Lucene search

K
openvasCopyright (C) 2010 Greenbone AGOPENVAS:1361412562310100792
HistorySep 08, 2010 - 12:00 a.m.

Firebird Default Credentials (Firebird Protocol)

2010-09-0800:00:00
Copyright (C) 2010 Greenbone AG
plugins.openvas.org
43

7.4 High

AI Score

Confidence

Low

It is possible to connect to the remote database service using default
credentials.

# SPDX-FileCopyrightText: 2010 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.100792");
  script_version("2023-07-28T16:09:07+0000");
  script_tag(name:"last_modification", value:"2023-07-28 16:09:07 +0000 (Fri, 28 Jul 2023)");
  script_tag(name:"creation_date", value:"2010-09-08 15:41:05 +0200 (Wed, 08 Sep 2010)");
  script_tag(name:"cvss_base", value:"9.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:P/A:P");
  script_name("Firebird Default Credentials (Firebird Protocol)");
  script_category(ACT_ATTACK);
  script_family("Default Accounts");
  script_copyright("Copyright (C) 2010 Greenbone AG");
  script_dependencies("remote-detect-firebird.nasl", "gb_default_credentials_options.nasl");
  script_require_ports("Services/gds_db", 3050);
  script_mandatory_keys("firebird_db/installed");
  script_exclude_keys("default_credentials/disable_default_account_checks");

  script_tag(name:"solution", value:"Change the default password by using the gsec management tool.");

  script_tag(name:"summary", value:"It is possible to connect to the remote database service using default
  credentials.");

  script_tag(name:"insight", value:"The remote Firebird Server uses default credentials (SYSDBA/masterkey).");

  script_tag(name:"impact", value:"An attacker may use this flaw to execute commands against the remote host,
  as well as read your database content.");

  script_xref(name:"URL", value:"http://www.firebirdsql.org/manual/qsg2-config.html#qsg2-config-security");

  script_tag(name:"qod_type", value:"exploit");
  script_tag(name:"solution_type", value:"Mitigation");

  exit(0);
}

if(get_kb_item("default_credentials/disable_default_account_checks"))
  exit(0);

include("misc_func.inc");
include("port_service_func.inc");

port = service_get_port(proto:"gds_db", default:3050);

soc = open_sock_tcp(port);
if(!soc)exit(0);

firebird_auth_packet   = raw_string(
0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x13,0x00,0x00,0x00,0x02,0x00,
0x00,0x00,0x24,0x00,0x00,0x00,0x1c,0x2f,0x6f,0x70,0x74,0x2f,0x66,
0x69,0x72,0x65,0x62,0x69,0x72,0x64,0x2f,0x62,0x69,0x6e,0x2f,0x6c,
0x65,0x67,0x69,0x6f,0x6e,0x2e,0x66,0x64,0x62,0x00,0x00,0x00,0x02,
0x00,0x00,0x00,0x17,0x01,0x04,0x72,0x6f,0x6f,0x74,0x04,0x09,0x63,
0x68,0x72,0x69,0x73,0x74,0x69,0x61,0x6e,0x05,0x04,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x02,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x0a,
0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x03,0x00,
0x00,0x00,0x04);

send(socket:soc, data:firebird_auth_packet);
response = recv(socket:soc, length:1024);

if(!isnull(response) && strlen(response) == 16 && "030000000a0000000100000003" >< hexstr(response)) {

  p = raw_string(
                 0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x20,0x00,0x00,0x00,
                 0x00,0x00,0x00,0x14,0x01,0x1c,0x06,0x53,0x59,0x53,0x44,0x42,0x41,0x1d,0x09,0x6d,
                 0x61,0x73,0x74,0x65,0x72,0x6b,0x65,0x79);

  send(socket:soc, data:p);
  r = recv(socket:soc, length:1024);
  close(soc);

  if(strlen(r) >= 16 && "CreateFile" >< r) {
    security_message(port:port);
    exit(0);
  }

}

exit(99);

7.4 High

AI Score

Confidence

Low