CVE-2007-3181 - Remote Buffer Overflow vulnerability in Firebird SQL Fbserver

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

Buffer overflow in fbserver.exe in Firebird SQL 2 before 2.0.1 allows remote attackers to execute arbitrary code via a large p_cnct_count value in a p_cnct structure in a connect (0x01) request to port 3050/tcp, related to "an InterBase version of gds32.dll." Failed exploit attempts will likely cause a denial of service on the server.

Exploit-Db

description: Firebird SQL Fbserver 2.0 Remote Buffer Overflow Vulnerability. CVE-2007-3181. Remote exploit for linux platform
id: EDB-ID:30186
last seen: 2016-02-03
modified: 2007-06-12
published: 2007-06-12
reporter: Cody Pierce
source: https://www.exploit-db.com/download/30186/
title: Firebird SQL Fbserver 2.0 - Remote Buffer Overflow Vulnerability

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200707-01.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200707-01 (Firebird: Buffer overflow) Cody Pierce from TippingPoint DVLabs has discovered a buffer overflow when processing
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25641
    published: 2007-07-02
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/25641
    title: GLSA-200707-01 : Firebird: Buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200707-01.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Plugin identity and the advisory / CVE it tracks.
      script_id(25641);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:44");
      script_cve_id("CVE-2007-3181");
      script_xref(name:"GLSA", value:"200707-01");
      script_name(english:"GLSA-200707-01 : Firebird: Buffer overflow");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      # Report text, taken from the GLSA.
      script_set_attribute(attribute:"synopsis", value:
    "The remote Gentoo host is missing one or more security-related
    patches.");
      script_set_attribute(attribute:"description", value:
    "The remote host is affected by the vulnerability described in GLSA-200707-01
    (Firebird: Buffer overflow)
    
        Cody Pierce from TippingPoint DVLabs has discovered a buffer overflow
        when processing 'connect' requests with an overly large 'p_cnct_count'
        value.
      
    Impact :
    
        An unauthenticated remote attacker could send a specially crafted
        request to a vulnerable server, possibly resulting in the execution of
        arbitrary code with the privileges of the user running Firebird.
      
    Workaround :
    
        There is no known workaround at this time.");
      script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/200707-01");
      script_set_attribute(attribute:"solution", value:
    "All Firebird users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=dev-db/firebird-2.0.1'");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      # Classification, affected product and dates.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:firebird");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/07/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/07/02");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/11");
      script_end_attributes();
    
      # Local check: depends on the package list gathered over SSH.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions: the SSH-based local checks must have collected the Gentoo
    # release and the installed-package (qpkg) list.  audit() is expected to
    # report the reason and exit when one of them is missing, as the rest of
    # the script assumes.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # A single affected package; anything below the fixed 2.0.1 release counts.
    affected = qpkg_check(
      package:"dev-db/firebird",
      unaffected:make_list("ge 2.0.1"),
      vulnerable:make_list("lt 2.0.1")
    );
    
    if (!affected)
    {
      # Distinguish "installed but already fixed" from "not installed at all".
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Firebird");
    }
    else
    {
      # Attach the package/version evidence only when verbose reporting is on.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: Databases
    NASL id: FIREBIRD_OVERFLOW.NASL
    description: The version of Firebird installed on the remote host is vulnerable to a buffer overflow in its protocol handling routine. By sending a specially crafted
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25492
    published: 2007-06-13
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/25492
    title: Firebird DataBase Server fbserver.exe p_cnct_count Value Remote Overflow
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Identity of this plugin and the advisory it covers.
      script_id(25492);
      script_version("1.16");
      script_cve_id("CVE-2007-3181");
      script_bugtraq_id(24436);
      script_name(english:"Firebird DataBase Server fbserver.exe p_cnct_count Value Remote Overflow");
      script_summary(english:"Detects if the Firebird database server is vulnerable to a stack overflow");
    
      # Report text shown to the user.
      script_set_attribute(attribute:"synopsis", value:"The remote database server allows execution of arbitrary code.");
      script_set_attribute(attribute:"description", value:
    "The version of Firebird installed on the remote host is vulnerable to
    a buffer overflow in its protocol handling routine.  By sending a
    specially crafted 'op_connect' request, a remote, unauthenticated
    attacker can execute code on the affected host with SYSTEM privileges.");
      script_set_attribute(attribute:"see_also", value:"http://dvlabs.tippingpoint.com/advisory/TPTI-07-11");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1cb912c4");
      script_set_attribute(attribute:"solution", value:"Upgrade to Firebird 2.0.1 or later.");
    
