Hi to all!
In the latest Firebird release (1.5.3) various security problems has
been fixed. Attached goes an advisory about 2 of these.--- Joxean Koret
---------------------------------------------------------------------------
Buffer Overflow and Installation Script Error in Firebird 1.5.3
---------------------------------------------------------------------------
Author: Jose Antonio Coret (Joxean Koret)
Date: 2005-02-18
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Product: Firebird
Vulnerable Version: 1.5.2.4731
Description:
Firebird is a relational database offering many ANSI SQL-99 features that runs
on Linux, Windows, and a variety of Unix platforms. Firebird offers excellent
concurrency, high performance, and powerful language support for stored
procedures and triggers. It has been used in production systems, under a
variety
of names since 1981.
Web : http://firebird.sourceforge.net
---------------------------------------------------------------------------
Vulnerability List:
~~~~~~~~~~~~~~~~~~~
A.- Install script makes fb_inet_server and fbserver suid firebird unnecesarily
B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries
Vulnerabilities:
~~~~~~~~~~~~~~~~
A.- Install script makes fb_inet_server and fbserver suid firebird unnecesarily
- The installation script of Firebird 1.5.2 makes the binaries fb_inet_server
and fbserver suid firebird but this is unnecesary. If you takes a look to the
install script "firebird1.5.2.XXXX/scripts/postinstall.sh" you will see the
following lines:
(...)
# SUID is still needed for group direct access. General users
# cannot run though.
for i in fb_lock_mgr gds_drop fb_inet_server
do
if [ -f $i ]
then
chmod ug=rx,o= $i
chmod ug+s $i
fi
done
(...)
but, as the author says the fb_inet_server (at least) doesn't need to be suid
firebird.
The following is a fragment of Alex Peshkov (a Firebird developer) response
about
this problem:
They need not and should not be set*id. And in standard precompiled
binaries fbserver is not setuid. But for unknown to me reasons
fb_inet_server is made setuid 'firebird' by install script (Debian guys
fixed it, I think). I've noticed it, unfortunately, after release of
1.5.2, but definitely will fix it in future releases. Except security
vulnerability this brings additional problem when one wants to change
fb_inet_server run-user - changing only xinetd.d entry is not enough.
- Debian distributions are not vulnerable to this problem. As the Alex Peshkov
says
Debian people has been fixed it.
B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries
- The '-p' argument to the fb_inet_server and fbserver binaries is vulnerable
to buffer overflows. If an string of more than 150 characters is passed to the
'-p' parameter of any of these binaries the program will crash with a
"Segmentation Fault" message.
- The following is a test of the vulnerability:
/usr/lib/firebird2/bin$ ls
fb_lock_print fbguard fbmgr fbmgr.bin fbserver gsec
/usr/lib/firebird2/bin$ ./fbserver -p `perl -e 'print "a"x155;'`1234
Segmentation fault
The program dies abruptly. The bytes passeds from position 155 to 159
overwrites the return address:
/usr/lib/firebird2/bin$ gdb ./fbserver
GNU gdb 6.3
(...)
(gdb) run -p `perl -e 'print "a"x155;'`4321
Starting program: /usr/lib/firebird2/bin/fbserver -p `perl -e 'print
"a"x155;'`4321
(...)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210892160 (LWP 25358)]
0x31323334 in ?? ()
We have been overwrite the return address with the bytes 0x31 0x32 0x33 0x34,
the numbers 4 3 2 1 in reverse order.
(gdb) where
#0 0x31323334 in ?? ()
#1 0x08233496 in ?? ()
#2 0x00000000 in ?? ()
#3 0xbffff9b0 in ?? ()
#4 0x00006161 in ?? ()
#5 0x00000000 in ?? ()
#6 0x00000000 in ?? ()
#7 0x00000000 in ?? ()
#8 0x00000000 in ?? ()
#9 0x00000000 in ?? ()
#10 0xbffff9b0 in ?? ()
#11 0x00000000 in ?? ()
#12 0x00000000 in ?? ()
#13 0x00000000 in ?? ()
#14 0xbffffb04 in ?? ()
#15 0x0804e370 in ?? ()
#16 0x00000000 in ?? ()
#17 0xbffffd50 in ?? ()
#18 0x00000000 in ?? ()
#19 0x00000000 in ?? ()
#20 0x00000000 in ?? ()
#21 0x00000000 in ?? ()
#22 0x00000000 in ?? ()
Notes:
~~~~~~
- Various other problems, not discovered by me, has been fixed in the 1.5.3
version. I encourage to upgrade to the newest version as soon as possible.
Patches for the 1.5.2 version:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The following are patches to solve ONLY the problems that I have been found.
Patch for installation script:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------------------START OF THE PATCH----------------------------
--- scripts/postinstall.sh 2005-03-25 14:24:40.091819144 +0100
+++ scripts/postinstall.sh.corrected 2005-03-25 14:08:47.777592912 +0100
@@ -401,7 +401,7 @@
# SUID is still needed for group direct access. General users
# cannot run though.
- for i in fb_lock_mgr gds_drop fb_inet_server
+ for i in fb_lock_mgr gds_drop
do
if [ -f $i ]
then
@@ -508,7 +508,7 @@
# SUID is still needed for group direct access. General users
# cannot run though.
- for i in fb_lock_mgr gds_drop fb_inet_server
+ for i in fb_lock_mgr gds_drop
do
if [ -f $i ]
then
---------------------END OF THE PATCH------------------------------
Patch for fb_inet_server and/or fbserver buffer overflow:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------------------START OF THE PATCH----------------------------
--- src/remote/inet_server.cpp 2004-09-29 12:03:39.000000000 +0200
+++ src/remote/inet_server.cpp.corrected 2005-03-25 14:17:59.698688152
+0100
@@ -32,7 +32,7 @@
*
*/
/*
-$Id: inet_server.cpp,v 1.26.2.2 2004/09/29 10:03:39 paul_reeves Exp $
+$Id: inet_server.cpp,v 1.26.2.3 2005/03/23 12:59:25 alexpeshkoff Exp $
*/
#include "firebird.h"
#include "../jrd/ib_stdio.h"
@@ -277,7 +277,10 @@
break;
case 'P':
- sprintf(protocol, "/%s", *argv++);
+ protocol[0] = '/';
+ protocol[1] = 0;
+ strncat(protocol, *argv++,
+ sizeof(protocol) -
strlen(protocol) - 1);
break;
case 'H':
@@ -407,12 +410,9 @@
/* before starting the superserver stuff change directory to tmp */
if (CHANGE_DIR(TEMP_DIR)) {
- char err_buf[1024];
-
/* error on changing the directory */
- sprintf(err_buf, "Could not change directory to %s due to errno
%d",
+ gds__log("Could not change directory to %s due to errno %d",
TEMP_DIR, errno);
- gds__log(err_buf);
}
/* Server tries to attash to security.fdb to make sure everything is OK
---------------------END OF THE PATCH------------------------------
The fix:
~~~~~~~~
The problems are fixed, in the current 1.5.3 version of the Firebird binary
distribution.
Thanks
~~~~~~
Thanks to Alex Peshkov, he where very kind and professional.
Timeline:
~~~~~~~~~
2005-02-18: Initial contact.
2005-02-11: Contact with Alex Peshkov.
2005-03-25: BOF (and various others) fixed in CVS.
2005-03-25: Wait for ~2 months after the 1.5.3 release.
2006-01-25: Firebird 1.5.3 released.
2006-03-12: Public disclosure.
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
signature.asc
Description: Esta parte del mensaje está firmada digitalmente
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
