CVE-2008-1880 - Credentials Management vulnerability in Firebird 2.0.3.12981.0

Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | NONE |
Availability impact | NONE |

Summary
The default configuration of Firebird before 2.0.3.12981.0-r6 on Gentoo Linux sets the ISC_PASSWORD environment variable before starting Firebird, which allows remote attackers to bypass SYSDBA authentication and obtain sensitive database information via an empty password.
Vulnerable Configurations

Part | Description | Count |
---|---|---|
OS | | 1 |
Application | | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200805-06.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200805-06 (Firebird: Data disclosure) Viesturs reported that the default configuration for Gentoo |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 32208 |
published | 2008-05-11 |
reporter | This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/32208 |
title | GLSA-200805-06 : Firebird: Data disclosure |

code

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200805-06.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(32208);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:44");

  script_cve_id("CVE-2008-1880");
  script_xref(name:"GLSA", value:"200805-06");

  script_name(english:"GLSA-200805-06 : Firebird: Data disclosure");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200805-06
(Firebird: Data disclosure)
    Viesturs reported that the default configuration for Gentoo's init
    script ('/etc/conf.d/firebird') sets the 'ISC_PASSWORD' environment
    variable when starting Firebird. It will be used when no password is
    supplied by a client connecting as the 'SYSDBA' user.
  Impact :
    A remote attacker can authenticate as the 'SYSDBA' user without
    providing the credentials, resulting in complete disclosure of all
    databases except for the user and password database (security2.fdb).
  Workaround :
    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200805-06"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Firebird users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=dev-db/firebird-2.0.3.12981.0-r6'
  Note: /etc/conf.d is protected by Portage as a configuration directory.
  Do not forget to use 'etc-update' or 'dispatch-conf' to overwrite the
  'firebird' configuration file, and then restart Firebird."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_cwe_id(255);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:firebird");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Flag the host if the installed dev-db/firebird is older than the fixed revision.
if (qpkg_check(package:"dev-db/firebird", unaffected:make_list("ge 2.0.3.12981.0-r6"), vulnerable:make_list("lt 2.0.3.12981.0-r6"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Firebird");
}
```
NASL family | Databases |
NASL id | FIREBIRD_ISC_PASSWORD_SET.NASL |
description | The version of Firebird on the remote host sets the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 32316 |
published | 2008-05-14 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/32316 |
title | Firebird on Gentoo Linux /etc/conf.d/firebird Invocation ISC_PASSWORD Authentication Bypass |

code

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(32316);
  script_version("1.12");

  script_cve_id("CVE-2008-1880");
  script_bugtraq_id(29123);
  script_xref(name:"GLSA", value:"200805-06");
  script_xref(name:"Secunia", value:"30162");

  script_name(english:"Firebird on Gentoo Linux /etc/conf.d/firebird Invocation ISC_PASSWORD Authentication Bypass");
  script_summary(english:"Tries to authenticate as SYSDBA with an empty password");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server allows remote connections to its
administrative account without a password." );
  script_set_attribute(attribute:"description", value:
"The version of Firebird on the remote host sets the 'ISC_PASSWORD'
environment variable before starting the database server and uses that
for remote client connections when a password is not supplied.

An attacker can leverage this issue to connect as 'SYSDBA' with an
empty password and gain access to any database on the affected host
except for 'security2.fdb', which holds the database user credentials." );
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=216158" );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/491871/30/0/threaded" );
  script_set_attribute(attribute:"solution", value:
"If running under Gentoo, use emerge to upgrade to
dev-db/firebird-2.0.3.12981.0-r6 or later.

Otherwise, ensure that the environment variables 'ISC_USER' and
'ISC_PASSWORD' are not set when starting the service." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(255);

  script_set_attribute(attribute:"plugin_publication_date", value: "2008/05/14");
  script_cvs_date("Date: 2018/11/15 20:50:21");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:firebirdsql:firebird");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  script_dependencies("firebird_detect.nasl");
  script_require_ports("Services/gds_db", 3050);

  exit(0);
}

include("byte_func.inc");
include("global_settings.inc");

port = get_kb_item("Services/gds_db");
if (!port) port = 3050;
if (!get_tcp_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

# Variable definitions.
db_user = "SYSDBA";
me = SCRIPT_NAME;
path = "/";
user = "nessus";

# Send a connection request.
req =
  mkdword(1) +
  mkdword(0x13) +
  mkdword(0x02) +
  mkdword(0x24) +
  mkdword(strlen(path)) + path +
    crap(data:raw_string(0), length:((4-(strlen(path)%4)))*(strlen(path)%4>0)) +
  mkdword(2) +
  mkdword(strlen(user+me)+6) +
    mkbyte(0x01) + mkbyte(strlen(user)) + user +
    mkbyte(0x04) + mkbyte(strlen(me)) + me +
    mkbyte(6) + mkbyte(0) +
    crap(data:raw_string(0), length:((4-((6+strlen(me+user))%4)))*((6+strlen(me+user))%4>0)) +
  mkdword(8) + mkdword(1) + mkdword(2) + mkdword(3) +
  mkdword(2) + mkdword(0x0a) + mkdword(1) + mkdword(2) + mkdword(3) + mkdword(4);
send(socket:soc, data:req);
res = recv(socket:soc, length:16);

# If the response contains an accept opcode...
if (strlen(res) == 16 && getdword(blob:res, pos:0) == 3)
{
  # nb: there's no password info here.
  dpb = mkbyte(1) + mkbyte(0x1c) + mkbyte(strlen(db_user)) + db_user;

  # Try to create the database.
  #
  # nb: '/' isn't a valid name and so the database isn't actually created.
  req =
    mkdword(0x14) +
    mkdword(0) +
    mkdword(strlen(path)) + path +
      crap(data:raw_string(0), length:((4-(strlen(path)%4)))*(strlen(path)%4>0)) +
    mkdword(strlen(dpb)) + dpb;
  req += crap(data:raw_string(0), length:((4-(strlen(req)%4)))*(strlen(req)%4>0));
  send(socket:soc, data:req);
  res = recv(socket:soc, length:64);

  # There's a problem if we get a response with an error involving CreateFile.
  if (
    strlen(res) >= 16 &&
    getdword(blob:res, pos:0) == 9 &&
    (
      "CreateFile (" >< res ||
      "open O_CREAT" >< res
    )
  )
  {
    security_hole(port);
  }
}
close(soc);
```
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 29123. CVE(CAN) ID: CVE-2008-1880. Firebird is a relational database that provides many ANSI SQL-92 features and runs on Linux, Windows and various Unix platforms. Gentoo's init script (/etc/conf.d/firebird) sets the ISC_PASSWORD environment variable by default when starting Firebird; the variable is used when a client connecting as the SYSDBA user supplies no password, which allows remote attackers to authenticate as SYSDBA without providing credentials and access every database other than the user and password database. Affected: Firebird 2.0.3.12981.0 on Gentoo. Gentoo has published a security advisory (GLSA-200805-06) and the corresponding patch for this issue: GLSA-200805-06: Firebird: Data disclosure, link: http://security.gentoo.org/glsa/glsa-200805-06.xml. All Firebird users should upgrade to the latest version: `# emerge --sync` followed by `# emerge --ask --oneshot -v ">=dev-db/firebird-2.0.3.12981.0-r6"` |
id | SSV:3283 |
last seen | 2017-11-19 |
modified | 2008-05-14 |
published | 2008-05-14 |
reporter | Root |
title | Firebird ISC_PASSWORD Environment Variable Unauthorized Access Vulnerability |