      # Scoring and exploit status.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # Dates, plugin type and affected product.
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/13");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/11");
      script_cvs_date("Date: 2018/07/11 17:09:24");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:firebirdsql:firebird");
      script_end_attributes();
    
      # Remote check: runs against the gds_db service located by firebird_detect.nasl.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Databases");
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
      script_dependencies("firebird_detect.nasl");
      script_require_ports("Services/gds_db");
    
      exit(0);
    }
    
    
    include("byte_func.inc");
    
    
    # Port of the Firebird/InterBase service recorded by firebird_detect.nasl
    # (declared as a dependency above); nothing to do if none was found or the
    # port is not open.
    port = get_kb_item("Services/gds_db");
    if (isnull(port))
      exit(0);
    
    
    if (!get_tcp_port_state(port))
      exit(0);
    
    
    soc = open_sock_tcp(port);
    if (!soc)
      exit(0);
    
    
    # Build a connect request.  Variable-length fields are NUL-padded to a
    # multiple of 4 bytes (pad1 for the database path, pad2 for the user-id
    # block); this matches an XDR-style encoding, though the protocol
    # definition itself is not visible here.  The path is a per-plugin dummy
    # name under /opt/firebird, not an existing database.
    path = string("/opt/firebird/", SCRIPT_NAME, ".gdb");
    if (strlen(path) % 4 == 0) pad1 = "";
    else pad1 = crap(data:raw_string(0x00), length:(4-(strlen(path)%4)));
    me = this_host_name();
    user = "nessus";
    # The user-id block below is strlen(user+me)+6 bytes long; +2 and +6 are
    # congruent mod 4, so this pads that block to a 4-byte boundary.
    if ((strlen(me+user)+2) % 4 == 0) pad2 = "";
    else pad2 = crap(data:raw_string(0x00), length:(4-((strlen(me+user)+2) % 4)));
    
    
    # Probe design: p_cnct_count is 13 and exactly 13 protocol entries follow
    # (12 filler entries of 5 dwords each, then one well-formed entry), so the
    # count matches the payload and this appears to be a behaviour fingerprint
    # rather than an attempt to trigger the overflow.  Per the author's note
    # below, a patched server refuses the 13th entry while an unpatched one
    # accepts it, and that accept reply is what is detected.
    req = 
      mkdword(1) +                          # p_operation (1 => connect)
      mkdword(0x13) +                       # p_cnct_operation
      mkdword(0x02) +                       # p_cnct_version
      mkdword(0x24) +                       # p_cnct_client
      mkdword(strlen(path)) + path + pad1 + # p_cnct_file
      mkdword(13) +                         # p_cnct_count (number of supported protocols)
    
      mkdword(strlen(user+me)+6) +          # p_cnct_user_id (length of the block that follows)
      mkbyte(0x01) +                        # user
      mkbyte(strlen(user)) + user +         # user running isql
      mkbyte(0x04) +                        # hostname
      mkbyte(strlen(me)) + me +             # my hostname
      mkbyte(6) + mkbyte(0) +               # password(?) -- original author's guess, unverified
      pad2 +                                # padding to a 4-byte boundary
    
      crap(data:'A', length:4*5*12) +       # 12 filler protocol entries (5 dwords each)
      mkdword(8) +                          # protocol entry 13 (well-formed)
      mkdword(1) +
      mkdword(2) +
      mkdword(3) +
      mkdword(2) ;
    
    # One request/response exchange; the socket is closed whether or not a
    # reply arrived (strlen() of an empty reply is 0 and fails the check below).
    send(socket:soc, data:req);
    res = recv(socket:soc, length:2048);
    close(soc);
    
    
    # A patched version rejects the well-formed protocol entry (entry 13), so
    # an 'accept' reply means the server is still unpatched.
    
