Bug 9322 - CVE-2013-2492 Firebird: CNCT info remote stack buffer overflow
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/543278/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Reported: 2013-03-10 21:45 CET by Philippe Makowski
Modified: 2013-04-02 22:07 CEST
Source RPM: firebird-2.5.2.26539.0-6

Description Philippe Makowski 2013-03-10 21:45:02 CET
Spencer McIntyre reports:

The FirebirdSQL server is vulnerable to a stack buffer overflow that can be
triggered when an unauthenticated user sends a specially crafted packet. The
result can lead to remote code execution as the user which runs the FirebirdSQL
server. 

Alexander Peshkov adds:

The reason is a bug when extracting a group number from the CNCT info sent by
the client. The size of the received data was not checked. The bug has existed
since the earliest days of Firebird.

The main irony here is that this group info was never used later in the code, 
and therefore was cleaned up in the trunk. I.e. trunk does not require fixing. 

This is fixed in snapshot builds, build numbers are 26623 for v2.5 and 18514 
for v2.1. Fix available in upstream SVN repository for B2_5_Release branch
(revision 57728).

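The unchecked length that the report describes, shown as an added C example; this is not Firebird's source and is not part of the bug report. It parses a CNCT-style block of <tag><length><value> items with a one-byte length, rejects any item whose declared length runs past the end of the block, and rejects a group value that does not fit the 4-byte gid field, which is the check the report says was missing. The tag numbers, field sizes and sample blocks are constructed for the example.

```c
/* Added example, not Firebird source: bounds-checked parser for a
 * CNCT-style block of <tag><length><value> items (one-byte length).
 * Tag numbers, field sizes and sample blocks are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag numbers; Firebird's real constants are not reproduced. */
enum { CNCT_USER = 1, CNCT_HOST = 4, CNCT_GROUP = 5 };

enum cnct_status {
    CNCT_OK = 0,
    CNCT_ERR_TRUNCATED = 1,   /* a declared length runs past the block */
    CNCT_ERR_GROUP_LEN = 2    /* group value does not fit the 4-byte gid */
};

struct cnct_info {
    char user[33];
    char host[65];
    int32_t gid;
    int have_gid;
};

/* Copy at most cap-1 bytes and always NUL-terminate: truncate, never overflow. */
static void copy_bounded(char *dst, size_t cap, const uint8_t *src, size_t n)
{
    if (n >= cap)
        n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Two checks matter: each item's declared length against the bytes that
 * remain, and the group value's length against sizeof(gid) before any copy.
 * The report describes the second as the missing one; the unchecked pattern
 * is, in effect, memcpy(&gid, p, vlen) with vlen attacker-chosen up to 255
 * and gid a 4-byte stack variable. */
enum cnct_status parse_cnct_info(const uint8_t *p, size_t len, struct cnct_info *out)
{
    const uint8_t *end = p + len;

    memset(out, 0, sizeof *out);
    while (p < end) {
        if (end - p < 2)                      /* need tag and length bytes */
            return CNCT_ERR_TRUNCATED;
        uint8_t tag = p[0];
        size_t vlen = p[1];
        p += 2;
        if ((size_t)(end - p) < vlen)         /* value runs past the block */
            return CNCT_ERR_TRUNCATED;

        switch (tag) {
        case CNCT_USER:
            copy_bounded(out->user, sizeof out->user, p, vlen);
            break;
        case CNCT_HOST:
            copy_bounded(out->host, sizeof out->host, p, vlen);
            break;
        case CNCT_GROUP:
            if (vlen != sizeof out->gid)      /* the check the bug lacked */
                return CNCT_ERR_GROUP_LEN;
            /* Decoded as little-endian so the example is portable; the
             * original copied raw bytes. */
            out->gid = (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
            out->have_gid = 1;
            break;
        default:                              /* unknown tag: skip its value */
            break;
        }
        p += vlen;
    }
    return CNCT_OK;
}

/* Constructed benign block: user "alice", host "db1", gid 1000. */
const uint8_t benign_block[] = {
    CNCT_USER, 5, 'a', 'l', 'i', 'c', 'e',
    CNCT_HOST, 3, 'd', 'b', '1',
    CNCT_GROUP, 4, 0xE8, 0x03, 0x00, 0x00
};

/* Build a constructed block whose group item claims the maximum 255 bytes,
 * the kind of length an unchecked memcpy into a 4-byte integer would smash
 * the stack with. Returns the block length, or 0 if buf is too small. */
size_t build_oversized_group_block(uint8_t *buf, size_t cap)
{
    if (cap < 2 + 255)
        return 0;
    buf[0] = CNCT_GROUP;
    buf[1] = 255;
    memset(buf + 2, 'A', 255);
    return 2 + 255;
}

int main(void)
{
    struct cnct_info info;
    uint8_t crafted[300];
    size_t n = build_oversized_group_block(crafted, sizeof crafted);
    enum cnct_status st = parse_cnct_info(benign_block, sizeof benign_block, &info);

    printf("benign:  status=%d user=%s host=%s gid=%d\n",
           (int)st, info.user, info.host, (int)info.gid);
    st = parse_cnct_info(crafted, n, &info);
    printf("crafted: status=%d (CNCT_ERR_GROUP_LEN=%d)\n", (int)st, (int)CNCT_ERR_GROUP_LEN);
    return 0;
}
```

Run stand-alone it prints the parse status for the benign block and for a block whose group item claims 255 bytes; the crafted block is rejected with CNCT_ERR_GROUP_LEN before anything is copied, where the unchecked pattern would have written 251 bytes past a 4-byte stack variable.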
Comment 1 Philippe Makowski 2013-03-10 22:03:21 CET
Updates should be available for Mageia 2 and Cauldron.
Comment 2 Manuel Hiebel 2013-03-11 20:00:15 CET
Then you can reassign to QA. 
https://wiki.mageia.org/en/Updates_policy
Comment 3 claire robinson 2013-03-12 12:52:57 CET
Philippe we need srpm and rpms listing please.
Comment 4 Philippe Makowski 2013-03-12 19:45:45 CET
sorry
main package is firebird-2.5.2.26539-2.mga2
(seems that cauldron is not pushed yet)

SRPM: firebird-2.5.2.26539-2.mga2.src.rpm
-----------------------------------------
firebird-classic
firebird-devel
firebird
firebird-server-classic
firebird-server-common
firebird-server-superserver
firebird-superclassic
firebird-superserver
firebird-utils-classic
firebird-utils-common
firebird-utils-superserver
lib64fbclient2
lib64fbembed2
Comment 5 David Walser 2013-03-18 21:52:43 CET
Debian has issued an advisory for this on March 15:
http://www.debian.org/security/2013/dsa-2648

It also lists CVE-2012-5529, but the CVE entry says that affects 2.5.0 and 2.5.1.

Also, firebird has now been pushed in Cauldron.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
http://www.debian.org/security/2013/dsa-2648
http://tracker.firebirdsql.org/browse/CORE-4058
Comment 6 Philippe Makowski 2013-03-18 22:01:55 CET
I confirm CVE-2012-5529 was fixed in firebird 2.5.2 http://tracker.firebirdsql.org/browse/CORE-3884
Mageia 2 and cauldron packages were only affected by CVE-2013-2492
Comment 7 claire robinson 2013-03-21 14:57:09 CET
PoC: attached to http://tracker.firebirdsql.org/browse/CORE-4058
Comment 8 claire robinson 2013-03-21 15:23:05 CET
Testing x86_64

Before
------

Confirmed the crash using bof.py

# service firebird-superserver start
Starting firebird-superserver (via systemctl):                   [  OK  ]

# watch -n 1 "ps u -C fbserver"

In a separate terminal tab

$ python bof.py localhost

Noticed that the process ID of fbserver changes each time bof.py is run.
fbguard restarts it instantly IINM. Ctrl-C to exit 'watch'.

After
-----
# service firebird-superserver restart
Restarting firebird-superserver (via systemctl):                [  OK  ]
# watch -n 1 "ps u -C fbserver"

$ python bof.py localhost

PID remains unchanging so server is no longer crashing.
Comment 9 claire robinson 2013-03-21 15:45:40 CET
Philippe can you recommend a basic way to test firebird itself?

from /usr/share/doc/firebird-server-common/firebird.mga.releasenote

# gsec -user sysdba -pass masterkey -mo sysdba -pw icuryy4me
Warning - maximum 8 significant bytes of password used
use gsec -? to get help
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
unable to open database
Comment 10 claire robinson 2013-03-21 15:57:21 CET
Docs say this should create a user and database but it doesn't seem to.

$ isql-fb -u testuser -p testpassword

SQL> create database 'testdb';
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.

SQL> quit;
Comment 11 claire robinson 2013-03-21 16:06:08 CET
$ isql-fb -user sysdba -pass masterkey
Use CONNECT or CREATE DATABASE to specify a database
SQL> create user sonny password 'cher_ie';
Use CONNECT or CREATE DATABASE to specify a database
SQL> alter user sonny password 'anewpass';
Use CONNECT or CREATE DATABASE to specify a database
SQL> quit;

$ isql-fb -user sonny -pass anewpass
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'testdb';
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
Comment 12 claire robinson 2013-03-21 16:10:28 CET
Following the procedure from the last update has the same result.
https://bugs.mageia.org/show_bug.cgi?id=8046#c0

$ isql-fb localhost:employee -user SYSDBA -password masterkey
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
Use CONNECT or CREATE DATABASE to specify a database
SQL>
Comment 13 claire robinson 2013-03-21 16:47:55 CET
False alarm, problem solved. It must have had old data.
Cured by deleting /var/lib/firebird after uninstalling.

Tested OK with the previous procedure from bug 8046
Comment 14 claire robinson 2013-03-21 16:56:17 CET
Testing complete mga2 32

Validating

Advisory
-----------
The FirebirdSQL server is vulnerable to a stack buffer overflow that can be
triggered when an unauthenticated user sends a specially crafted packet. The
result can lead to remote code execution as the user which runs the FirebirdSQL
server. (CVE-2013-2492)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
http://www.debian.org/security/2013/dsa-2648
http://tracker.firebirdsql.org/browse/CORE-4058
----------------

SRPM: firebird-2.5.2.26539-2.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 15 Thomas Backlund 2013-04-02 22:07:38 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0102
