CVE-2004-2043 - Remote Pre-Authentication Database Name Buffer Overrun vulnerability in Firebird

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
borland-software
firebirdsql
nessus
exploit available

Summary

Buffer overflow in ibserver for Firebird Database 1.0 and other versions before 1.5, and possibly other products that use the InterBase codebase, allows remote attackers to cause a denial of service (crash) via a long database name, as demonstrated using the gsec command. Note the severity mismatch on this page: the CVSS scoring above rates this as a crash only (availability impact partial, no confidentiality or integrity impact), whereas Tenable's remote plugin 12246 below describes it as a stack-based overflow that gives "full access to the target machine" and scores it C:C/I:C/A:C, and two public exploits (EDB-ID 24165 and EDB-ID 303) are listed. The flaw is reachable before authentication, so an unpatched server before 1.5 exposed on TCP 3050 should be treated as at risk of remote code execution, not merely a crash; upgrade to 1.5.0 or later (Debian sarge: firebird2 1.5.1-4sarge1).

Exploit-Db

  • descriptionFirebird 1.0 Remote Pre-Authentication Database Name Buffer Overrun Vulnerability. CVE-2004-2043. Remote exploit for linux platform
    idEDB-ID:24165
    last seen2016-02-02
    modified2004-06-01
    published2004-06-01
    reporterwsxz
    sourcehttps://www.exploit-db.com/download/24165/
    titleFirebird 1.0 - Remote Pre-Authentication Database Name Buffer Overrun Vulnerability
  • descriptionBorland Interbase <= 7.x Remote Exploit. CVE-2004-2043. Remote exploit for linux platform
    idEDB-ID:303
    last seen2016-01-31
    modified2004-06-25
    published2004-06-25
    reporterAviram Jenik
    sourcehttps://www.exploit-db.com/download/303/
    titleBorland Interbase <= 7.x - Remote Exploit

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1014.NASL
    descriptionAviram Jenik and Damyan Ivanov discovered a buffer overflow in firebird2, an RDBMS based on InterBase 6.0 code, that allows remote attackers to crash.
    last seen2020-06-01
    modified2020-06-02
    plugin id22556
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22556
    titleDebian DSA-1014-1 : firebird2 - buffer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1014. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration pass: Nessus evaluates this block once while loading
    # the plugin (description == TRUE) and exits before any host is scanned.
    # The dpkg version checks further down never run in this pass.
    if (description)
    {
      script_id(22556);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2004-2043");
      script_bugtraq_id(10446);
      script_xref(name:"DSA", value:"1014");
    
      script_name(english:"Debian DSA-1014-1 : firebird2 - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Aviram Jenik and Damyan Ivanov discovered a buffer overflow in
    firebird2, an RDBMS based on InterBase 6.0 code, that allows remote
    attackers to crash."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357580"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1014"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the firebird2 packages.
    
    The old stable distribution (woody) does not contain firebird2
    packages.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 1.5.1-4sarge1."
      );
      # Scored as a crash only (A:P). The sibling remote plugin 12246 for the
      # same CVE scores it C:C/I:C/A:C (code execution); the DSA text above
      # only claims a crash, so this vector follows the advisory.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # "local": this plugin compares installed package versions over SSH and
      # never talks to the Firebird service on port 3050.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firebird2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      # NOTE(review): 2002/06/17 predates the 2004 exploit and BID 10446 dates
      # referenced elsewhere for this CVE -- verify against the original advisory.
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/06/17");
      # Must come after every script_set_attribute() call above.
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Needs an SSH session with local checks enabled and the dpkg -l
      # inventory in the KB; the guards below audit out if any are missing.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Bail out (via audit(), which reports and exits) unless SSH local checks
    # ran, the host identified itself as Debian, and a dpkg -l inventory exists.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # DSA-1014 fixed every firebird2 binary package on sarge (Debian 3.1) in
    # this single upload, so one reference version covers the whole list.
    fixed_version = "1.5.1-4sarge1";
    sarge_packages = make_list(
      "firebird2-classic-server",
      "firebird2-dev",
      "firebird2-examples",
      "firebird2-server-common",
      "firebird2-super-server",
      "firebird2-utils-classic",
      "firebird2-utils-super",
      "libfirebird2-classic",
      "libfirebird2-super"
    );
    
