Secure Network Operations, Inc.                 http://www.secnetops.com
Strategic Reconnaissance Team                   research@secnetops.com
Team Lead Contact                               kf@secnetops.com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.

Quick Summary:
************************************************************************
Advisory Number         : SRT2003-06-13-1009
Product                 : Progress Database dbagent
Version                 : Versions 9.1 up to 9.1D06
Vendor                  : progress.com
Class                   : local
Criticality             : High (to all Progress users)
Operating System(s)     : Linux, SunOS, SCO, TRU64, *nix

High Level Explanation
************************************************************************
High Level Description  : Poor usage of dlopen() causes local root compromise
What to do              : chmod -s /usr/dlc/bin/_dbagent

Technical Details
************************************************************************
Proof Of Concept Status : SNO has exploits for the described situation

Low Level Description   :

Progress applications make use of several helper .dll and .so
binaries. When looking for shared object files, _dbagent looks at the
argument passed to the command line option "-installdir". No
verification is performed upon the object that is located, thus local
non-super users can make themselves root. This vulnerability is a
rehash of SRT2003-06-13-0945.txt, the difference being the method by
which the application determines where dlopen() should search.
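An added example, not Progress code and not part of the advisory, of the verification the Low Level Description says is absent: a set-uid loader that refuses a -installdir it cannot trust before the path ever reaches dlopen(). The trusted-directory rule (root-owned, not group- or world-writable) and the function names are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Decide whether a helper library may be loaded from <installdir>/lib/<lib>.
 * privileged: 1 when the process holds more rights than the invoking user
 *   (a set-uid root _dbagent), 0 otherwise.
 * dir_owner, dir_mode: owner and permission bits of installdir from stat().
 * Returns 0 and writes the path into out, or -1 when the load must be refused.
 * Added illustration of the check the advisory says is missing, not Progress
 * code; the ownership/permission rule is this example's own assumption. */
int helper_path_policy(int privileged, const char *installdir, const char *lib,
                       uid_t dir_owner, mode_t dir_mode, char *out, size_t outlen)
{
    size_t len = strlen(installdir);
    /* The library name must be a bare file name with no directory part. */
    if (lib[0] == '\0' || strchr(lib, '/') != NULL)
        return -1;
    /* installdir must be absolute and contain no ".." components. */
    if (installdir[0] != '/' || strstr(installdir, "/../") != NULL ||
        (len >= 3 && strcmp(installdir + len - 3, "/..") == 0))
        return -1;
    /* With elevated privileges, only a root-owned directory that group and
     * others cannot write to is an acceptable dlopen() base; /tmp fails. */
    if (privileged && (dir_owner != 0 || (dir_mode & (S_IWGRP | S_IWOTH))))
        return -1;
    int n = snprintf(out, outlen, "%s/lib/%s", installdir, lib);
    if (n < 0 || (size_t)n >= outlen)  /* a truncated path is refused too */
        return -1;
    return 0;
}

/* Collect the live facts and apply the policy; the resulting path is what a
 * hardened _dbagent would hand to dlopen() instead of the raw argument. */
int check_helper_path(const char *installdir, const char *lib,
                      char *out, size_t outlen)
{
    struct stat st;
    int privileged = getuid() != geteuid();
    if (stat(installdir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return helper_path_policy(privileged, installdir, lib,
                              st.st_uid, st.st_mode & 07777, out, outlen);
}
```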
[elguapo@rh8 9.1C]$ cat /usr/dlc/version
echo PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001

Here we are using "-installdir /tmp" as the options to _dbagent:

snprintf("/tmp/lib/librocket_r.so", 303, "%s/lib/%s", "/tmp", "librocket_r.so")
memset(0xbfffece0, '\000', 303) = 0xbfffece0
strncpy(0xbfffece0, "/tmp/lib/librocket_r.so", 303) = 0xbfffece0
dlopen("/tmp/lib/librocket_r.so", 257
This is a fake _init in the fake libjutil.so
uid=0(root) gid=500(elguapo) groups=500(elguapo)

A valid workaround to nearly any Progress security hole is to remove
the suid bit from all binaries.

Vendor Status           : Patch will be in version 10.x
Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a
matter of notification to help administrators protect their networks
against the described vulnerability. Exploit source code is no longer
released in our advisories. Contact research@secnetops.com for
information on how to obtain exploit information.