advisory-18.txt

advisory-18.txt
Posted Mar 13, 2006
Authored by Joxean Koret

A buffer overflow and installation script error in firebird 1.5.3 could lead to system compromise.

tags | advisory, overflow
SHA-256 | 6f73336e46aae3d245c51d99b29e87b451e578c58987b15299903772928e5ac6

---------------------------------------------------------------------------
Buffer Overflow and Installation Script Error in Firebird 1.5.3
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005-02-18
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Product: Firebird
Vulnerable Version: 1.5.2.4731

Description:

Firebird is a relational database offering many ANSI SQL-99 features that runs
on Linux, Windows, and a variety of Unix platforms. Firebird offers excellent
concurrency, high performance, and powerful language support for stored
procedures and triggers. It has been used in production systems, under a variety
of names since 1981.

Web : http://firebird.sourceforge.net

---------------------------------------------------------------------------

Vulnerability List:
~~~~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecessarily
B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

Vulnerabilities:
~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecessarily

- The installation script of Firebird 1.5.2 makes the binaries fb_inet_server
and fbserver suid firebird, but this is unnecessary. If you take a look at the
install script "firebird1.5.2.XXXX/scripts/postinstall.sh" you will see the
following lines:

(...)
# SUID is still needed for group direct access. General users
# cannot run though.
for i in fb_lock_mgr gds_drop fb_inet_server
do
    if [ -f $i ]
    then
        chmod ug=rx,o= $i
        chmod ug+s $i
    fi
done
(...)

but, as the author says, fb_inet_server (at least) doesn't need to be suid firebird.
The following is a fragment of the response from Alex Peshkov (a Firebird developer)
about this problem:

They need not and should not be set*id. And in the standard precompiled
binaries fbserver is not setuid. But for reasons unknown to me
fb_inet_server is made setuid 'firebird' by the install script (the Debian guys
fixed it, I think). I noticed it, unfortunately, after the release of
1.5.2, but will definitely fix it in future releases. Besides the security
vulnerability, this brings an additional problem when one wants to change the
fb_inet_server run-user: changing only the xinetd.d entry is not enough.

- Debian distributions are not vulnerable to this problem. As Alex Peshkov says,
the Debian people have already fixed it.

B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

- The '-p' argument to the fb_inet_server and fbserver binaries is vulnerable
to a buffer overflow. If a string of more than 150 characters is passed to the
'-p' parameter of either of these binaries, the program crashes with a
"Segmentation Fault" message.

- The following is a test of the vulnerability:

/usr/lib/firebird2/bin$ ls
fb_lock_print fbguard fbmgr fbmgr.bin fbserver gsec
/usr/lib/firebird2/bin$ ./fbserver -p `perl -e 'print "a"x155;'`1234
Segmentation fault

The program dies abruptly. The bytes passed from position 155 to 159
overwrite the return address:

/usr/lib/firebird2/bin$ gdb ./fbserver
GNU gdb 6.3
(...)
(gdb) run -p `perl -e 'print "a"x155;'`4321
Starting program: /usr/lib/firebird2/bin/fbserver -p `perl -e 'print
"a"x155;'`4321
(...)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210892160 (LWP 25358)]
0x31323334 in ?? ()

We have overwritten the return address with the bytes 0x31 0x32 0x33 0x34,
which are the characters "4321" read in reverse order (the string is stored
little-endian on x86, so the register shows it reversed).

(gdb) where
#0 0x31323334 in ?? ()
#1 0x08233496 in ?? ()
#2 0x00000000 in ?? ()
#3 0xbffff9b0 in ?? ()
#4 0x00006161 in ?? ()
#5 0x00000000 in ?? ()
#6 0x00000000 in ?? ()
#7 0x00000000 in ?? ()
#8 0x00000000 in ?? ()
#9 0x00000000 in ?? ()
#10 0xbffff9b0 in ?? ()
#11 0x00000000 in ?? ()
#12 0x00000000 in ?? ()
#13 0x00000000 in ?? ()
#14 0xbffffb04 in ?? ()
#15 0x0804e370 in ?? ()
#16 0x00000000 in ?? ()
#17 0xbffffd50 in ?? ()
#18 0x00000000 in ?? ()
#19 0x00000000 in ?? ()
#20 0x00000000 in ?? ()
#21 0x00000000 in ?? ()
#22 0x00000000 in ?? ()

Notes:
~~~~~~

- Various other problems, not discovered by me, have been fixed in the 1.5.3
version. I encourage upgrading to the newest version as soon as possible.

Patches for the 1.5.2 version:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- The following are patches to solve ONLY the problems that I have found.

Patch for installation script:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------------------START OF THE PATCH----------------------------
--- scripts/postinstall.sh 2005-03-25 14:24:40.091819144 +0100
+++ scripts/postinstall.sh.corrected 2005-03-25 14:08:47.777592912 +0100
@@ -401,7 +401,7 @@

# SUID is still needed for group direct access. General users
# cannot run though.
- for i in fb_lock_mgr gds_drop fb_inet_server
+ for i in fb_lock_mgr gds_drop
do
if [ -f $i ]
then
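Review bot: dropping fb_inet_server from the loop stops new installs from setting the bit, but a system upgraded over an existing 1.5.2 install still has a setuid fb_inet_server on disk; the script should also clear it explicitly, e.g. `[ -f fb_inet_server ] && chmod u-s fb_inet_server`, so the fix is effective on upgrades as well as fresh installs. fbserver does not appear in this loop at all, which is consistent with the developer's statement above that the precompiled fbserver is not setuid.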
@@ -508,7 +508,7 @@

# SUID is still needed for group direct access. General users
# cannot run though.
- for i in fb_lock_mgr gds_drop fb_inet_server
+ for i in fb_lock_mgr gds_drop
do
if [ -f $i ]
then
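Review bot: this is the same loop duplicated at line 508 and both copies had to be patched identically; factoring the list into one variable (e.g. `SUID_BINS="fb_lock_mgr gds_drop"`) used by both loops would prevent a future change from fixing one copy and missing the other, which is exactly how this kind of permission bug survives.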
---------------------END OF THE PATCH------------------------------


Patch for fb_inet_server and/or fbserver buffer overflow:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------------------START OF THE PATCH----------------------------
--- src/remote/inet_server.cpp 2004-09-29 12:03:39.000000000 +0200
+++ src/remote/inet_server.cpp.corrected 2005-03-25 14:17:59.698688152 +0100
@@ -32,7 +32,7 @@
*
*/
/*
-$Id: inet_server.cpp,v 1.26.2.2 2004/09/29 10:03:39 paul_reeves Exp $
+$Id: inet_server.cpp,v 1.26.2.3 2005/03/23 12:59:25 alexpeshkoff Exp $
*/
#include "firebird.h"
#include "../jrd/ib_stdio.h"
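Review bot: the `$Id` line is CVS keyword metadata that the repository rewrites on commit; including it in the patch adds nothing functional and will produce a spurious reject when the patch is applied to a checkout whose keyword line differs. The hunk can be dropped.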
@@ -277,7 +277,10 @@
break;

case 'P':
- sprintf(protocol, "/%s", *argv++);
+ protocol[0] = '/';
+ protocol[1] = 0;
+ strncat(protocol, *argv++,
+ sizeof(protocol) - strlen(protocol) - 1);
break;

case 'H':
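Review bot: the bound `sizeof(protocol) - strlen(protocol) - 1` is correct only because `protocol` is a real array in this function; if it were a pointer parameter, `sizeof` would silently yield 4 or 8. Worth a comment, or replace the three lines with `snprintf(protocol, sizeof(protocol), "/%s", *argv++);` and check its return value, because strncat here truncates an over-long -p value without any diagnostic, so the server would start with a mangled protocol name. The hunk also dereferences `*argv++` without a visible check that a value follows -p; if that guard lives outside the hunk, fine, otherwise `-p` as the last argument reads past argv.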
@@ -407,12 +410,9 @@

/* before starting the superserver stuff change directory to tmp */
if (CHANGE_DIR(TEMP_DIR)) {
- char err_buf[1024];
-
/* error on changing the directory */
- sprintf(err_buf, "Could not change directory to %s due to errno %d",
+ gds__log("Could not change directory to %s due to errno %d",
TEMP_DIR, errno);
- gds__log(err_buf);
}

/* Server tries to attash to security.fdb to make sure everything is OK
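Review bot: passing the format string and its arguments straight to `gds__log` assumes it is printf-style variadic; the removed code formatted into `err_buf` and then handed that buffer to `gds__log` as its first argument, which is the classic pattern that becomes a format-string bug whenever the message can contain '%' (harmless here since TEMP_DIR is a constant, but the new form is the right one). Note also that the error path only logs: after a failed `CHANGE_DIR` the server carries on in its original working directory, which should be a deliberate decision stated in the comment.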
---------------------END OF THE PATCH------------------------------
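The bounded copy used by the inet_server.cpp patch above, as an added example that is not Firebird's code: build_protocol mirrors the strncat construction and reports truncation, build_protocol_snprintf shows the snprintf form a reviewer would suggest instead, and oversized_arg_rejected feeds it the advisory's 155 'a' + "1234" input. PROTOCOL_SIZE (128) is an assumed buffer size; the advisory does not give the real one.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not Firebird's code. PROTOCOL_SIZE is an assumed size;
 * the advisory only says that more than 150 bytes crashed the server. */
#define PROTOCOL_SIZE 128

/* Same construction as the patched inet_server.cpp: "/" then the argument,
 * appended with strncat bounded by the free space minus the NUL. The patch
 * may use sizeof(protocol) since protocol is an array there; a function
 * taking a pointer must be told the size. Returns 1 if it fitted, 0 if cut. */
int build_protocol(char *protocol, size_t size, const char *arg)
{
    protocol[0] = '/';
    protocol[1] = '\0';
    strncat(protocol, arg, size - strlen(protocol) - 1);
    /* strncat always NUL-terminates, so no overflow; a short result means truncation. */
    return strlen(protocol) == strlen(arg) + 1;
}

/* snprintf equivalent: its return value is the length that would have been
 * written, so n >= size means the argument did not fit. */
int build_protocol_snprintf(char *protocol, size_t size, const char *arg)
{
    int n = snprintf(protocol, size, "/%s", arg);
    return n >= 0 && (size_t)n < size;
}

/* Refuse an oversized -p value instead of starting with a mangled name. */
int accept_p_option(const char *arg)
{
    char protocol[PROTOCOL_SIZE];
    return build_protocol(protocol, sizeof protocol, arg);
}

/* The advisory's crash input, constructed here: 155 'a' then "1234". */
int oversized_arg_rejected(void)
{
    char big[160];
    memset(big, 'a', 155);
    memcpy(big + 155, "1234", 5);
    return !accept_p_option(big);
}

int main(void)
{
    printf("-p inet accepted: %d\n", accept_p_option("inet"));
    printf("155 x 'a' + 1234 rejected: %d\n", oversized_arg_rejected());
    return 0;
}
```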

The fix:
~~~~~~~~

The problems are fixed in the current 1.5.3 version of the Firebird binary
distribution.

Thanks
~~~~~~

Thanks to Alex Peshkov, who was very kind and professional.

Timeline:
~~~~~~~~~

2005-02-18: Initial contact.
2005-02-11: Contact with Alex Peshkov.
2005-03-25: BOF (and various others) fixed in CVS.
2005-03-25: Wait for ~2 months after the 1.5.3 release.
2006-01-25: Firebird 1.5.3 released.
2006-03-12: Public disclosure.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