    # Count packages that are installed at a version older than the fix.
    # deb_check() presumably also records each hit for deb_report_get() below,
    # since nothing else feeds the report.
    outdated = 0;
    foreach pkg (sarge_packages)
    {
      if (deb_check(release:"3.1", prefix:pkg, reference:fixed_version)) outdated++;
    }
    
    if (outdated)
    {
      # Verbose reports attach the per-package version comparison.
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDatabases
    NASL idFIREBIRD_BO.NASL
    descriptionThe remote host is running Firebird database. The remote version of this service is vulnerable to a remote stack-based overflow. An attacker, exploiting this hole, would be given full access to the target machine. Versions of Firebird database less than 1.5.0 are reportedly vulnerable to this overflow.
    last seen2020-06-01
    modified2020-06-02
    plugin id12246
    published2004-05-25
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/12246
    titleFirebird DB Remote Database Name Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Plugin registration pass: evaluated once when Nessus loads the plugin,
    # then exit(0) -- the network probe below never runs in this pass.
    if(description)
    {
     script_id(12246);
     script_cve_id("CVE-2004-2043");
     script_bugtraq_id(10446);
     script_version ("1.20");
     script_name(english:"Firebird DB Remote Database Name Overflow");
    
     script_set_attribute(attribute:"synopsis", value:
    "It is possible to execute code on the remote host." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running Firebird database.  The remote version of
    this service is vulnerable to a remote stack-based overflow. 
    
    An attacker, exploiting this hole, would be given full access to the
    target machine.  Versions of Firebird database less than 1.5.0 are
    reportedly vulnerable to this overflow." );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to version 1.5.0 or higher." );
     # Scored as full compromise (C:C/I:C/A:C). The NVD entry and the Debian
     # DSA-1014 plugin for the same CVE score it as a crash only (A:P); this
     # plugin follows the public exploits rather than the advisory wording.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/05/25");
     # NOTE(review): 2002/06/17 predates the 2004 exploit/BID dates for this
     # CVE -- verify against the original advisory.
     script_set_attribute(attribute:"vuln_publication_date", value: "2002/06/17");
     script_cvs_date("Date: 2018/07/11 17:09:24");
    # "remote": this plugin talks to the Firebird listener directly (TCP 3050).
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:firebirdsql:firebird");
    # Must follow every script_set_attribute() call above.
    script_end_attributes();
    
    
     summary["english"] = "Firebird DB remote buffer overflow";
     script_summary(english:summary["english"]);
    
     # ACT_MIXED_ATTACK: with safe checks disabled, the probe below sends a
     # 300-byte database name that is expected to crash the service, then
     # reports a hole if the service stops answering. Do not run this category
     # against production databases without safe checks on.
     script_category(ACT_MIXED_ATTACK);
    
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Databases");
     script_dependencie("find_service1.nasl");
     # NOTE(review): 139 and 445 are listed here, but the script body only ever
     # probes port 3050 and exits if it is closed -- the SMB ports look like a
     # leftover; confirm before relying on this plugin being scheduled by them.
     script_require_ports(3050,139,445);
     exit(0);
    }
    
    
    # start script
    
    
    # Hard-coded Firebird default listener; firebird_request() reads this global
    # rather than taking a port argument. Servers bound to a non-default port
    # are not tested.
    port = 3050;
    if (!get_tcp_port_state(port)) exit(0);
    
    # Global debug switch read by firebird_request() and the probe logic below;
    # 1 prints progress to the plugin's stdout via display().
    DEBUG = 0;
    
    # Build and send a hand-crafted Firebird wire-protocol exchange to the
    # global `port` on the target and return the server's reply.
    #
    #   myuser  - user name placed in the second (attach) packet; unused when
    #             ptype is anything other than "attach"
    #   myfile  - database name/path embedded in BOTH packets; the probes below
    #             pass 299/300 filler bytes here to trigger the overflow
    #   ptype   - "connect": send the first packet only and return its reply
    #             "attach":  send the first packet, require a reply whose
    #                        4th byte is 3, then send the second packet and
    #                        return the reply to that
    #
    # Returns the raw reply (more than 4 bytes) or the string "ERROR" when the
    # socket cannot be opened, the attach handshake gets no acceptable reply,
    # or fewer than 5 bytes come back. Callers compare against "ERROR", so a
    # genuine reply that happened to equal that string would be misread; the
    # 16-byte binary replies seen here make that unlikely but not impossible.
    function firebird_request(myuser,myfile, ptype)
    {
    	local_var myfilelen, myuserlen, opcode, r, req, req2, soc;
    	local_var machinename, mymachinelen, mynamelen, name;
    	local_var stuff1, stuff2, stuff3, stuff4;
    
