TippingPoint Digital Vaccine Laboratories

Firebird SQL fbserver 'connect' Buffer Overflow Vulnerability

TPTI-07-11: June 11th, 2007

CVE ID

Affected Vendors

Affected Products

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 5067. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Firebird SQL. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the database service fbserver.exe, which binds to TCP port 3050. The service receives socket data in the following format:

[4-byte request][request arguments][data]

The flaw lies in the handling of a "connect" request (operation 0x1). The request is laid out as follows:

typedef struct p_cnct
{
    P_OP    p_cnct_operation;           /* OP_CREATE or OP_OPEN */
    USHORT  p_cnct_cversion;            /* Version of connect protocol */
    P_ARCH  p_cnct_client;              /* Architecture of client */
    CSTRING p_cnct_file;                /* File name */
    USHORT  p_cnct_count;               /* Protocol versions understood */
    CSTRING p_cnct_user_id;             /* User identification stuff */
    struct p_cnct_repeat
    {
        USHORT p_cnct_version;          /* Protocol version number */
        P_ARCH p_cnct_architecture;     /* Architecture of client */
        USHORT p_cnct_min_type;         /* Minimum type */
        USHORT p_cnct_max_type;         /* Maximum type */
        USHORT p_cnct_weight;           /* Preference weight */
    } p_cnct_versions[10];
} P_CNCT;

When a large value is supplied for p_cnct_count, the XDR decoding of the packet loops that many times with no check against the ten entries that p_cnct_versions can hold, so every entry past the tenth is written beyond the end of the structure. This can be abused to overwrite the adjacent rem_port structure and its function-pointer tables (vtables), in particular rem_port->receive, which is called on the next iteration of XDR processing. The vulnerable code looks like this:

protocol.cpp:318
for (i = 0, tail = connect->p_cnct_versions; i < connect->p_cnct_count; i++, tail++)
{
    MAP(xdr_short, reinterpret_cast(tail->p_cnct_version));
    MAP(xdr_enum, reinterpret_cast(tail->p_cnct_architecture));
    MAP(xdr_u_short, tail->p_cnct_min_type);
    MAP(xdr_u_short, tail->p_cnct_max_type);
    MAP(xdr_short, reinterpret_cast(tail->p_cnct_weight));
}

Nothing compares i (or tail) against the ten entries that p_cnct_versions can hold. p_cnct_count is a USHORT read straight from the wire, so it must be bounded before the loop decodes anything into tail.
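The packet layout and the unchecked loop above, as an added worked example that is not Firebird's code and not part of the original advisory: a self-contained C model of the connect request decoder. It assumes a simplified P_CNCT with the same field order (the real PACKET union and rem_port are not reproduced), XDR's rule that ints, shorts and enums travel as big-endian 32-bit words and cstrings as a length followed by bytes padded to four, a constructed request whose field values are arbitrary, and a 256-byte region after the decoded packet that stands in for the rem_port memory the advisory says gets overwritten. The unhardened path reproduces the loop's trust in p_cnct_count; the hardened path adds the single bound check the advisory calls for. The image-size fence in the decoder exists only to keep this demonstration well defined; fbserver has no equivalent.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the advisory's P_CNCT, not Firebird's headers: versions[] holds
 * MAX_VERSIONS entries while count is read straight off the wire. */
#define MAX_VERSIONS 10
#define OP_CONNECT   1
typedef struct { uint16_t version, min_type, max_type, weight; uint32_t architecture; } cnct_repeat;
typedef struct { uint32_t operation, client; uint16_t cversion, count;
                 cnct_repeat versions[MAX_VERSIONS]; } p_cnct;
/* Decoded packet plus bytes standing in for what the server keeps after it (per the
 * advisory, rem_port and its function pointers); one object keeps the demo well defined. */
typedef struct { p_cnct cnct; unsigned char neighbour[256]; } port_image;
typedef struct { const unsigned char *buf; size_t len, pos; } xdr_in;
typedef struct { int stored, dirty; } demo_result;

/* XDR sends every int, short and enum as a big-endian 32-bit word; read n of them. */
static int xdr_get_words(xdr_in *x, uint32_t *w, int n)
{
    for (int k = 0; k < n; k++, x->pos += 4) {
        const unsigned char *p = x->buf + x->pos;
        if (x->len - x->pos < 4) return 0;
        w[k] = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    }
    return 1;
}

static int xdr_skip_cstring(xdr_in *x)       /* 32-bit length, bytes, zero pad to 4 */
{
    uint32_t n;
    if (!xdr_get_words(x, &n, 1) || x->len - x->pos < (((size_t)n + 3) & ~(size_t)3)) return 0;
    x->pos += ((size_t)n + 3) & ~(size_t)3;
    return 1;
}
static int xdr_get_repeat(xdr_in *x, cnct_repeat *r)   /* one p_cnct_repeat: 5 words */
{
    uint32_t w[5];
    if (!xdr_get_words(x, w, 5)) return 0;
    memset(r, 0, sizeof *r);                              /* deterministic padding bytes */
    r->version = (uint16_t)w[0]; r->architecture = w[1]; r->min_type = (uint16_t)w[2];
    r->max_type = (uint16_t)w[3]; r->weight = (uint16_t)w[4];
    return 1;
}

/* Fixed part of the request in P_CNCT order: op, cversion, client, file, count, user_id. */
static int decode_connect_header(xdr_in *x, p_cnct *c)
{
    uint32_t h[3], cnt;
    if (!xdr_get_words(x, h, 3) || !xdr_skip_cstring(x) ||
        !xdr_get_words(x, &cnt, 1) || !xdr_skip_cstring(x)) return 0;
    c->operation = h[0]; c->cversion = (uint16_t)h[1]; c->client = h[2]; c->count = (uint16_t)cnt;
    return h[0] == OP_CONNECT;
}
/* The advisory's loop: unhardened, i runs to count with no comparison against
 * MAX_VERSIONS, so entry i lands at versions[i] even for i >= 10 (stored by byte offset
 * so the over-run falls into img->neighbour; the image-size test is a demo-only fence).
 * Hardened adds the one missing check. Returns entries stored, or -1. */
static int decode_versions(xdr_in *x, port_image *img, int hardened)
{
    if (hardened && img->cnct.count > MAX_VERSIONS) return -1;
    for (uint16_t i = 0; i < img->cnct.count; i++) {
        cnct_repeat r;
        size_t off = offsetof(p_cnct, versions) + (size_t)i * sizeof r;
        if (off + sizeof r > sizeof *img || !xdr_get_repeat(x, &r)) return -1;
        memcpy((unsigned char *)img + off, &r, sizeof r);   /* i.e. *tail++ = r */
    }
    return img->cnct.count;
}

/* Constructed request: empty file name and user id, `count` entries with arbitrary
 * field values; 24 header bytes plus 20 per entry, XDR-encoded as big-endian words. */
#define MAX_DEMO_COUNT 64
static size_t build_connect(unsigned char *out, uint16_t count)
{
    uint32_t w[6 + 5 * MAX_DEMO_COUNT] = { OP_CONNECT, 2, 1, 0, count, 0 }; /* op,cversion,client,"",count,"" */
    int n = 6;
    for (uint16_t i = 0; i < count; i++) {           /* version, arch, min, max, weight */
        w[n++] = 10; w[n++] = 1; w[n++] = 1; w[n++] = 5; w[n++] = i;
    }
    for (int k = 0; k < n; k++)
        for (int b = 0; b < 4; b++) out[4 * k + b] = (unsigned char)(w[k] >> (24 - 8 * b));
    return (size_t)n * 4;
}

/* Decode a `count`-entry packet with the unchecked (0) or hardened (1) loop: entries
 * stored (-1 = rejected/error) and bytes of img->neighbour (pre-filled 0xAA) overwritten. */
demo_result decode_demo(uint16_t count, int hardened)
{
    unsigned char pkt[24 + 20 * MAX_DEMO_COUNT];
    port_image img;
    demo_result res = { -1, 0 };
    if (count > MAX_DEMO_COUNT) return res;
    xdr_in x = { pkt, build_connect(pkt, count), 0 };
    memset(&img, 0xAA, sizeof img);
    if (decode_connect_header(&x, &img.cnct)) res.stored = decode_versions(&x, &img, hardened);
    for (size_t i = 0; i < sizeof img.neighbour; i++) res.dirty += img.neighbour[i] != 0xAA;
    return res;
}
```

decode_demo(12, 0) decodes all twelve entries and reports two cnct_repeat entries' worth of the neighbouring region overwritten (the entries past the tenth), whereas decode_demo(12, 1) rejects the packet before storing anything. The count that fbserver accepts is a full USHORT, so in the real service the over-run is bounded only by the packet length the attacker chooses.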

Vendor Response

Firebird has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2007-02-01 - Vulnerability reported to vendor
    2007-06-11 - Coordinated public release of advisory

Credit

This vulnerability was discovered by: