SecurityReason - Arbitrary commands execution in Versant Object Database 7.0.1.3

Advisory Text :

#######################################################################

Luigi Auriemma

Application: Versant Object Database
http://www.versant.com/en_US/products/objectdatabase
Versions: <= 7.0.1.3
Platforms: Windows, Solaris, HP-UX, AIX, Linux
Bug: arbitrary commands execution
Exploitation: remote
Date: 04 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"The Versant Object Database is the market leader in object databases.
Using Versant Object Database for data storage brings powerful
advantages to applications that use complex C++ and Java object models,
have high concurrency requirements, and large data sets. The Versant
Object Database is designed to handle the navigational access, seamless
data distribution, and enterprise scale often required by these
applications."

The Versand server is used also in other stand-alone products like, for
example, Borland CaliberRM which naturally are vulnerables too.

#######################################################################

======
2) Bug
======

VersantD is the service used for managing the Versant database and by
default listens on port 5019 with the subsequent assigning of a new
port after a client connects to it, so the client connects to port 5019
where is handled by the ss.exe process and after the initial exchange
of data the connection continues on the new port.

The first incredible thing which happens when a client connects is that
the full paths which will be used by the server to launch the needed
programs or locate the database files are passed directly by the same
client.

That means for example that if a client passes c:folder in the
VERSANT_ROOT field, the server will run (in case the "-utility" command
is used) "c:folderbinobe.exe -version 7.0.1 -dbtype + -nettype 2
-arch 11 -utility -soc 220 o_oscp" through the vs_prgExecAsync
function.

Then using a custom command value (at the place of the "-utility"
showed before) beginning with the ".." pattern for removing the
"bin" folder added by the server forces it to execute not only a
custom executable decided by the attacker but also any additional
argument too.
Naturally is also possible to execute remote commands not available on
the server through, for example, the Windows shares simply using
\myhostmyfolder as path.

So, resuming, through the Versant server an attacker can execute any
local or remote custom command.

The following is the full command-line executed through a custom
command value (in my proof-of-concept there is the explanation of all
the fields) with the parameters supplied by the client in upper case:

"VERSANT_ROOTbinOUR_COMMAND OUR_ARGUMENTS -noprint -username
VERSANT_USER -release VERSANT_REL -rootpath VERSANT_ROOT -dbpath
VERSANT_DB -dbidpath VERSANT_DBID -dbidnode VERSANT_DBID_NODE
DATABASE_NAME -posterrstk"

It's enough to use a line-feed at the end of our arguments for dropping
all the useless stuff which starts from "-noprint".

Note: all the tests have been performed on the Windows version of the
server so the exploitation could differ a bit on the other supported
platforms.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/versantcmd.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org