Firebird SQL fbserver 'connect' Buffer Overflow Vulnerability
TPTI-07-11: June 11th, 2007

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 5067. For further product information on the TippingPoint IPS:

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Firebird SQL. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the database service fbserver.exe, which binds to TCP port 3050. The service receives socket data in the following format:
[4-byte request][request arguments][data]
A vulnerability exists in Firebird SQL when a "connect" request (0x1) is specified. The request is laid out as follows.
typedef struct p_cnct
{
    P_OP    p_cnct_operation;        /* OP_CREATE or OP_OPEN */
    USHORT  p_cnct_cversion;         /* Version of connect protocol */
    P_ARCH  p_cnct_client;           /* Architecture of client */
    CSTRING p_cnct_file;             /* File name */
    USHORT  p_cnct_count;            /* Protocol versions understood */
    CSTRING p_cnct_user_id;          /* User identification stuff */
    struct                           /* one entry per protocol version offered; fixed-size array */
    {
        USHORT  p_cnct_version;      /* Protocol version number */
        P_ARCH  p_cnct_architecture; /* Architecture of client */
        USHORT  p_cnct_min_type;     /* Minimum type */
        USHORT  p_cnct_max_type;     /* Maximum type */
        USHORT  p_cnct_weight;       /* Preference weight */
    } p_cnct_versions[10];           /* array bound assumed here (10 in the affected source) */
} P_CNCT;
When a large value for p_cnct_count is specified, the loop that XDR-decodes the p_cnct_versions entries runs without any bound check and writes past the end of the fixed-size array. The overwritten memory includes the local rem_port structure and its vtables, in particular the rem_port->receive function pointer, which is called on the next iteration of XDR processing. The vulnerable code looks like this:
for (i = 0, tail = connect->p_cnct_versions; i < connect->p_cnct_count; i++, tail++)
Here p_cnct_count is never compared against the size of p_cnct_versions, so tail advances past the end of the array while the loop runs.
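As an added illustration (not Firebird's own xdr_protocol code), the following simplified C decoder models the XDR layout of the connect request and applies the bound the vulnerable loop lacked: p_cnct_count is rejected before the p_cnct_versions loop runs, and every read is checked against the end of the packet. The array size CNCT_VERSIONS, the OP_CONNECT value and the sample packet are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define CNCT_VERSIONS 10   /* entries in p_cnct_versions[]; assumed (10 in the affected source) */
#define OP_CONNECT     1   /* the "connect" request (0x1) */

struct cnct_version { uint32_t version, arch, min_type, max_type, weight; };
struct cnct_req { uint32_t op, cversion, client, count; struct cnct_version versions[CNCT_VERSIONS]; };

static int xdr_u32(const uint8_t **p, const uint8_t *end, uint32_t *v)   /* XDR int: 4 bytes big-endian */
{
    if (end - *p < 4) return 0;                                            /* truncated packet */
    *v = (uint32_t)(*p)[0] << 24 | (uint32_t)(*p)[1] << 16 | (uint32_t)(*p)[2] << 8 | (*p)[3];
    *p += 4; return 1;
}

static int xdr_skip_string(const uint8_t **p, const uint8_t *end)        /* CSTRING: len, bytes, pad to 4 */
{
    uint32_t n;
    if (!xdr_u32(p, end, &n) || n > (size_t)(end - *p)) return 0;        /* length runs past the buffer */
    size_t padded = ((size_t)n + 3) & ~(size_t)3;                         /* cannot overflow: n <= end - *p */
    if (padded > (size_t)(end - *p)) return 0;                            /* padding bytes missing */
    *p += padded; return 1;
}

/* Decode a connect request: 0 on success, -1 if malformed or p_cnct_count exceeds the array. */
int parse_connect(const uint8_t *buf, size_t len, struct cnct_req *out)
{
    const uint8_t *p = buf, *end = buf + len;
    memset(out, 0, sizeof *out);
    if (!xdr_u32(&p, end, &out->op) || out->op != OP_CONNECT) return -1;
    if (!xdr_u32(&p, end, &out->cversion) || !xdr_u32(&p, end, &out->client)) return -1;
    if (!xdr_skip_string(&p, end)) return -1;                             /* p_cnct_file */
    if (!xdr_u32(&p, end, &out->count)) return -1;
    if (out->count > CNCT_VERSIONS) return -1;                            /* the check the vulnerable loop lacked */
    if (!xdr_skip_string(&p, end)) return -1;                             /* p_cnct_user_id */
    for (uint32_t i = 0; i < out->count; i++) {                           /* now always within versions[] */
        struct cnct_version *t = &out->versions[i];
        if (!xdr_u32(&p, end, &t->version) || !xdr_u32(&p, end, &t->arch) || !xdr_u32(&p, end, &t->min_type) ||
            !xdr_u32(&p, end, &t->max_type) || !xdr_u32(&p, end, &t->weight)) return -1;
    }
    return 0;
}

/* Constructed sample packet: op=1, cversion=2, client=1, file="", count=1, user_id="", one version entry. */
static const uint8_t sample_ok[44] = {
    0,0,0,1, 0,0,0,2, 0,0,0,1, 0,0,0,0, 0,0,0,1, 0,0,0,0,
    0,0,0,10, 0,0,0,1, 0,0,0,0, 0,0,0,3, 0,0,0,2 };

int parse_sample(uint32_t count)            /* parse the sample with p_cnct_count (bytes 16..19) set to count */
{
    uint8_t pkt[sizeof sample_ok]; struct cnct_req r;
    memcpy(pkt, sample_ok, sizeof pkt);
    pkt[16] = (uint8_t)(count >> 24); pkt[17] = (uint8_t)(count >> 16);
    pkt[18] = (uint8_t)(count >> 8);  pkt[19] = (uint8_t)count;
    return parse_connect(pkt, sizeof pkt, &r);
}
```

A count of 1 matches the single entry in the sample and decodes; a count of 2 is rejected because the packet is too short, and 0xFFFF is rejected by the array bound before any entry is read.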
Vendor Response
Firebird has issued an update to correct this vulnerability. More details can be found at:
2007-02-01 - Vulnerability reported to vendor
2007-06-11 - Coordinated public release of advisory