[HACKERS] Interesting CERT advisory

2001-01-10 Thread Mike Mascari


FYI,


CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door Account

   Original release date: January 10, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

 * Borland/Inprise Interbase 4.x and 5.x
 * Open source Interbase 6.0 and 6.01
 * Open source Firebird 0.9-3 and earlier

Overview

   Interbase is an open source database package that had previously been
   distributed in a closed source fashion by Borland/Inprise. Both the
   open and closed source versions of the Interbase server contain a
   compiled-in back door account with a known password.

I. Description

   Interbase is an open source database package that is distributed by
   Borland/Inprise at http://www.borland.com/interbase/ and on SourceForge.
   The Firebird Project, an alternate Interbase package, is also
   distributed on SourceForge. The Interbase server for both distributions
   contains a compiled-in back door account with a fixed, easily located
   plaintext password. The password and account are contained in source
   code and binaries previously made available at the following sites:

  http://www.borland.com/interbase/
  http://sourceforge.net/projects/interbase
  http://sourceforge.net/projects/firebird
  http://firebird.sourceforge.net
  http://www.ibphoenix.com
  http://www.interbase2000.com

   This back door allows any local user or remote user able to access
   port 3050/tcp [gds_db] to manipulate any database object on the
   system. This includes the ability to install trapdoors or other trojan
   horse software in the form of stored procedures. In addition, if the
   database software is running with root privileges, then any file on
   the server's file system can be overwritten, possibly leading to
   execution of arbitrary commands as root.

   This vulnerability was not introduced by unauthorized modifications to
   the original vendor's source. It was introduced by maintainers of the
   code within Borland. The back door account password cannot be changed
   using normal operational commands, nor can the account be deleted from
   existing vulnerable servers [see References].

   This vulnerability has been assigned the identifier CAN-2001-0008 by
   the Common Vulnerabilities and Exposures (CVE) group:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008

   The CERT/CC has not received reports of this back door being exploited
   at the current time. We do recommend, however, that all affected sites
   and redistributors of Interbase products or services follow the
   recommendations suggested in Section III, as soon as possible due to
   the seriousness of this issue.

II. Impact

   Any local user or remote user able to access port 3050/tcp [gds_db]
   can manipulate any database object on the system. This includes the
   ability to install trapdoors or other trojan horse software in the
   form of stored procedures. In addition, if the database software is
   running with root privileges, then any file on the server's file
   system can be overwritten, possibly leading to execution of arbitrary
   commands as root.

III. Solution

Apply a vendor-supplied patch

   Both Borland and The Firebird Project on SourceForge have published
   fixes for this problem. Appendix A contains information provided by
   vendors supplying these fixes. We will update the appendix as we
   receive more information. If you do not see your vendor's name, the
   CERT/CC did not hear from that vendor. Please contact your vendor
   directly.

   Users who are more comfortable making their own changes in source code
   may find the new code available on SourceForge useful as well:

  http://sourceforge.net/projects/interbase
  http://sourceforge.net/projects/firebird

Block access to port 3050/tcp

   This will not, however, prevent local users or users within a
   firewall's administrative boundary from accessing the back door
   account. In addition, the port the Interbase server listens on may be
   changed dynamically at startup.

Appendix A. Vendor Information

Borland

   Please see:

  http://www.borland.com/interbase/

IBPhoenix

   The Firebird project uncovered serious security problems with
   InterBase. The problems are fixed in Firebird build 0.9.4 for all
   platforms. If you are running either InterBase V6 or Firebird 0.9.3,
   you should upgrade to Firebird 0.9.4.

   These security holes affect all versions of InterBase shipped since
   1994, on all platforms.

   For those who can not upgrade, Jim Starkey developed a patch program
   that will correct the more serious problems in any version of
   InterBase on any platform. IBPhoenix chose to release the program
   without charge, given the nature of the problem and our relationship
   to the community.

   At the moment, name service is not set up to the machine that is
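
An added example, not part of the original post, of the CERT advisory, or of the Interbase/Firebird projects' code: a small Python audit that applies the caveat in Section III of the advisory. It parses `ss -ltnp` style listener output (a constructed sample is embedded, not captured from a real host) and flags two things: any listener on 3050/tcp, and any listener owned by an Interbase-looking server process on whatever port it uses, since the advisory notes the listen port can be changed at startup. The server process names (`ibserver`, `gds_inet_server`, `fbserver`) are assumptions; the advisory does not name the binaries, so set them to what your installation actually runs. It also builds iptables commands for the remotely reachable flagged ports, which, as the advisory says, does nothing for local users or hosts inside the firewall boundary.

```python
"""Interbase exposure audit (added example; not from the advisory or the projects).

Parses `ss -ltnp` style output, flags listeners that may be the back-door-bearing
Interbase server, and builds iptables commands for the exposed ports.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_PORT = 3050  # gds_db, per the advisory

# Assumption: names of the Interbase/Firebird server binaries. The advisory does
# not list them; set these to whatever your installation actually runs.
SERVER_NAMES = ("ibserver", "gds_inet_server", "fbserver")

LOOPBACK_ADDRS = ("127.0.0.1", "[::1]", "::1")

# Constructed sample in the format of `ss -ltnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN  0       128     0.0.0.0:3050         0.0.0.0:*          users:(("ibserver",pid=1234,fd=5))
LISTEN  0       128     127.0.0.1:3051       0.0.0.0:*          users:(("ibserver",pid=1240,fd=5))
LISTEN  0       50      *:3050               *:*
LISTEN  0       128     [::]:5432            [::]:*             users:(("postgres",pid=900,fd=4))
"""

_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass
class Listener:
    addr: str
    port: int
    process: Optional[str]  # None when ss could not attribute the socket


@dataclass
class Finding:
    addr: str
    port: int
    process: Optional[str]
    remote: bool               # reachable from other hosts on that interface
    reasons: Tuple[str, ...]   # why this listener was flagged


def parse_ss_line(line: str) -> Optional[Listener]:
    """Return a Listener for a LISTEN row of `ss -ltnp`, or None for headers/other rows."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, sep, port = fields[3].rpartition(":")  # handles "0.0.0.0:3050", "*:3050", "[::]:5432"
    if not sep or not port.isdigit():
        return None
    m = _PROC_RE.search(line)
    return Listener(addr, int(port), m.group(1) if m else None)


def is_remote_reachable(addr: str) -> bool:
    """Loopback binds are reachable only by local users; everything else is network-facing."""
    return addr not in LOOPBACK_ADDRS


def audit(ss_output: str) -> List[Finding]:
    """Flag listeners by default port and by server process name (catches moved ports)."""
    findings = []
    for line in ss_output.splitlines():
        lst = parse_ss_line(line)
        if lst is None:
            continue
        reasons = []
        if lst.port == DEFAULT_PORT:
            reasons.append("default-port")
        if lst.process in SERVER_NAMES:
            reasons.append("server-process")
        if reasons:
            findings.append(Finding(lst.addr, lst.port, lst.process,
                                    is_remote_reachable(lst.addr), tuple(reasons)))
    return findings


def block_rules(findings: List[Finding]) -> List[str]:
    """iptables commands dropping inbound TCP to every remotely reachable flagged port.

    Per the advisory this is a stopgap only: it does nothing for local users or
    hosts inside the firewall boundary, and the server may move ports later.
    """
    ports = sorted({f.port for f in findings if f.remote})
    return [f"iptables -A INPUT -p tcp --dport {p} -j DROP" for p in ports]


if __name__ == "__main__":
    found = audit(SAMPLE_SS_OUTPUT)
    for f in found:
        scope = "REMOTE" if f.remote else "local-only"
        print(f"{f.addr}:{f.port} proc={f.process or '?'} {scope} {','.join(f.reasons)}")
    for rule in block_rules(found):
        print(rule)
```

On a real host, feed it `ss -ltnp` output run as root (unprivileged `ss` omits the process column, which is exactly the column that catches a server moved off 3050). The loopback-only listener on 3051 is still reported, because the advisory's back door is usable by local users too; the firewall rule just does not help with it.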

Re: [HACKERS] Interesting CERT advisory

2001-01-10 Thread Thomas Lockhart

 Both the open and closed source versions of the Interbase server
 contain a compiled-in back door account with a known password.

Darn. We are probably too late in beta to consider adding this feature;
we'll have to play catchup in 7.2 ;)

 - Thomas