0, "/tmp/lib/", 303) = 0xbfffece0  
dlopen("/tmp/lib/", 257  
This is a fake _init in the fake  
uid=0(root) gid=500(elguapo) groups=500(elguapo)  
A valid workaround for nearly any Progress security hole is to remove the   
suid bit from all binaries.  
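
The workaround above, as an added example that is not part of the original advisory or Secure Network Operations' code: shell functions that list the setuid/setgid files under a Progress bin directory, record their current modes, and clear the bits. /usr/dlc/bin is the directory the advisory gives for _dbagent; the function names and the log file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names and the log file
# are assumptions; /usr/dlc/bin is the directory the advisory names.

# list_suid DIR: print each regular file under DIR that has the setuid
# or setgid bit set.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# strip_suid DIR [LOG]: append the current "ls -ld" line of each such file
# to LOG (so the old mode and owner can be restored later), then clear
# both bits. Paths containing newlines are not handled.
strip_suid() {
    dir=$1
    log=${2:-/dev/null}
    list_suid "$dir" | while IFS= read -r f; do
        ls -ld "$f" >> "$log"
        chmod u-s,g-s "$f"
    done
}

# Stand-alone use: sh strip_suid.sh /usr/dlc/bin /root/dlc-suid.log
if [ "$#" -ge 1 ]; then
    strip_suid "$1" "${2:-/dev/null}"
    # Anything still listed here could not be changed (e.g. not run as root).
    list_suid "$1"
fi
```

Re-run list_suid after any Progress upgrade or reinstall, since an installer may set the bits again.
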
Vendor Status : Patch will be in version 10.x   
Bugtraq URL : to be assigned  
This advisory was released by Secure Network Operations, Inc. as a matter  
of notification to help administrators protect their networks against  
the described vulnerability. Exploit source code is no longer released  
in our advisories. Contact for information on how  
to obtain exploit information.