####################################################################### Luigi Auriemma Application: Versant Object Database http://www.versant.com/en_US/products/objectdatabase Versions: <= 7.0.1.3 Platforms: Windows, Solaris, HP-UX, AIX, Linux Bug: arbitrary commands execution Exploitation: remote Date: 04 Mar 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "The Versant Object Database is the market leader in object databases. Using Versant Object Database for data storage brings powerful advantages to applications that use complex C++ and Java object models, have high concurrency requirements, and large data sets. The Versant Object Database is designed to handle the navigational access, seamless data distribution, and enterprise scale often required by these applications." The Versand server is used also in other stand-alone products like, for example, Borland CaliberRM which naturally are vulnerables too. ####################################################################### ====== 2) Bug ====== VersantD is the service used for managing the Versant database and by default listens on port 5019 with the subsequent assigning of a new port after a client connects to it, so the client connects to port 5019 where is handled by the ss.exe process and after the initial exchange of data the connection continues on the new port. The first incredible thing which happens when a client connects is that the full paths which will be used by the server to launch the needed programs or locate the database files are passed directly by the same client. That means for example that if a client passes c:\folder in the VERSANT_ROOT field, the server will run (in case the "-utility" command is used) "c:\folder\bin\obe.exe -version 7.0.1 -dbtype + -nettype 2 -arch 11 -utility -soc 220 o_oscp" through the vs_prgExecAsync function. Then using a custom command value (at the place of the "-utility" showed before) beginning with the "..\" pattern for removing the "\bin\" folder added by the server forces it to execute not only a custom executable decided by the attacker but also any additional argument too. Naturally is also possible to execute remote commands not available on the server through, for example, the Windows shares simply using \\myhost\myfolder as path. So, resuming, through the Versant server an attacker can execute any local or remote custom command. The following is the full command-line executed through a custom command value (in my proof-of-concept there is the explanation of all the fields) with the parameters supplied by the client in upper case: "VERSANT_ROOT\bin\OUR_COMMAND OUR_ARGUMENTS -noprint -username VERSANT_USER -release VERSANT_REL -rootpath VERSANT_ROOT -dbpath VERSANT_DB -dbidpath VERSANT_DBID -dbidnode VERSANT_DBID_NODE DATABASE_NAME -posterrstk" It's enough to use a line-feed at the end of our arguments for dropping all the useless stuff which starts from "-noprint". Note: all the tests have been performed on the Windows version of the server so the exploitation could differ a bit on the other supported platforms. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/versantcmd.zip ####################################################################### ====== 4) Fix ====== No fix #######################################################################