CERT VU:247371
History: Jan 10, 2001 - 12:00 a.m.

Borland/Inprise Interbase SQL database server contains backdoor superuser account with known password

2001-01-10 00:00:00
www.kb.cert.org

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.03 Low
Percentile: 90.8%

Overview

Description

Interbase is an open source database package that is distributed by Borland/Inprise. The server contains a compiled-in backdoor account with a known password.

The following Interbase source files contain references to a LOCKSMITH user:

./jrd/dyn.e
./jrd/isc.c
./jrd/jrd.c
./jrd/pwd.c
./jrd/pwd.h
./jrd/scl.e
./jrd/scl.h
./jrd/shut.c
./jrd/tra.c
./utilities/dba_full.e

LOCKSMITH turns out to be an entity needed to allow “authorized” interaction between services and the security accounts database. It is the user account in question: it is compiled into the code and has full access to the security accounts database by default. The compiled-in credentials are defined as macros in the jrd/pwd.h header:

#define LOCKSMITH_USER "politically"
#define LOCKSMITH_PASSWORD "correct"

While it appears the password is transmitted over the wire encrypted, since the password is hard-coded, the security afforded is negligible.
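One way to audit a C source tree for this pattern is sketched below as an added example; it is not code from the advisory or from the Interbase source. The function name `find_compiled_in_credentials` is hypothetical, and the file contents and literal values in `SAMPLE_TREE` are constructed placeholders; only the macro names and the two `jrd/pwd.*` paths come from the advisory.

```python
import re

# '#define NAME "literal"', tolerating typographic quotes from rendered pages.
DEFINE_RE = re.compile(
    r'^[ \t]*#[ \t]*define[ \t]+(\w+)[ \t]+["\u201c][^"\u201d\n]*["\u201d]', re.M)
SECRET_HINT = re.compile(r"PASSWORD|PASSWD|SECRET", re.I)
USER_HINT = re.compile(r"USER|LOGIN|ACCOUNT", re.I)

# Constructed stand-in for a source tree: macro names and the jrd/pwd.* paths
# come from the advisory; contents, values and jrd/util.c are placeholders.
SAMPLE_TREE = {
    "jrd/pwd.h": '/* constructed excerpt */\n'
                 '#define LOCKSMITH_USER "example-user"\n'
                 '#define LOCKSMITH_PASSWORD "example-secret"\n',
    "jrd/pwd.c": '#include "pwd.h"\nstatic const char *u = LOCKSMITH_USER;\n',
    "jrd/util.c": "int unrelated(void) { return 0; }\n",
}

def find_compiled_in_credentials(tree):
    """tree maps path -> source text; returns one finding per secret macro.

    The literal value is never copied into the finding."""
    defines = {}  # macro name -> (path, line number)
    for path, text in tree.items():
        for m in DEFINE_RE.finditer(text):
            defines[m.group(1)] = (path, text.count("\n", 0, m.start()) + 1)
    findings = []
    for name, (path, line) in sorted(defines.items()):
        if not SECRET_HINT.search(name):
            continue
        # LOCKSMITH_PASSWORD -> LOCKSMITH, used to pair it with LOCKSMITH_USER.
        prefix = SECRET_HINT.split(name)[0].rstrip("_")
        users = sorted(n for n in defines if n != name and prefix
                       and n.startswith(prefix) and USER_HINT.search(n))
        word = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, [name] + users)))
        findings.append({
            "secret": name, "user": users, "defined_at": f"{path}:{line}",
            # Every other file that references the pair needs review too.
            "used_in": sorted(p for p, t in tree.items()
                              if p != path and word.search(t)),
        })
    return findings

if __name__ == "__main__":
    for finding in find_compiled_in_credentials(SAMPLE_TREE):
        print(finding)
```

Matching on macro names is a heuristic: it misses credentials stored under neutral names and can flag harmless string macros, so findings are a starting point for manual review.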

Once the LOCKSMITH account is compromised, the SYSDBA account privileges can be used to gain control of all database objects (tables, records, fields, stored procedures, etc.). Once database access is gained, user-defined functions (UDFs) can be used to implant trojan horses and programs that can be used to gain root (system) privileges on the system hosting the server.

This vulnerability was not introduced by unauthorized modifications to the original vendor’s source. It was introduced by maintainers of the code within Borland. The back door account password can not be changed using normal operational commands, nor can the account be deleted from existing vulnerable servers. The best solution at this time is to upgrade vulnerable binaries and source code with fixes that are being distributed by Borland and the Firebird Project (IBPhoenix).


Impact

This backdoor allows any local user or remote user able to access port 3050/tcp [gds_db] to manipulate any database object on the system. This includes the ability to install trapdoors or other trojan horse software in the form of stored procedures. In addition, if the database software is running with root (*NIX) or System (NT) privileges, then any file on the server’s file system can be overwritten, possibly leading to execution of arbitrary commands as root or System.


Solution

Install the patch being distributed to change the backdoor server account password.


Block access to port 3050/tcp; this will not, however, prevent local users or users within a firewall’s administrative boundary from accessing the backdoor account.


Vendor Information

Borland: Affected

Notified: December 23, 2000 Updated: January 11, 2001

Status

Affected

Vendor Statement

Please see:

<http://www.borland.com/interbase/downloads/patches.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23247371 Feedback>).

IBPhoenix: Affected

Notified: December 26, 2001 Updated: January 10, 2001

Status

Affected

Vendor Statement

The Firebird project uncovered serious security problems with InterBase. The problems are fixed in Firebird build 0.9.4 for all platforms. If you are running either InterBase V6 or Firebird 0.9.3, you should upgrade to Firebird 0.9.4.

These security holes affect all versions of InterBase shipped since 1994, on all platforms.

For those who can not upgrade, Jim Starkey developed a patch program that will correct the more serious problems in any version of InterBase on any platform. IBPhoenix chose to release the program without charge, given the nature of the problem and our relationship to the community.

At the moment, name service is not set up to the machine that is hosting the patch, so you will have to use the IP number both for the initial contact and for the ftp download.

To start, point your browser at <http://64.55.62.15/>. In the download instructions you receive, replace the (relatively) intelligible string “firebird.ibphoenix.com” with 64.55.62.15.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple: Not Affected

Notified: January 09, 2001 Updated: January 10, 2001

Status

Not Affected

Vendor Statement

The referenced database package is not packaged with Mac OS X or Mac OS X Server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu: Not Affected

Notified: January 09, 2001 Updated: January 10, 2001

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V operating system is not affected by this problem because we don’t support the relevant database.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Acknowledgements

This document was written by Jeffrey S Havrilla.

Other Information

CVE IDs: CVE-2001-0008
CERT Advisory: CA-2001-01 Severity Metric: