Remote Stack Buffer Overflow in Firebird SQL Server [CORE4058] #4386

Closed
firebird-issue-importer opened this issue Mar 5, 2013 · 13 comments

Comments

@firebird-issue-importer firebird-issue-importer commented Mar 5, 2013

Submitted by: Spencer McIntyre (zerosteiner)

Attachments:
bof.py

The FirebirdSQL server is vulnerable to a stack buffer overflow that can be
triggered when an unauthenticated user sends a specially crafted packet. The
result can lead to remote code execution as the user which runs the FirebirdSQL
server.

Proof of Concept and technical details:
https://gist.github.com/zeroSteiner/85daef257831d904479c

Commits: 63ad0f2 af11f55

====== Test Details ======

Bug was fixed on 2.5.5.26952.
On 2.5.2.26540, 2.5.3.26780 and 2.5.4.26856 the following lines appear in firebird.log after execution of this test:

   *** DUMP ***
   Tag=-1 Offset=18 Length=34 Eof=0
   Clump 5 at offset 0: AAAABBBBCCCCDDDD
   Fatal exception during clumplet dump: Invalid clumplet buffer structure: buffer end before end of clumplet - clumplet too long
   Plain dump starting with offset 18: <05><15>localhost.loca

===

@firebird-issue-importer firebird-issue-importer commented Mar 6, 2013

Modified by: @dyemanov

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-issue-importer firebird-issue-importer commented Mar 6, 2013

Commented by: @AlexPeshkoff

Attached Python script to reproduce

@firebird-issue-importer firebird-issue-importer commented Mar 6, 2013

Modified by: @AlexPeshkoff

Attachment: http://bof.py [ 12292 ]

@firebird-issue-importer firebird-issue-importer commented Mar 6, 2013

Commented by: @AlexPeshkoff

The reason is a bug in extracting the group number from the CNCT info sent by the client: the size of the received data was not checked. The bug has existed since the very first days of Firebird.

The main irony here is that this group info was never used later in the code, and therefore it was cleaned up in trunk, i.e. trunk does not require fixing.
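An added example, not Firebird's code and not the attached bof.py, illustrating the kind of check the comment above says was missing: a bounds-checked walker for a tag/length/value ("clumplet") list such as the CNCT block in the firebird.log dump. The tag numbers (5 for the group entry, matching "Clump 5" in the dump), the 32-byte destination size and the sample buffers are assumptions constructed for this example. The point is that every client-supplied length byte is compared against the bytes actually received and against the destination size before anything is copied, so an over-long declared length is reported rather than copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Firebird's code. A CNCT block is modelled as a sequence of
 * clumplets: one tag byte, one length byte, then that many value bytes.
 * The tag numbers, destination size and sample buffers below are assumptions. */
#define TAG_USER   1    /* constructed tag value */
#define TAG_GROUP  5    /* assumed tag value; the log dump calls it "Clump 5" */
#define GROUP_MAX  32   /* assumed size of the fixed stack buffer the group is copied into */

enum cnct_result {
    CNCT_OK = 0,
    CNCT_NOT_FOUND = 1,
    CNCT_TRUNCATED = 2,   /* declared length runs past the received bytes ("clumplet too long") */
    CNCT_TOO_LONG = 3     /* value is well-formed but does not fit the destination */
};

/* Copy the value of the first clumplet tagged want_tag into out, NUL-terminated.
 * Both the input length and the destination size are checked before memcpy, so a
 * client-chosen length byte cannot drive the copy past either buffer. */
enum cnct_result cnct_find(const uint8_t *buf, size_t len, uint8_t want_tag,
                           char *out, size_t out_size)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 2)            /* need both a tag byte and a length byte */
            return CNCT_TRUNCATED;
        uint8_t tag  = buf[off];
        size_t  vlen = buf[off + 1];
        off += 2;
        if (vlen > len - off)         /* the size check the vulnerable path lacked */
            return CNCT_TRUNCATED;
        if (tag == want_tag) {
            if (vlen >= out_size)     /* keep one byte for the terminator */
                return CNCT_TOO_LONG;
            memcpy(out, buf + off, vlen);
            out[vlen] = '\0';
            return CNCT_OK;
        }
        off += vlen;                  /* skip clumplets with other tags */
    }
    return CNCT_NOT_FOUND;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t CNCT_GOOD[] = {
    TAG_USER,  4, 'u', 's', 'e', 'r',
    TAG_GROUP, 5, 's', 't', 'a', 'f', 'f'
};
/* Group clumplet declares 34 bytes but only 16 follow: the shape seen in the dump. */
static const uint8_t CNCT_OVERLONG[] = {
    TAG_GROUP, 34, 'A','A','A','A', 'B','B','B','B', 'C','C','C','C', 'D','D','D','D'
};
static uint8_t BIG_BUF[2 + 40];     /* filled by build_big_group */
static char    scratch[GROUP_MAX];  /* destination used by the demo */

/* Build a well-formed group clumplet whose 40-byte value exceeds GROUP_MAX.
 * Returns the number of bytes written, or 0 if dst is too small. */
size_t build_big_group(uint8_t *dst, size_t cap)
{
    if (cap < 42) return 0;
    dst[0] = TAG_GROUP;
    dst[1] = 40;
    memset(dst + 2, 'X', 40);
    return 42;
}

/* Run the three cases; returns the number of cases that did not behave as expected. */
int run_demo(void)
{
    int failures = 0;
    enum cnct_result r;

    r = cnct_find(CNCT_GOOD, sizeof CNCT_GOOD, TAG_GROUP, scratch, sizeof scratch);
    printf("well-formed: result=%d group=%s\n", (int)r, r == CNCT_OK ? scratch : "-");
    failures += (r != CNCT_OK || strcmp(scratch, "staff") != 0);

    r = cnct_find(CNCT_OVERLONG, sizeof CNCT_OVERLONG, TAG_GROUP, scratch, sizeof scratch);
    printf("over-long:   result=%d (expected %d, truncated)\n", (int)r, (int)CNCT_TRUNCATED);
    failures += (r != CNCT_TRUNCATED);

    size_t n = build_big_group(BIG_BUF, sizeof BIG_BUF);
    r = cnct_find(BIG_BUF, n, TAG_GROUP, scratch, sizeof scratch);
    printf("oversized:   result=%d (expected %d, too long)\n", (int)r, (int)CNCT_TOO_LONG);
    failures += (r != CNCT_TOO_LONG);

    return failures;
}

int main(void)
{
    return run_demo() == 0 ? 0 : 1;
}
```

The second sample buffer reproduces the condition the log reports ("buffer end before end of clumplet - clumplet too long"): a declared length larger than what remains in the packet. The third shows the separate check a fixed-size destination needs even when the packet itself is consistent.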

@firebird-issue-importer firebird-issue-importer commented Mar 6, 2013

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 2.5.3 [ 10461 ]

Fix Version: 2.1.6 [ 10460 ]

@firebird-issue-importer firebird-issue-importer commented Mar 6, 2013

Commented by: Spencer McIntyre (zerosteiner)

I just tested against the latest build for 2.5.3 Windows 32-bit. Specifically, I tested the Classic, Super and SuperClassic versions from this build: http://web.firebirdsql.org/download/snapshot_builds/win/2.5/Firebird-2.5.3.26618-0_Win32.zip and they were still vulnerable, except for the Classic version.

Could you please provide me a revision number for when this issue was fixed?

@firebird-issue-importer firebird-issue-importer commented Mar 6, 2013

Commented by: Spencer McIntyre (zerosteiner)

I just heard back from MITRE, which has reserved CVE-2013-2492 to identify this vulnerability.

@firebird-issue-importer firebird-issue-importer commented Mar 7, 2013

Commented by: @dyemanov

The fixed snapshot builds will be available today, build numbers are 26623 for v2.5 and 18514 for v2.1.

@firebird-issue-importer firebird-issue-importer commented Mar 7, 2013

Modified by: @dyemanov

security: Developers [ 10012 ] =>

@firebird-issue-importer firebird-issue-importer commented Mar 17, 2013

Modified by: @dyemanov

Fix Version: 2.1.5 Update 1 [ 10522 ]

Fix Version: 2.5.2 Update 1 [ 10521 ]

@firebird-issue-importer firebird-issue-importer commented Apr 23, 2013

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-issue-importer firebird-issue-importer commented Jan 18, 2016

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: No test

@firebird-issue-importer firebird-issue-importer commented Aug 21, 2016

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: No test => Done successfully

Test Details: Bug was fixed on 2.5.5.26952.
On 2.5.2.26540, 2.5.3.26780 and 2.5.4.26856 the following lines appear in firebird.log after execution of this test:

   *** DUMP ***
   Tag=-1 Offset=18 Length=34 Eof=0
   Clump 5 at offset 0: AAAABBBBCCCCDDDD
   Fatal exception during clumplet dump: Invalid clumplet buffer structure: buffer end before end of clumplet - clumplet too long
   Plain dump starting with offset 18: <05><15>localhost.loca

===
