Home page logo
/

bugtraq logo Bugtraq mailing list archives

13 local PoC root exploit programs for Progress Database
From: KF <dotslash () snosoft com>
Date: Mon, 10 Jun 2002 22:13:30 -0400

Over the last couple years I have released several advisories on the security of the Progress database http://www.progress.com . Several versions of progres have since been retired and thus you should not be using them. Attached is a package containing 13 exploits to obtain root from Progress databases of various patch dates and release versions. Most of these exploits can be easily modified to work on all versions (from 63E) up and including the latest version 91d (like 83dbutils/83_proutil). There about 4 more exploits I need to code but they are a bit more difficult to exploit because they involve malloc() or free(). All of these issues should have already been addressed by progress patches, but be careful with which patch you apply... old Progerss patches are like rolling dice.

These exploits will be available shortly at http://www.snosoft.com/research

Here is a directory listing of the attached tar file to give you an idea of which programs are easily exploitable.

[root () localhost working]# ls
_dbutil-ex.pl    _proapsv-ex.pl   _progres_fileoverwrite.sh  _rfutil-ex.pl
_mprosrva-ex.pl  _probuild-ex.pl  _prooibk-ex.pl
_mprosrv-ex.pl   _progresa-ex.pl  _prooidv-ex.pl
_mprshut-ex.pl   _progres-ex.pl   _proutil-ex.pl

Some of you may note that a few of these are not suid by default but I believe the following Kbase articles make that irrelevant.

Kbase id 12538 says the following:

EXPLANATION:

In order for users to start a multi-user session for Progress, the
following permissions should be maintained.

Progress executables:

The Progress executables should have read, write, and setuid for the user. The group and other should also have execute permissions. The owner of the executables should be root. This is accomplished with the the following steps:

         1) Log in as root or switch user to root.

         2) Move to the DLC directory.

         3) Type the following set of commands:

              chown root _*
              chmod 4775 _*
              chmod 755 _sqlsrv2
              chmod 755 _waitfor

Or even better Kbase id 19341 says the following: When access to the Patch Web Site is available, go to:
http://www.progress.com/patches/
...
copy -rom dlc/* $DLC 9. Change the permissions on the new files:

find $DLC -exec chown root {} \;
chmod 4755 $DLC/bin/_dbutil
chmod 4755 $DLC/bin/_mprosrv
chmod 4755 $DLC/bin/_mprshut
chmod 4755 $DLC/bin/_orasrv
chmod 4755 $DLC/bin/_proapsv
chmod 4755 $DLC/bin/_probrkr
chmod 4755 $DLC/bin/_probuild
chmod 4755 $DLC/bin/_progres
chmod 4755 $DLC/bin/_prooibk
chmod 4755 $DLC/bin/_prooidv
chmod 4755 $DLC/bin/_proutil
chmod 4755 $DLC/bin/_rfutil
chmod 4755 $DLC/bin/_sqlsrv2
chmod 4755 $DLC/bin/orarx
chmod 4755 $DLC/bin/prolib
chmod 4755 $DLC/bin/sqlcpp

Enjoy folks.

-KF

Attachment: working.tar
Description:


  By Date           By Thread  

Current thread:
  • 13 local PoC root exploit programs for Progress Database KF (Jun 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]