*Advisory Information*

Title: Authentication bypass in Unidata leads to remote command execution
Date published: 2012-06-09 02:52:14 PM
upSploit Ref: UPS-2012-0012

*Advisory Summary*

A vulnerability in Unidata Extended Relational Data Server allows an
unauthenticated user to run arbitrary commands on the target host with system
or root privileges.

*Vendor*

Rocket Software

*Affected Software*

UniData 7.2.7 - 7.2.12 (latest version) - earlier versions are likely affected as well. Both Windows and Linux variations are affected.

UniData® is an extended relational data server ideal for embedding in a variety of industry-focused solutions.

*Description of Issue*

Unidata Extended Relational Data Server uses UniRPC for communication on port
31438. It has an interface called unidata72, which is used for most of the
client/server tasks. The typical connection consists of:
1. Select the interface (unidata72)
2. Authenticate (code 0x04)
3. Perform operations (including running OS commands - code 0x06)

The authentication stage downgrades the user from SYSTEM to the specified OS
user. The authentication, however, is not enforced; therefore, if a user skips
the authentication stage, they can run any of the usual operations at SYSTEM (or
root) access.

One of the operations - opcode 0x06 - runs system commands on the target host
and returns the result. This can be run without authentication, and runs as
SYSTEM (or root). As a result, arbitrary commands can be run against a host.
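
The missing check described above, as an added illustration that is not code from Rocket Software or from the advisory's author: a toy request dispatcher where `enforce_auth=False` models the flawed behaviour and the default refuses every non-authentication opcode until opcode 0x04 has succeeded. Only the opcode values and the interface name come from the advisory; the session class, helper names, credentials and message shape are assumptions.

```python
# Toy model of the connection flow; nothing here executes a real command.
# From the advisory: opcodes 0x04 / 0x06 and the interface name "unidata72".
# Assumed for illustration: Session, helpers, credentials, message shape.
from dataclasses import dataclass

OP_AUTH = 0x04        # authenticate
OP_OS_COMMAND = 0x06  # run OS command
INTERFACE = "unidata72"


class ProtocolError(Exception):
    """A request arrived in a state that does not permit it."""


@dataclass
class Session:
    interface: str = ""
    user: str = "SYSTEM"        # service identity before authentication
    authenticated: bool = False


def check_credentials(user, password):
    # Stand-in for the OS credential check (constructed test account).
    return (user, password) == ("alice", "correct-horse")


def run_as(user, command):
    # Stand-in: report which identity would run the command.
    return f"{user}:{command}"


def dispatch(session, opcode, payload, enforce_auth=True):
    """Handle one request; enforce_auth=False models the flawed behaviour."""
    if session.interface != INTERFACE:
        raise ProtocolError("interface not selected")
    if opcode == OP_AUTH:
        user, password = payload
        if not check_credentials(user, password):
            raise ProtocolError("authentication failed")
        session.user, session.authenticated = user, True  # drop to OS user
        return "ok"
    # Hardened path: any other opcode needs a completed authentication.
    if enforce_auth and not session.authenticated:
        raise ProtocolError(f"opcode {opcode:#04x} before authentication")
    if opcode == OP_OS_COMMAND:
        return run_as(session.user, payload)
    raise ProtocolError(f"unknown opcode {opcode:#04x}")
```

The design point is that the privilege downgrade and the authorization decision are the same event: a session that never authenticates must never reach a handler, instead of reaching it with the service's own identity.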

*PoC*

The checks have been added into Nessus.

*Credits*

Ron Bowes, Tenable Network Security (rbowes@tenable.com)

*References*

N/A

*Patch/Fix*

This has now been resolved.