SecurityTracker.com

Category:   Application (Database)  >   Firebird
Vendors:   firebird.sourceforge.net
(Gentoo Issues Fix) Firebird Database Buffer Overflows Let Local Users Gain Elevated or Root Privileges
SecurityTracker Alert ID:  1010258
SecurityTracker URL:  http://securitytracker.com/id/1010258
CVE Reference:   CVE-2003-0281
Date:  May 23 2004
Impact:   Execution of arbitrary code via local system, Modification of user information, Root access via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.0.0, 1.0.2
Description:   Several buffer overflow vulnerabilities were reported in the Firebird database. A local user can obtain elevated privileges, potentially including root privileges.

Dtors Security Research reported that the gds_inet_server, gds_drop, and gds_lock_mgr applications do not perform proper bounds checking on variables returned by the getenv() function. A local user can set the INTERBASE environment variable to a specially crafted value to trigger the overflow and execute arbitrary code.
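
The unchecked getenv() pattern described above, next to a bounded alternative, as an added illustration (not Firebird source and not taken from the advisory). The buffer size, default prefix, file name and both helper names are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATH_BUF 256                    /* assumed size, not from the advisory */
#define DEFAULT_ROOT "/opt/example-db"  /* placeholder install prefix */

/* Unsafe pattern the advisory describes (illustrative, not Firebird source):
 *     char path[PATH_BUF];
 *     strcpy(path, getenv("INTERBASE"));   <- no length check, NULL not handled
 */

/* Pick the install root. A set-id program ignores the caller's environment,
 * and an unprivileged one accepts only an absolute path. */
const char *choose_root(const char *env_value, int privileged)
{
    if (privileged || env_value == NULL || env_value[0] != '/')
        return DEFAULT_ROOT;
    return env_value;
}

/* Join root and file into out[outsz]; 0 on success, -1 with errno set. */
int build_path_checked(const char *root, const char *file, char *out, size_t outsz)
{
    if (root == NULL || file == NULL || out == NULL || outsz == 0) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(out, outsz, "%s/%s", root, file);
    if (n < 0 || (size_t)n >= outsz) {  /* would not fit: refuse, never truncate */
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[PATH_BUF];
    int privileged = (geteuid() != getuid()) || (getegid() != getgid());
    const char *root = choose_root(getenv("INTERBASE"), privileged);

    if (build_path_checked(root, "example.gdb", path, sizeof path) != 0) {
        perror("INTERBASE rejected");
        return 1;
    }
    puts(path);
    return 0;
}
```

Rejecting an oversized value outright, rather than truncating it, keeps a privileged program from silently operating on a different path than the one requested.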

On FreeBSD, the software is installed by default with set user id (setuid) 'firebird' user privileges, so the code will run with the privileges of the database user account, according to the report. On Linux, the software is reportedly installed with setuid 'root' user privileges, allowing the code to run with root privileges.

On FreeBSD, once the local user has 'firebird' user privileges, the local user can modify the database binaries to include trojan code. Then, when a target user on the system executes the database, the local user can gain the privileges of that target user (including those of root users).

Some demonstration exploit code is provided in the Source Message.

Impact:   A local user can execute arbitrary code with 'firebird' user privileges or 'root' user privileges, depending on the installation.

With 'firebird' user privileges, the local user can modify the database application to obtain elevated privileges when a target user runs the database.

Solution:   Gentoo has released a fix and indicates that all users should upgrade to the latest version of Firebird:

# emerge sync

# emerge -pv ">=dev-db/firebird-1.5"
# emerge ">=dev-db/firebird-1.5"

Vendor URL:  firebird.sourceforge.net/
Cause:   Boundary error
Underlying OS:  Linux (Gentoo)

Message History:   This archive entry is a follow-up to the message listed below.
May 10 2003 Firebird Database Buffer Overflows Let Local Users Gain Elevated or Root Privileges



 Source Message Contents

Subject:  [gentoo-announce] [ GLSA 200405-18 ] Buffer Overflow in Firebird


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200405-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Buffer Overflow in Firebird
      Date: May 23, 2004
      Bugs: #20837
        ID: 200405-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow via environmental variables in Firebird may allow a
local user to manipulate or destroy local databases and trojan the
Firebird binaries.

Background
==========

Firebird is an open source relational database that runs on Linux,
Windows, and various UNIX systems.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /   Vulnerable   /                    Unaffected
    -------------------------------------------------------------------
  1  dev-db/firebird         < 1.5                              >= 1.5

Description
===========

A buffer overflow exists in three Firebird binaries (gds_inet_server,
gds_lock_mgr, and gds_drop) that is exploitable by setting a large
value to the INTERBASE environment variable.

Impact
======

An attacker could control program execution, allowing privilege
escalation to the UID of Firebird, full access to Firebird databases,
and trojaning the Firebird binaries. An attacker could use this to
compromise other user or root accounts.

Workaround
==========

There is no known workaround.

Resolution
==========

All users should upgrade to the latest version of Firebird:

    # emerge sync

    # emerge -pv ">=dev-db/firebird-1.5"
    # emerge ">=dev-db/firebird-1.5"

References
==========

  [ 1 ] Bugtraq Security Announcement
        http://securityfocus.com/bid/7546/info/
  [ 2 ] Sourceforge BugTracker Announcement
        http://sourceforge.net/tracker/?group_id=9028&atid=109028&func=detail&aid=739480

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

     http://security.gentoo.org/glsa/glsa-200405-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAsJVJvcL1obalX08RAj+PAKCb9Fd0AtIgaUbIj171XyOS2C1KrwCgli71
8qHVQCl6dlag+WIA4iPZR7w=
=zCcg
-----END PGP SIGNATURE-----

 
 