    	req = req2 = NULL;
    	# First packet. The leading 4-byte opcode 0x00000001 is presumably the
    	# protocol's "connect" operation -- TODO confirm against the Firebird
    	# remote protocol headers; the surrounding constant bytes are replayed
    	# verbatim from a captured handshake and are not interpreted here.
    	opcode = raw_string(0x00,0x00,0x00,0x01);
    	stuff1 = raw_string(0x00,0x00,0x00,0x13,0x00,0x00,
    	                    0x00,0x02,0x00,0x00,0x00,0x1d,
                                0x00,0x00,0x00);
    
    	# NOTE(review): raw_string(strlen(...)) emits ONE byte. stuff1 ends in
    	# three 0x00 bytes, so together they form a 4-byte big-endian length --
    	# but only for names up to 255 bytes. For the 299/300-byte probes used
    	# below the value does not fit in a byte and is presumably truncated,
    	# making the length prefix disagree with the payload; verify that the
    	# probe still triggers on a known-vulnerable 1.0 build before trusting
    	# a negative result.
    	myfilelen = raw_string(strlen(myfile));
           	stuff2 = raw_string(0x00,0x00,0x00,0x00,0x00,0x00,
    	                    0x02,0x00,0x00,0x00,0x1a,0x01);
    
    	# Fixed user/host identification strings sent in the first packet.
    	name = string("SCAN CHECK");
    	name += raw_string(0x04);
    	mynamelen = raw_string(strlen(name));
    	machinename = string("nessusscan");
    	mymachinelen = raw_string(strlen(machinename));
    
            req = opcode + stuff1 + myfilelen + myfile + stuff2 + mynamelen +
                  name + mymachinelen + machinename;
    
    	# Trailer replayed from the captured handshake (not interpreted).
    	req += raw_string(0x06,0x00,0x00,0x00,0x00,0x00,0x00,
                              0x08,0x00,0x00,0x00,0x01,0x00,0x00,
                              0x00,0x02,0x00,0x00,0x00,0x03,0x00,
    		          0x00,0x00,0x02,0x00,0x00,0x00,0x0a,
                              0x00,0x00,0x00,0x01,0x00,0x00,0x00,
    		          0x02,0x00,0x00,0x00,0x03,0x00,0x00,
                              0x00,0x04);
    
    	# Second packet, only for "attach". Opcode 0x00000013 is presumably the
    	# "attach database" operation -- TODO confirm. It carries myfile again
    	# with the same single-byte length prefix, plus myuser and a fixed
    	# (captured) password-looking blob; these locals shadow the ones used
    	# for req above, which is already assembled at this point.
    	if (ptype == "attach")
    	{
     		opcode = raw_string(0x00,0x00,0x00,0x13);
    		stuff1 = raw_string(0x00,0x00,0x00,0x00,0x00,0x00,0x00);
                    myfilelen = raw_string(strlen(myfile));
    		stuff2 = raw_string(0x00,0x00,0x00,0x00,0x00,0x00,0x20,
                                        0x01,0x1c);
    		myuserlen = raw_string(strlen(myuser), 0x1e);
    	 	stuff3 = string("yWIQESaQ6ty");
    		stuff4 = raw_string(0x3a,0x04,0x00,0x00,0x00,0x00,0x3e,0x00);	
    		req2 = opcode + stuff1 + myfilelen + myfile + stuff2 + myuserlen +
    		      myuser + stuff3 + stuff4;
    	}
    			
