|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: KF (dotslash
snosoft.com)Date: Mon Jun 10 2002 - 21:13:30 CDT
Over the last couple years I have released several advisories on the
security of the Progress database http://www.progress.com . Several
versions of progres have since been retired and thus you should not be
using them. Attached is a package containing 13 exploits to obtain root
from Progress
databases of various patch dates and release versions. Most of these
exploits can be easily modified to work on all versions (from 63E) up
and including the latest version 91d (like 83dbutils/83_proutil). There
about 4 more exploits I need to code but they are a bit more difficult
to exploit because they involve malloc() or free(). All of these issues
should have already been addressed by progress patches, but be careful
with which patch you apply... old Progerss patches are like rolling dice.
These exploits will be available shortly at http://www.snosoft.com/research
Here is a directory listing of the attached tar file to give you an idea
of which programs are easily exploitable.
[rootlocalhost working]# ls
_dbutil-ex.pl _proapsv-ex.pl _progres_fileoverwrite.sh _rfutil-ex.pl
_mprosrva-ex.pl _probuild-ex.pl _prooibk-ex.pl
_mprosrv-ex.pl _progresa-ex.pl _prooidv-ex.pl
_mprshut-ex.pl _progres-ex.pl _proutil-ex.pl
Some of you may note that a few of these are not suid by default but I
believe the following Kbase articles make that irrelevant.
Kbase id 12538 says the following:
EXPLANATION:
In order for users to start a multi-user session for Progress, the
following permissions should be maintained.
Progress executables:
The Progress executables should have read, write, and setuid
for the user. The group and other should also have execute
permissions. The owner of the executables should be root. This is
accomplished with the the following steps:
1) Log in as root or switch user to root.
2) Move to the DLC directory.
3) Type the following set of commands:
chown root _*
chmod 4775 _*
chmod 755 _sqlsrv2
chmod 755 _waitfor
Or even better
Kbase id 19341 says the following:
When access to the Patch Web Site is available, go to:
http://www.progress.com/patches/
...
copy -rom dlc/* $DLC
9. Change the permissions on the new files:
find $DLC -exec chown root {} \;
chmod 4755 $DLC/bin/_dbutil
chmod 4755 $DLC/bin/_mprosrv
chmod 4755 $DLC/bin/_mprshut
chmod 4755 $DLC/bin/_orasrv
chmod 4755 $DLC/bin/_proapsv
chmod 4755 $DLC/bin/_probrkr
chmod 4755 $DLC/bin/_probuild
chmod 4755 $DLC/bin/_progres
chmod 4755 $DLC/bin/_prooibk
chmod 4755 $DLC/bin/_prooidv
chmod 4755 $DLC/bin/_proutil
chmod 4755 $DLC/bin/_rfutil
chmod 4755 $DLC/bin/_sqlsrv2
chmod 4755 $DLC/bin/orarx
chmod 4755 $DLC/bin/prolib
chmod 4755 $DLC/bin/sqlcpp
Enjoy folks.
-KF
- application/octet-stream attachment: working.tar
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]