Vulnerabilities > CVE-2008-0387 - Numeric Errors vulnerability in Firebirdsql Firebird
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
Integer overflow in Firebird SQL 1.0.3 and earlier, 1.5.x before 1.5.6, 2.0.x before 2.0.4, and 2.1.x before 2.1.0 RC1 might allow remote attackers to execute arbitrary code via crafted (1) op_receive, (2) op_start, (3) op_start_and_receive, (4) op_send, (5) op_start_and_send, and (6) op_start_send_and_receive XDR requests, which triggers memory corruption.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
| description | Firebird 2.0.3 Relational Database 'protocol.cpp' XDR Protocol Remote Memory Corruption Vulnerability. CVE-2008-0387. Remote exploits for multiple platform |
| id | EDB-ID:31050 |
| last seen | 2016-02-03 |
| modified | 2008-01-28 |
| published | 2008-01-28 |
| reporter | Damian Frizza |
| source | https://www.exploit-db.com/download/31050/ |
| title | Firebird <= 2.0.3 Relational Database 'protocol.cpp' XDR Protocol Remote Memory Corruption Vulnerability |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200803-02.NASL description The remote host is affected by the vulnerability described in GLSA-200803-02 (Firebird: Multiple vulnerabilities) Firebird does not properly handle certain types of XDR requests, resulting in an integer overflow (CVE-2008-0387). Furthermore, it is vulnerable to a buffer overflow when processing usernames (CVE-2008-0467). Impact : A remote attacker could send specially crafted XDR requests or an overly long username to the vulnerable server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 31329 published 2008-03-04 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31329 title GLSA-200803-02 : Firebird: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1529.NASL description Multiple security problems have been discovered in the Firebird database, which may lead to the execution of arbitrary code or denial of service. This Debian security advisory is a bit unusual. While it\ last seen 2020-06-01 modified 2020-06-02 plugin id 38955 published 2008-03-28 reporter This script is (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/38955 title Debian DSA-1529-1 : firebird -- multiple vulnerabilities
Packetstorm
| data source | https://packetstormsecurity.com/files/download/63047/CORE-2007-1219.txt |
| id | PACKETSTORM:63047 |
| last seen | 2016-12-05 |
| published | 2008-01-28 |
| reporter | Core Security Technologies |
| source | https://packetstormsecurity.com/files/63047/Core-Security-Technologies-Advisory-2007.1219.html |
| title | Core Security Technologies Advisory 2007.1219 |
Seebug
bulletinFamily exploit description BUGTRAQ ID: 27403 CVE(CAN) ID: CVE-2008-0387 Firebird是一款提供多个ANSI SQL-92功能的关系型数据库,可运行在Linux、Windows和各种Unix平台下。 Firebird在处理畸形格式的数据时存在漏洞,远程攻击者可能利用此漏洞导致拒绝服务。 如果Firebird的协议解析器(src/remote/protocol.cpp)接受到了任何带有有效数据的以下操作的时候: op_receive op_start op_start_and_receive op_send op_start_and_send op_start_send_and_receive 解析器在使用某些变量之前没有执行正确的过滤,在src/remote/protocol.cpp文件中未经验证便直接将以下报文缓冲区分配给了数据结构(MAP宏没有任何范围检查): src/remote/protocol.cpp:417 MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request)); MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation)); MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction)); MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number)); /* Changes to this op's protocol must mirror in xdr_protocol_overhead */ return xdr_request(xdrs, data->p_data_request, data->p_data_message_number, data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p); 然后在xdr_request()函数中,使用data->p_data_request变量(request_id)作为数组的索引: ... rrq* request = (rrq*) port->port_objects[request_id]; ... 这会触发内存结构破坏,导致服务器崩溃或执行任意代码。data->p_data_message_number变量也存在类似的问题。 Firebird Firebird SQL 2.1.0 Beta 2 Firebird Firebird SQL 2.0.3 Firebird Firebird SQL 1.5.5 Firebird Firebird SQL 1.0.3 厂商补丁: Firebird -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://firebirdsql.org/index.php?op=files&id=fb210_RC1 target=_blank>http://firebirdsql.org/index.php?op=files&id=fb210_RC1</a> id SSV:2876 last seen 2017-11-19 modified 2008-01-30 published 2008-01-30 reporter Root source https://www.seebug.org/vuldb/ssvid-2876 title Firebird关系数据库protocol.cpp XDR协议远程内存破坏漏洞 bulletinFamily exploit description BUGTRAQ ID: 28403 CVE ID:CVE-2008-0387 CNCVE ID:CNCVE-20080387 Firebird Relational Database是一款关系型数据库。 Firebird Relational Database管理器处理XDR协议上部分标签时存在整数溢出,远程攻击者可以利用漏洞以应用程序进程权限执行任意指令。 当(src/remote/protocol.cpp)解析器接收到如下非法数据的操作时: op_receive op_start op_start_and_receive op_send op_start_and_send op_start_send_and_receive 解析器在变量使用前不正确过滤,可以看到src/remote/protocol.cpp中,如下的指派直接来自报文缓冲区,并在没有任何验证情况下直接到数据接口中(MAP宏没有任何范围检查): src/remote/protocol.cpp:417 MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request)); MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation)); MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction)); MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number)); /* Changes to this op's protocol must mirror in xdr_protocol_overhead */ return xdr_request(xdrs, data->p_data_request, data->p_data_message_number, data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p); 在函数xdr_request()中,变量data->p_data_request (as request_id)用于索引数组: ... rrq* request = (rrq*) port->port_objects[request_id]; ... 破坏内存结构,可引起服务程序拒绝服务。在变量data->p_data_message_number中存在同样状况。 Gentoo Linux Firebird Firebird 2.0.3 Firebird Firebird 2.0.2 Firebird Firebird 2.0.1 Firebird Firebird 1.5.5 Firebird Firebird 1.5.4 Firebird Firebird 1.0.3 + FreeBSD FreeBSD 4.8 + FreeBSD FreeBSD 4.7 + FreeBSD FreeBSD 4.6 Firebird Firebird 2.1 Beta 2 Firebird Firebird 2.0 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Firebird 1.56, 2.0.4, 和2.1.0 RC1已经修正此漏洞: <a href=http://www.firebirdsql.org/ target=_blank>http://www.firebirdsql.org/</a> id SSV:3104 last seen 2017-11-19 modified 2008-03-29 published 2008-03-29 reporter Root source https://www.seebug.org/vuldb/ssvid-3104 title Firebird关系数据库'protocol.cpp' XDR协议远程内存破坏漏洞
References
- http://secunia.com/advisories/29203
- http://secunia.com/advisories/29501
- http://security.gentoo.org/glsa/glsa-200803-02.xml
- http://securityreason.com/securityalert/3580
- http://sourceforge.net/project/shownotes.php?group_id=9028&release_id=570800
- http://tracker.firebirdsql.org/browse/CORE-1681
- http://www.coresecurity.com/?action=item&id=2095
- http://www.debian.org/security/2008/dsa-1529
- http://www.securityfocus.com/archive/1/487173/100/0/threaded
- http://www.securityfocus.com/bid/27403
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39996