• Solutions
  • Solutions Overview
    • About Our Solutions
    • Determine Exposure to Real-World Threats
    • Perform Continual, Automated Testing
    • Assess Security Across IT Layers
    • Validate Security Controls
    • Connect Security Data to Business Risk
  • Solutions by Industry
    • Financial Services
    • Government
    • Health Care
      • Respond to the HITECH ACT
      • Validate HIPAA Compliance
      • Limit Unauthorized Insider Activities
      • Maximize limited security staffing
      • Drive down Web-based Security Risks
      • Insulate Your Networks from Unauthorized Devices
      • Diminish the Impact of Social Engineering
      • Validate security investments
    • Higher Education
      • Overview
      • Assess exposure to potential data breaches
      • Insulate networks from unmanaged devices
      • Limit unauthorized insider activities
      • Drive down web-based security risks
      • Maximize limited security staffing
      • Diminish the impact of social engineering
      • Validate security investments
      • Meet compliance demands
    • Retail
  • Solutions for Compliance
    • CAG
    • FFIEC
    • FISMA / NIST
      • NIST 800-137
      • NIST 800-39
      • NIST 800-53
    • GLBA
    • HIPAA
    • PCI
    • SOX
    • Validate Security Controls
• Products
  • Products Overview
  • CORE INSIGHT Enterprise
    Security Intelligence Solution
    • Overview
    • How It Works
    • Dashboards
    • Reports
    • What's New
    • Demos
      • CORE Insight Videos
    • Data Sheets and White Papers
    • Comparing CORE INSIGHT to CORE IMPACT
    • How to Buy
  • CORE IMPACT Pro
    Penetration Testing Software
    • Overview
    • What It Tests
      • End-User Security Awareness
      • Endpoint Systems
      • Mobile Devices
      • Network Devices
      • Network Systems
      • Web Applications
      • Wireless Networks
      • IPS/IDS, Firewalls and Other Defenses
      • Vulnerabilities Identified by Scanners
    • Commercial-Grade Exploits
      • Overview
      • Recent Exploits and Updates
      • How Our Exploits Work
      • About Our Client-Side Exploits
      • About Our Agents
    • Vulnerability Scanner Integration
    • Reporting
    • What's New
      • Version 12.3
      • Version 12
      • Version 11
    • Demos
      • Impact
    • Data Sheets, White Papers and Other Resources
    • Intro To Penetration Testing
      • What Is Penetration Testing?
      • Comparing Security Testing Options
      • What To Look For
      • Independent Penetration Testing Resources
      • Conducting Penetration Tests
    • Comparing CORE IMPACT to CORE INSIGHT
    • Training, Certification and Support
    • How to Buy
  • Core WebVerify Web
    Application Security Testing Software
    • Overview
    • Web Application Vulnerability Coverage
    • WebVerify vs. Scanners
    • Reveal Implications of Application Vulnerabilities
  • Core CloudInspect Cloud Security Testing for AWS
  • Demos and Evaluations
  • The Research Behind Our Products
  • Why Our Products are Safe
  • How to Buy
• Services
  • Services Overview
  • Core Security Consulting
    Services
    • Overview
    • Comprehensive Penetration Testing
    • Application Penetration Testing
    • Web Services Security Assessment
    • Source Code Auditing
    • Wireless Penetration Testing
    • Leading-Edge Technology Testing
    • How to Buy
  • CORE IMPACT Professional Services
    • Overview
    • Web Application Penetration Testing Services
    • Network Penetration Testing Services
    • Client-Side Penetration Testing Services
    • Wireless Network Penetration Testing Services
    • Benefits
    • How to Buy
• CoreLabs Research
  • CoreLabs Overview
  • Research Projects
  • Advisories
  • Publications
    • Presentations and Papers
    • Journals and Magazines
    • Internet Articles
  • Open Source Projects
  • CoreLabs Extranet Site
• News & Events
  • News & Events Overview
  • Events and Webcasts
    • Webcasts
    • Conferences
    • Speaking Engagements
  • News
    • Press Releases
    • In The News
  • Reviews
  • Awards
• Partners
  • Partners Overview
  • Strategic Partners
    • Business Partners
    • Technology Partners
  • Training Partners
    • CICT Training and Certification
  • Using Core's Products in Your Consulting Practice
• Company
  • Company Overview
  • Management Team
  • Board of Directors
  • Customers
    • Success Stories
  • Careers
  • Contact Us
• Blog
• Customer Portal

• CoreLabs Research

• CoreLabs Overview

• Research Projects

• Advisories

• Publications
  • Presentations and Papers
  • Journals and Magazines
  • Internet Articles

• Open Source Projects

• CoreLabs Extranet Site

SHARE

1. Advisory Information

Title: Firebird SQL op_connect_request main listener shutdown vulnerability
Advisory ID: CORE-2009-0707
Advisory URL: http://www.coresecurity.com/content/firebird-sql-dos
Date published: 2009-07-28
Date of last update: 2009-07-28
Vendors contacted: Firebird SQL
Release mode: Coordinated release

2. Vulnerability Information

Class: Denial of service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 35842
CVE Name: CVE-2009-2620

3. Vulnerability Description

Firebird SQL [1] is an open source relational database management system offering many ANSI SQL standard features that runs on Linux, Windows, and a variety of Unix platforms.

