Server does not validate correctness of user/password pair provided in EXECUTE STATEMENT operator [CORE5082] #5368

Closed
firebird-issue-importer opened this issue Jan 24, 2016 · 13 comments


Submitted by: @AlexPeshkoff

Attachments:
c5082-pipe.PNG
c5082-no_pipe.png

Since FB3, regular password validation takes place in the remote listener (network server). This makes it possible to execute an arbitrary statement as any user by providing a dummy password.

Commits: b0edf78 eacbf41 FirebirdSQL/fbt-repository@62b1649 FirebirdSQL/fbt-repository@1a3e57f


firebird-issue-importer commented Jan 24, 2016

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]


firebird-issue-importer commented Jan 24, 2016

Commented by: @AlexPeshkoff

Password validation code (invokes security plugins) added to the external engines connector. Validation is performed only for server connections; in embedded, one can still use any user name (like elsewhere for embedded).

Simple way to check:
execute block returns (x varchar(32)) as begin execute statement 'select current_user from rdb$database' as user 'name' password 'pass' into x; suspend; end^


firebird-issue-importer commented Jan 24, 2016

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 3.0 RC2 [ 10048 ]


firebird-issue-importer commented Jan 25, 2016

Commented by: @pavel-zotov

Try following as SYSDBA (with default password):

set list on;
set term ^;
execute block returns (whoami varchar(32)) as
begin
    execute statement 'select current_user from rdb$database' as user 'non_existent' password 'qwecXzasd' into whoami;
    suspend;
end
^

execute block returns (whoami varchar(32)) as
begin
    execute statement 'select current_user from rdb$database' as user 'non_existent' password '' into whoami;
    suspend;
end
^

execute block returns (whoami varchar(32)) as
begin
    execute statement 'select current_user from rdb$database' as user 'SYSDBA' password 'fullyWrong' into whoami;
    suspend;
end
^

execute block returns (whoami varchar(32)) as
begin
    execute statement 'select current_user from rdb$database' as user 'SYSDBA' password '' into whoami;
    suspend;
end
^

execute block returns (whoami varchar(32)) as
begin
    execute statement 'select current_user from rdb$database' as user 'SYSDBA' password ' ' into whoami;  -- password = single space char.
    suspend;
end
^

execute block returns (whoami varchar(32)) as
begin
    execute statement 'select current_user from rdb$database' as user 'SYSDBA' password '  ' into whoami;   -- password = two spaces.
    suspend;
end
^

===

On build 322289 output will be:

Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
After line 2 in file c5082-1.sql --- OK, this is for "user 'non_existent' password 'qwecXzasd'"

Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
After line 8 in file c5082-1.sql-- OK, this is for "user 'non_existent' password ''"

Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
After line 15 in file c5082-1.sql -- OK, this is for "user 'SYSDBA' password 'fullyWrong' "

WHOAMI SYSDBA

WHOAMI SYSDBA

WHOAMI SYSDBA

Why can SYSDBA still do EB with a password that is empty or consists only of ascii_char(32) symbols?
PS. Checked on both Legacy & Srp.


firebird-issue-importer commented Jan 25, 2016

Commented by: @dyemanov

Do you have ISC_PASSWORD envvar defined? Looks like empty password is treated as missing password and the envvar is picked instead.


firebird-issue-importer commented Jan 25, 2016

Commented by: @pavel-zotov

Yes, isc_* variables DID exist. But when I removed them, the result is the same:

C:\>set isc_user=

C:\>set isc_password=

C:\>set isc_user
Переменная среды isc_user не определена

C:\>set isc_password=

C:\>cd C:\MIX\firebird\QA\fbt-repo\tmp\

C:\MIX\firebird\QA\fbt-repo\tmp>isql /:e30 -i c5082-1.sql -user sysdba -pas masterke

Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
After line 2 in file c5082-1.sql

Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
After line 8 in file c5082-1.sql

Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
After line 15 in file c5082-1.sql

WHOAMI SYSDBA

WHOAMI SYSDBA

WHOAMI SYSDBA

C:\MIX\firebird\QA\fbt-repo\tmp>

(this was done in cmd.exe)


firebird-issue-importer commented Jan 25, 2016

Commented by: @AlexPeshkoff

Can not reproduce:

SQL> execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$database' as user 'SYSDBA' password ' ' into whoami; suspend; end^

WHOAMI

Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
SQL>


firebird-issue-importer commented Jan 25, 2016

Commented by: @pavel-zotov

C:\MIX\firebird\QA\fbt-repo\tmp>set isc_user
Переменная среды isc_user не определена

C:\MIX\firebird\QA\fbt-repo\tmp>set isc_password
Переменная среды isc_password не определена

Case-1. EMPTY password
#####################

C:\MIX\firebird\QA\fbt-repo\tmp>echo execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$database' as user 'SYSDBA' password '' into whoami; suspend; end# | isql /:e30 -user sysdba -pas masterke -term #

WHOAMI

SYSDBA

Case-2. Password is single space character
###################################

C:\MIX\firebird\QA\fbt-repo\tmp>echo execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$database' as user 'SYSDBA' password ' ' into whoami; suspend; end# | isql /:e30 -user sysdba -pas masterke -term #

WHOAMI

SYSDBA

Case-3. Password is single TAB character
#################################

C:\MIX\firebird\QA\fbt-repo\tmp>echo execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$dat
abase' as user 'SYSDBA' password ' ' into whoami; suspend; end#⁠ | isql /:e30 -user sysdba -pas masterke -term #⁠

WHOAMI

Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.

ISQL Version: WI-V3.0.0.32289 Firebird 3.0 Release Candidate 2
Server version:
WI-V3.0.0.32289 Firebird 3.0 Release Candidate 2
WI-V3.0.0.32289 Firebird 3.0 Release Candidate 2/tcp (csprog)/P13
WI-V3.0.0.32289 Firebird 3.0 Release Candidate 2/tcp (csprog)/P13

The same without PIPE mechanism:

C:\MIX\firebird\QA\fbt-repo\tmp>isql /:e30 -user sysdba -pas masterke
Database: /:e30, User: SYSDBA
SQL> set term ^; execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$database' as user 'SYSD
BA' password '' into whoami; suspend; end^ set term ;^

WHOAMI

SYSDBA

SQL> set term ^; execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$database' as user 'SYSD
BA' password ' ' into whoami; suspend; end^ set term ;^

WHOAMI

SYSDBA

SQL> set term ^; execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$database' as user 'SYSD
BA' password ' ' into whoami; suspend; end^ set term ;^

WHOAMI

Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.

I've attached screenshots.


firebird-issue-importer commented Jan 25, 2016

Modified by: @pavel-zotov

Attachment: c5082-pipe.PNG [ 12882 ]

Attachment: c5082-no_pipe.png [ 12883 ]


firebird-issue-importer commented Jan 25, 2016

Commented by: @AlexPeshkoff

The strange behavior happens when you try to use an empty password with a user with the same name as was used to connect to the server. In that case the EDS engine uses the existing connection and, making no new connection, does not perform password validation. I'm not sure whether it is correct to treat a few spaces as an empty password, but that's definitely out of scope of this ticket.


firebird-issue-importer commented Jan 25, 2016

Commented by: @pavel-zotov

> when you try to use empty password with user with same name as was used to connect to server
> In that case EDS engine is using existing connection and making no new connection

So, this is expected behavior, right?


firebird-issue-importer commented Jan 25, 2016

Commented by: @AlexPeshkoff

I'd say that this is acceptable for a zero-length password but rather strange for a password containing a few spaces.
What I can say for sure: this is not an FB3 regression; 2.5 behaves the same way.


firebird-issue-importer commented Jan 25, 2016

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Done successfully
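
The following is an added example, not part of the thread and not the project's own QA test: a Python check that pairs each known-bad credential from the test script in the thread with the isql result it produced, and separates the three outcomes the discussion distinguishes (login rejected with SQLSTATE 28000, the existing connection reused for the same user with an empty or space-only password, and a statement accepted without validation). The function names, verdict labels and the sample output are constructed for illustration.

```python
import re

# isql result markers as they appear in this thread ("set list on" output).
RESULT = re.compile(
    r"^(?:Statement failed, SQLSTATE = (?P<state>\w+)|WHOAMI[ \t]+(?P<who>\S+))[ \t]*$",
    re.MULTILINE,
)

# Known-bad credentials, in script order, taken from the test script in the thread.
CASES = [
    ("non_existent", "qwecXzasd"), ("non_existent", ""), ("SYSDBA", "fullyWrong"),
    ("SYSDBA", ""), ("SYSDBA", " "), ("SYSDBA", "  "),
]

# Constructed sample: output in the shape reported in the thread after the fix.
LOGIN_ERR = ("Statement failed, SQLSTATE = 28000\n"
             "Your user name and password are not defined. "
             "Ask your database administrator to set up a Firebird login.\n")
SAMPLE = LOGIN_ERR * 3 + "\nWHOAMI SYSDBA\n" * 3


def classify(output, cases, session_user):
    """Pair each known-bad credential with its isql result and label it."""
    results = list(RESULT.finditer(output))
    if len(results) != len(cases):
        raise ValueError(f"{len(cases)} statements but {len(results)} results")
    report = []
    for (user, password), m in zip(cases, results):
        same_user = user.upper() == session_user.upper()
        blank = password.strip(" ") == ""  # thread: empty and space-only behave alike
        if m["state"] == "28000":
            verdict = "rejected"
        elif m["state"]:
            verdict = "other-error " + m["state"]
        elif same_user and blank and m["who"].upper() == session_user.upper():
            # Per the thread: the existing connection is used, no new login happens.
            verdict = "reused-session"
        else:
            verdict = "ACCEPTED-WITHOUT-VALIDATION"
        report.append((user, password, verdict))
    return report


def failures(report):
    """Return only the cases where bad credentials ran a statement."""
    return [r for r in report if r[2] == "ACCEPTED-WITHOUT-VALIDATION"]


if __name__ == "__main__":
    for user, password, verdict in classify(SAMPLE, CASES, "SYSDBA"):
        print(f"{user!r:16} {password!r:12} {verdict}")
```

A non-empty result from `failures()` means a statement ran under credentials that should have been refused; `reused-session` rows are the same-user case the thread treats as separate from this ticket.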