    				
    	# A fresh TCP connection per call; `port` and `DEBUG` are file globals.
            soc = open_sock_tcp(port);
            if (! soc)
    	{
    		if (DEBUG)
    		{
    			display("can't open a socket to remote host\n");
    		}
    	        return("ERROR"); 
    	}
    
            send(socket:soc, data:req);
    
    	if (ptype == "attach")
    	{
    		# Only proceed to the attach packet if the server answered the
    		# first packet with a 4th byte of 3 (the caller's "accepted" test).
    		# NOTE(review): r[3] is read as soon as r is non-empty; a reply
    		# shorter than 4 bytes would index past the end -- confirm NASL's
    		# behaviour here or check strlen(r) > 3 first.
    		r = recv(socket:soc, length:16);
    		if ( r && (ord(r[3]) == 3) )
    		{
    			send(socket:soc, data:req2);
    		}
    		else
    		{
    			close(soc);
    
    			if (DEBUG)
    			{
    				display("did not receive a reply after connect packet\n");
    			}
    
    			return("ERROR");
    		}
    	}
    
    	# Read at most 16 bytes of the final reply; anything longer is ignored.
    	r = recv(socket:soc, length:16);
    
    	close(soc);
    
    	# Replies of 4 bytes or fewer are treated as no reply.
    	if (strlen(r) > 4)
    	{
    		return(r);
    	}
    	else
    	{
    		if (DEBUG)
    		{
    			display(string("recv only returned ", strlen(r), " bytes\n"));
    		}
    		return("ERROR");
    	}
    }
    	        
    	        
    
    	
    
    
    # Step 1: plain connect with a harmless (non-existent) database name to
    # confirm something on the port speaks the protocol at all.
    reply = firebird_request(myfile:"nessusr0x", ptype:"connect");
    
    if (reply == "ERROR")
    	exit(0);
    
    # Step 2: gate on the first four reply bytes being 00 00 00 03.
    # NOTE(review): firebird_request()'s attach path REQUIRES the 4th byte of
    # the reply to the same kind of packet to be 3 before it continues, yet
    # here that exact reply makes the plugin exit as not vulnerable. Either
    # this distinguishes a version by how it answers a connect for an unknown
    # database, or the condition is inverted -- confirm against a live
    # Firebird 1.0 before trusting a negative result from this plugin.
    if (  ( ord(reply[0]) == 0) &&
          ( ord(reply[1]) == 0) &&
          ( ord(reply[2]) == 0) &&
          ( ord(reply[3]) == 3)   ) 
    {
    	exit(0);
    }
    
    
    if ( safe_checks() )
    {
    	# patched systems will *not* respond to a 299 byte filename request 
    	# NOTE(review): "safe" is relative -- 299 bytes is one byte short of
    	# the 300-byte crash payload used in the unsafe branch, so on a
    	# vulnerable 1.0 server this may still disturb the process depending on
    	# where the overflowed buffer actually ends.
    	reply = firebird_request(myuser:"nessusr0x" ,myfile:string(crap(299)), ptype:"attach");
    	
    	if (reply == "ERROR")
    		exit(0);
    
    	# NOTE(review): this test is always true here -- firebird_request()
    	# already returns "ERROR" for any reply of 4 bytes or fewer, so any
    	# non-error reply has strlen > 4. The effective rule is "any reply to
    	# the attach packet == vulnerable"; a patched server that answers with
    	# a protocol-level error would be flagged too. Checking the reply
    	# opcode rather than its length would be the stricter test.
    	if (strlen(reply) > 0)
    	{
    		security_hole(port);
    		exit(0);
    	}
    
    }
    else
    {
    	# Destructive path: send the 300-byte name that crashes vulnerable
    	# servers, then see whether the listener still answers a connect.
    	reply = firebird_request(myuser:"nessusr0x" ,myfile:string(crap(300)), ptype:"attach");
    	if (DEBUG)
    	{
    		display("sent malicious attach packet\n");
    	}
    
    	reply = firebird_request(myfile:"nessusr0x", ptype:"connect");
    
    	# (Logged after the request above has already been sent.)
    	if (DEBUG)
    	{
    		display("sending final connect request to DB\n");
    	}
    
    	# NOTE(review): "ERROR" also covers a failed open_sock_tcp() or a short
    	# reply, so a transient network hiccup or a server that is merely slow
    	# to restart after the first probe is reported as a confirmed hole; a
    	# retry with a short delay before concluding would reduce false
    	# positives. There is no check that the crash probe itself was sent.
    	if (reply == "ERROR")
    	{
    		security_hole(port);
    		exit(0);
    	}
    }