A remote denial of service vulnerability has been found in Firebird SQL, which can be exploited by a remote attacker to force the server to close the socket where it is listening for incoming connections and to enter an infinite loop, by sending an unexpected op_connect_request message with invalid data to the server.

4. Vulnerable packages

• Firebird SQL v1.5.5
• Firebird SQL v2.0.1
• Firebird SQL v2.0.5
• Firebird SQL v2.1.1
• Firebird SQL v2.1.2
• Firebird SQL v2.1.3 RC1
• Firebird SQL v2.5.0 Beta 1

5. Non-vulnerable packages

• Firebird SQL v2.1.3 Release Candidate 2 (estimated release: July 2009)
• Firebird SQL v2.5 Beta 2 (estimated release: July 2009)
• Firebird SQL v1.5.6 (estimated release: August 2009)
• Firebird SQL v2.0.6 (estimated release: October 2009)

Please build a fresh CVS checkout to have a fixed version sooner.

6. Vendor Information, Solutions and Workarounds

The issue is resolved in all branches of the Firebird SQL repository. It is registered in the Firebird SQL bug tracker as:
http://tracker.firebirdsql.org/browse/CORE-2563

7. Credits

This vulnerability was discovered and researched by Francisco Falcon from Core Security Technologies.

8. Technical Description / Proof of Concept Code

8.1. Introduction

Firebird SQL is an open source relational database management system offering many ANSI SQL standard features that runs on Linux, Windows and a variety of Unix platforms.

A remote denial of service can be triggered by an unauthenticated attacker, by sending an unexpected op_connect_request message with invalid data of length greater than or equal to 12 bytes to the server.

Inside the server (src/remote/server.cpp), the function process_packet2() processes a packet received from a client. This function has a switch statement that considers all the possible opcodes defined in the protocol (see P_OP enum in src/remote/protocol.h).

In the case of an op_connect_request packet, the execution flow goes to the following case in the switch statement:

After calling aux_request() function and executing the break statement, execution lands here:

By debugging the fbserver.exe binary when it receives an op_connect_request packet, we can see that the conditions of the first if statement are satisfied, but the condition of the second if is not, so execution flow goes to the port->disconnect() call:

The type of port is struct rem_port, as defined in src/remote/remote.h. This struct type has a disconnect() function that is implemented in src/remote/server.cpp:

Inside this function, the following code is executed, in order to free both the sent and received packets and to close the corresponding sockets:

That call to this->disconnect() will ultimately lead to the disconnect() function in src/remote/inet.cpp. This function is intended to break a remote connection, and receives a rem_port structure as parameter.

In the first place, the function closes the connection established by the client, by calling the shutdown function:

After that, as a comment line states, if the current rem_port structure being disconnected is a child of another rem_port structure, it recursively calls disconnect() to disconnect the rem_port stored at port->port_async. port_async is a member of rem_port struct that describes an asynchronous sibling port.

But when that recursive call to disconnect() is made, the port->port_async passed as parameter to be disconnected corresponds to the main server socket, that is, the socket listening for incoming connections on port 3050/TCP. Once in the recursive call, shutdown() and closesocket() functions are invoked, making the server to stop listening on the default port 3050/TCP, thus denying the service to legitimate users.

8.2. Remarks

As a side effect, the fbserver.exe process will enter an infinite loop, consuming 100% CPU time.

On Windows platform, in a default installation, Firebird SQL server is installed as a Windows service, and another service (the Firebird Guardian) runs together with the server, in order to automatically restart the fbserver.exe process if it crashes or stops running abnormally. However, in this case the Firebird Guardian is unable to detect the denial of service condition, because the server does not crash nor stops running.

In Firebird SQL 1.5.5 the behavior is different; the server will crash inside the aux_request() function in src/remote/server.cpp due to a null pointer dereference, instead of silently shutting down its listener port. The problem arises when port->port_context (which has a NULL value at this point) is loaded into rdb variable and then, at line 885, it is used as a pointer without properly checking that it points to a valid memory address:

8.3. Proof of concept

The following Python script will trigger the denial of service condition on Firebird SQL, by sending an op_connect_request packet with invalid data of length greater than or equal to 12 bytes.

9. Report Timeline

• 2009-07-15: Core Security Technologies notifies the Firebird team of the vulnerability.
• 2009-07-16: Firebird team requests technical details in plaintext.
• 2009-07-16: Core sends the advisory draft, including technical details.
• 2009-07-20: Firebird team notifies that the issue is resolved in all branches of the Firebird repository [2]. Technical details will be publicly visible when Core releases its advisory. Firebird team notices that Firebird version 1.5.5 (marked as non vulnerable in the advisory draft) seems to be affected.
• 2009-07-27: Core sends the final version of the advisory to the Firebird team.
• 2009-07-28: The advisory CORE-2009-0707 is published.

10. References

[1] http://www.firebirdsql.org
[2] http://tracker.firebirdsql.org/browse/CORE-2563

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.