Firebird Remote Memory Corruption

Firebird Remote Memory Corruption


Core Security Technologies - CoreLabs Advisory

http://www.coresecurity.com/corelabs/

Advisory Information

Title: Firebird Remote Memory Corruption

Advisory ID:  CORE-2007-1219

Advisory URL: http://www.coresecurity.com/?action=item&id=2095

Date published: 2008-01-28

Date of last update: 2008-01-24

Vendors contacted: Firebird SQL

Release mode: Coordinated Release

Vulnerability Information

Class: Memory corruption

Remotely Exploitable: Yes

Locally Exploitable: Yes

Bugtraq ID: 27403

CVE Name: CVE-2008-0387

Vulnerability Description

Firebird [1][2] is a relational database that runs on Linux, Windows, and a variety of Unix platforms. The Firebird Project is a commercially independent project of C and C++ programmers, technical advisors and supporters developing and enhancing a multi-platform relational database management system based on the source code released by Inprise Corp (now known as Borland Software Corp) on 25 July, 2000.

The Firebird database manager contains an Integer Overflow in the processing of certain tags on the XDR protocol used for communication with the server. This led the server to corrupt the process memory and crash. Repeated attempts are followed by a crash of the process in charge of restarting the database server. This may also grant attackers remote execution of arbitrary code on servers running Firebird.

Vulnerable packages

  • Firebird SQL 1.0.3 and before.
  • Firebird SQL 1.5.5 and before.
  • Firebird SQL 2.0.3 and before.
  • Firebird SQL 2.1.0 Beta 2 and before.

Non-vulnerable packages

  • Firebird SQL 1.5.6 (to be released)
  • Firebird SQL 2.0.4 (to be released)
  • Firebird SQL 2.1.0 RC1

Vendor Information, Solutions and Workarounds

Firebird v2.1.0 RC1 fixes this vulnerability and is available for download at http://firebirdsql.org/index.php?op=files&id=fb210_RC1

The fix will also be included in versions v1.5.6 and v2.0.4.  Version 2.0.4 will be released in February. The version 1.5.6 release is expected later this year.

The issue is registered [3] in Firebird Tracker as CORE-1681.

Credits

This vulnerability was discovered and researched by Damian Frizza with assistance of Alfredo Ortega from Core Security Technologies.

Technical Description / Proof of Concept Code

The memory corruption happens when the parser (src/remote/protocol.cpp) receives any of the following operations with invalid data:

op_receive

op_start

op_start_and_receive

op_send

op_start_and_send

op_start_send_and_receive

The parser fails to properly sanitize certain variables before use. We can see that in the file src/remote/protocol.cpp there are the following assignments directly from the packet buffer to the data structure, without any validation (The MAP macro doesn’t have any range checking):

src/remote/protocol.cpp:417

                               MAP(xdr_short, reinterpret_cast(data->p_data_request));
                               MAP(xdr_short, reinterpret_cast(data->p_data_incarnation));
                               MAP(xdr_short, reinterpret_cast(data->p_data_transaction));
                              MAP(xdr_short, reinterpret_cast(data->p_data_message_number));
                                /* Changes to this op's protocol must mirror in xdr_protocol_overhead */
                                return xdr_request(xdrs, data->p_data_request,
                                                data->p_data_message_number,
                                                data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);

And in the function xdr_request(), the variable data->p_data_request (as request_id) is used to index an array:

... rrq* request = (rrq*) port->port_objects[request_id]; ...

Corrupting memory structures and causing a DoS of the server, with possible execution of code. The same happens with the variable data->p_data_message_number.

The following python PoC causes a remote Denial of service and demonstrates the bug:

##Firebird DoS
##Damian Frizza – Core Security Exploit Writers Team
##tested against Firebird-2.0.3.12981-1-Win32.exe and
##Firebird-2.1.0.16780_0_Win32.exe

##fbserver.exe 2.0.3
##005637D0   8B4424 08        MOV EAX,DWORD PTR SS:[ESP+8]
##005637D4   0FB700           MOVZX EAX,WORD PTR DS:[EAX]
##005637D7   83EC 50          SUB ESP,50
##005637DA   56               PUSH ESI
##005637DB   8BF1             MOV ESI,ECX
##005637DD   8B8E AC000000    MOV ECX,DWORD PTR DS:[ESI+AC]
##005637E3   3B41 08          CMP EAX,DWORD PTR DS:[ECX+8]     

Report Timeline

  • 2008-01-04: Initial notification sent by CoreLabs to Firebird SQL development team.
  • 2008-01-08: Notification acknowledged by Firebird SQL development team.
  • 2008-01-08: Technical details sent by Core to Firebird SQL dev. team.
  • 2008-01-10: Firebird SQL dev. team notifies Core that a fix has been produced, and will be released in Firebird versions v1.5.6, v2.0.4 and v2.1.0 RC1.

  • 2008-01-10: CoreLabs acknowledges information about fixes and requests date of the v2.1.0 RC1 release to the Firebird dev. team.
  • 2008-01-15: Firebird dev. team confirms vendor information and dates of fixed versions.

References

[1] http://sourceforge.net/projects/firebird/

[2] http://www.firebirdsql.org/

[3] http://tracker.firebirdsql.org/browse/CORE-1681

About Corelabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies.

We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at http://www.coresecurity.com/corelabs/

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

DISCLAIMER

The contents of this advisory are copyright (c) 2008 CORE Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

PGP/GPG KEYS

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc

Locally Exploitable: 
no
Remotely Exploitable: 
no
  • Request Info

Research Blog