Over the last couple years I have released several advisories on the security of the Progress database http://www.progress.com . Several versions of progres have since been retired and thus you should not be using them. Attached is a package containing 13 exploits to obtain root from Progress databases of various patch dates and release versions. Most of these exploits can be easily modified to work on all versions (from 63E) up and including the latest version 91d (like 83dbutils/83_proutil). There about 4 more exploits I need to code but they are a bit more difficult to exploit because they involve malloc() or free(). All of these issues should have already been addressed by progress patches, but be careful with which patch you apply... old Progerss patches are like rolling dice. These exploits will be available shortly at http://www.snosoft.com/research Here is a directory listing of the attached tar file to give you an idea of which programs are easily exploitable. [root@localhost working]# ls _dbutil-ex.pl _proapsv-ex.pl _progres_fileoverwrite.sh _rfutil-ex.pl _mprosrva-ex.pl _probuild-ex.pl _prooibk-ex.pl _mprosrv-ex.pl _progresa-ex.pl _prooidv-ex.pl _mprshut-ex.pl _progres-ex.pl _proutil-ex.pl Some of you may note that a few of these are not suid by default but I believe the following Kbase articles make that irrelevant. Kbase id 12538 says the following: EXPLANATION: In order for users to start a multi-user session for Progress, the following permissions should be maintained. Progress executables: The Progress executables should have read, write, and setuid for the user. The group and other should also have execute permissions. The owner of the executables should be root. This is accomplished with the the following steps: 1) Log in as root or switch user to root. 2) Move to the DLC directory. 3) Type the following set of commands: chown root _* chmod 4775 _* chmod 755 _sqlsrv2 chmod 755 _waitfor Or even better Kbase id 19341 says the following: When access to the Patch Web Site is available, go to: http://www.progress.com/patches/ ... copy -rom dlc/* $DLC 9. Change the permissions on the new files: find $DLC -exec chown root {} \; chmod 4755 $DLC/bin/_dbutil chmod 4755 $DLC/bin/_mprosrv chmod 4755 $DLC/bin/_mprshut chmod 4755 $DLC/bin/_orasrv chmod 4755 $DLC/bin/_proapsv chmod 4755 $DLC/bin/_probrkr chmod 4755 $DLC/bin/_probuild chmod 4755 $DLC/bin/_progres chmod 4755 $DLC/bin/_prooibk chmod 4755 $DLC/bin/_prooidv chmod 4755 $DLC/bin/_proutil chmod 4755 $DLC/bin/_rfutil chmod 4755 $DLC/bin/_sqlsrv2 chmod 4755 $DLC/bin/orarx chmod 4755 $DLC/bin/prolib chmod 4755 $DLC/bin/sqlcpp Enjoy folks. -KF
Attachment:
working.tar
Description: Binary data