    if (
      # response is 16 chars long and...
      strlen(res) == 16 &&
      # has an 'accept' opcode and...
      getdword(blob:res, pos:0) == 3 &&
      (
        # the remaining words are the values an isql client would be answered
        # with (they correspond to the 13th entry we sent).
        (
          getdword(blob:res, pos:4) == 8 && 
          getdword(blob:res, pos:8) == 1 && 
          getdword(blob:res, pos:12) == 3
        )
      )
    )
    {
      security_hole(port);
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1529.NASL
    description: Multiple security problems have been discovered in the Firebird database, which may lead to the execution of arbitrary code or denial of service. This Debian security advisory is a bit unusual. While it…
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38955
    published: 2008-03-28
    reporter: This script is (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38955
    title: Debian DSA-1529-1 : firebird -- multiple vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    # This script was automatically generated from Debian Security 
    # Advisory DSA-1529. It is released under the Nessus Script 
    # Licence.
    #
    # Debian Security Advisory DSA-1529 is (C) Software in the Public
    # Interest, Inc; see http://www.debian.org/license for details.
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Plugin identity and the advisory / CVEs it tracks.
      script_id(38955);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:21");
      script_cve_id("CVE-2006-7211", "CVE-2006-7212", "CVE-2006-7213", "CVE-2006-7214", "CVE-2007-2606", "CVE-2007-3181", "CVE-2007-3527", "CVE-2007-4664", "CVE-2007-4665", "CVE-2007-4666", "CVE-2007-4667", "CVE-2007-4668", "CVE-2007-4669", "CVE-2008-0387", "CVE-2008-0467");
      script_xref(name:"DSA", value:"1529");
      script_name(english:"Debian DSA-1529-1 : firebird -- multiple vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      # Report text, taken from the DSA.
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "Multiple security problems have been discovered in the Firebird
    database, which may lead to the execution of arbitrary code or denial
    of service. 
    
    This Debian security advisory is a bit unusual.  While it\'s normally
    our strict policy to backport security bugfixes to older releases,
    this turned out to be infeasible for Firebird 1.5 due to large
    infrastructural changes necessary to fix these issues.  As a
    consequence security support for Firebird 1.5 is hereby discontinued.");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2008/dsa-1529");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the firebird2.0 packages available at backports.org. 
    Version 2.0.3.12981.ds1-6~bpo40+1 fixes all known issues.");
    
      # Scoring, exploit status and weakness classes.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(20, 119, 189, 200, 264);
    
      # Plugin type, platform and dates.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/28");
      script_end_attributes();
    
      # Local check: depends on the dpkg listing gathered over SSH.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("debian_package.inc");
    
    
    # Preconditions: the SSH-based local checks must have collected the Debian
    # release and the dpkg package list; otherwise there is nothing to compare.
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/Debian/release")) exit(0, "The host is not running Debian.");
    if (!get_kb_item("Host/Debian/dpkg-l")) exit(1, "Could not obtain the list of installed packages.");
    
    # Per the advisory text above there is no fixed package for this release
    # (Firebird 1.5 support was discontinued), so each firebird2 package from
    # Debian 3.1 is compared against an artificially high reference version:
    # any installed copy is flagged.
    ref_version = "1.9.9-9sarge1";          # nb: any high value should work.
    pkg_prefixes = make_list(
      "firebird2-classic-server",
      "firebird2-dev",
      "firebird2-examples",
      "firebird2-server-common",
      "firebird2-super-server",
      "firebird2-utils-classic",
      "firebird2-utils-super",
      "libfirebird2-classic",
      "libfirebird2-super"
    );
    
    hits = 0;
    foreach pkg (pkg_prefixes)
    {
      if (deb_check(release:"3.1", prefix:pkg, reference:ref_version)) hits++;
    }
    
    if (!hits) exit(0, "The host is not affected.");
    
    if (report_verbosity > 0)
    {
      # Keep the installed-package lines of the dpkg report and drop the
      # "Should be :" lines (presumably the ones showing the artificial
      # reference version).
      # NOTE(review): 'max' is not defined anywhere in this script -- presumably
      # it comes from debian_package.inc; confirm, because an undefined name
      # here changes which report lines survive the filter.
      report = "";
      foreach line (split(deb_report_get(), keep:FALSE))
      {
        if (max >!< line && "Should be :" >!< line) report += line + '\n';
      }
      security_hole(port:0, extra:report);
    }
    else security_hole(0);
    exit(0);