what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

versantcmd.txt

versantcmd.txt
Posted Mar 4, 2008
Authored by Luigi Auriemma | Site aluigi.org

Vershant Object Database versions 7.0.1.3 and below suffer from an arbitrary command execution vulnerability.

tags | advisory, arbitrary
SHA-256 | 748019d2e76a3f614a67923ad4a5aaf102a202ebf5cbd5fe279c605ff8a61907

versantcmd.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: Versant Object Database
http://www.versant.com/en_US/products/objectdatabase
Versions: <= 7.0.1.3
Platforms: Windows, Solaris, HP-UX, AIX, Linux
Bug: arbitrary commands execution
Exploitation: remote
Date: 04 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From vendor's website:
"The Versant Object Database is the market leader in object databases.
Using Versant Object Database for data storage brings powerful
advantages to applications that use complex C++ and Java object models,
have high concurrency requirements, and large data sets. The Versant
Object Database is designed to handle the navigational access, seamless
data distribution, and enterprise scale often required by these
applications."

The Versand server is used also in other stand-alone products like, for
example, Borland CaliberRM which naturally are vulnerables too.


#######################################################################

======
2) Bug
======


VersantD is the service used for managing the Versant database and by
default listens on port 5019 with the subsequent assigning of a new
port after a client connects to it, so the client connects to port 5019
where is handled by the ss.exe process and after the initial exchange
of data the connection continues on the new port.

The first incredible thing which happens when a client connects is that
the full paths which will be used by the server to launch the needed
programs or locate the database files are passed directly by the same
client.

That means for example that if a client passes c:\folder in the
VERSANT_ROOT field, the server will run (in case the "-utility" command
is used) "c:\folder\bin\obe.exe -version 7.0.1 -dbtype + -nettype 2
-arch 11 -utility -soc 220 o_oscp" through the vs_prgExecAsync
function.

Then using a custom command value (at the place of the "-utility"
showed before) beginning with the "..\" pattern for removing the
"\bin\" folder added by the server forces it to execute not only a
custom executable decided by the attacker but also any additional
argument too.
Naturally is also possible to execute remote commands not available on
the server through, for example, the Windows shares simply using
\\myhost\myfolder as path.

So, resuming, through the Versant server an attacker can execute any
local or remote custom command.

The following is the full command-line executed through a custom
command value (in my proof-of-concept there is the explanation of all
the fields) with the parameters supplied by the client in upper case:

"VERSANT_ROOT\bin\OUR_COMMAND OUR_ARGUMENTS -noprint -username
VERSANT_USER -release VERSANT_REL -rootpath VERSANT_ROOT -dbpath
VERSANT_DB -dbidpath VERSANT_DBID -dbidnode VERSANT_DBID_NODE
DATABASE_NAME -posterrstk"

It's enough to use a line-feed at the end of our arguments for dropping
all the useless stuff which starts from "-noprint".

Note: all the tests have been performed on the Windows version of the
server so the exploitation could differ a bit on the other supported
platforms.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/versantcmd.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close