exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

versantcmd.txt

versantcmd.txt
Posted Mar 4, 2008
Authored by Luigi Auriemma | Site aluigi.org

Vershant Object Database versions 7.0.1.3 and below suffer from an arbitrary command execution vulnerability.

tags | advisory, arbitrary
SHA-256 | 748019d2e76a3f614a67923ad4a5aaf102a202ebf5cbd5fe279c605ff8a61907

versantcmd.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: Versant Object Database
http://www.versant.com/en_US/products/objectdatabase
Versions: <= 7.0.1.3
Platforms: Windows, Solaris, HP-UX, AIX, Linux
Bug: arbitrary commands execution
Exploitation: remote
Date: 04 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From vendor's website:
"The Versant Object Database is the market leader in object databases.
Using Versant Object Database for data storage brings powerful
advantages to applications that use complex C++ and Java object models,
have high concurrency requirements, and large data sets. The Versant
Object Database is designed to handle the navigational access, seamless
data distribution, and enterprise scale often required by these
applications."

The Versand server is used also in other stand-alone products like, for
example, Borland CaliberRM which naturally are vulnerables too.


#######################################################################

======
2) Bug
======


VersantD is the service used for managing the Versant database and by
default listens on port 5019 with the subsequent assigning of a new
port after a client connects to it, so the client connects to port 5019
where is handled by the ss.exe process and after the initial exchange
of data the connection continues on the new port.

The first incredible thing which happens when a client connects is that
the full paths which will be used by the server to launch the needed
programs or locate the database files are passed directly by the same
client.

That means for example that if a client passes c:\folder in the
VERSANT_ROOT field, the server will run (in case the "-utility" command
is used) "c:\folder\bin\obe.exe -version 7.0.1 -dbtype + -nettype 2
-arch 11 -utility -soc 220 o_oscp" through the vs_prgExecAsync
function.

Then using a custom command value (at the place of the "-utility"
showed before) beginning with the "..\" pattern for removing the
"\bin\" folder added by the server forces it to execute not only a
custom executable decided by the attacker but also any additional
argument too.
Naturally is also possible to execute remote commands not available on
the server through, for example, the Windows shares simply using
\\myhost\myfolder as path.

So, resuming, through the Versant server an attacker can execute any
local or remote custom command.

The following is the full command-line executed through a custom
command value (in my proof-of-concept there is the explanation of all
the fields) with the parameters supplied by the client in upper case:

"VERSANT_ROOT\bin\OUR_COMMAND OUR_ARGUMENTS -noprint -username
VERSANT_USER -release VERSANT_REL -rootpath VERSANT_ROOT -dbpath
VERSANT_DB -dbidpath VERSANT_DBID -dbidnode VERSANT_DBID_NODE
DATABASE_NAME -posterrstk"

It's enough to use a line-feed at the end of our arguments for dropping
all the useless stuff which starts from "-noprint".

Note: all the tests have been performed on the Windows version of the
server so the exploitation could differ a bit on the other supported
platforms.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/versantcmd.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close