Re: Looking for old Interbase proof-of-concept exploit

[Stephen <sa7ori () tasam com>]

I am not sure of an "exploit" per se. However, in my experience, many
interbase dbas have upgraded interbase which claims to have fixed the
backdoor. However, when the upgrades are performed, it has been my
experience that they do not alter the DEFAULT account that is:
sysdba
masterkey
so this is something you might want to keep in mind.
additionally, Interbase requires that you create users with the Server
Manager. I dont believe the console admin util allows account creation.
As far as an "exploit" I am not sure, but with the sql admin account I am
sure it might simly be as easy as loading a blob or object and filling it
with text from a local file, say: /etc/passwd or /etc/shadow-.
I dunno, just and idea.

On Tue, 29 Jan 2002, Charles 'core' Stevenson wrote:

> Hi,
>
> I was reading up on the old Interbase hardcoded backdoor and I'm not
> sure how to go about writing some code to interface with the server and
> perform authentication and execute arbitrary commands. I wondered if
> anyone has created a proof-of-concept exploit or if not has any
> information on the protocol that could help me create my own.
>
> Here's the hardcoded backdoor account information:
>
> #define LOCKSMITH_USER "politically"
> #define LOCKSMITH_PASSWORD "correct"
>
> The server runs on port 3050. It is sometimes spawned from inetd:
>
> #gds_db  stream  tcp     nowait.30000      root
> /usr/local/sbin/gds_inet_server gds_inet_server # InterBase Database
> Remote Server
>
> > From reading the documentation I gather that it no longer needs to be
> run through inetd. I was able to spawn the server by locally running it
> with the '-d' flag.
>
> References:
>
> http://www.cert.org/advisories/CA-2001-01.html
> http://list.cobalt.com/pipermail/cobalt-users/2001-January/030260.html
> http://www.securityfocus.com/bid/2192
>
> Any information would be great.
>
> Best Regards,
> Charles Stevenson