dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


CERT Advisory: Interbase and Firebird

Jan 11, 2001, 08:03 (5 Talkback[s])
Date: Wed, 10 Jan 2001 15:11:10 -0500 (EST)
From: CERT Advisory 
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-01


-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back
 Door Account

   Original release date: January 10, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Borland/Inprise Interbase 4.x and 5.x
     * Open source Interbase 6.0 and 6.01
     * Open source Firebird 0.9-3 and earlier

Overview

   Interbase is an open source database package that had previously
 been distributed in a closed source fashion by Borland/Inprise. Both
 the open and closed source verisions of the Interbase server contain
 a compiled-in back door account with a known password.

I. Description

   Interbase is an open source database package that is distributed
 by Borland/Inprise at http://www.borland.com/interbase/ and on
 SourceForge. The Firebird Project, an alternate Interbase package,
 is also distributed on SourceForge. The Interbase server for both
 distributions contains a compiled-in back door account with a fixed,
 easily located plaintext password. The password and account are
 contained in source code and binaries previously made available at
 the following sites:

          http://www.borland.com/interbase/
          http://sourceforge.net/projects/interbase
          http://sourceforge.net/projects/firebird
          http://firebird.sourceforge.net
          http://www.ibphoenix.com
          http://www.interbase2000.com

   This back door allows any local user or remote user able to access
   port 3050/tcp [gds_db] to manipulate any database object on the
   system. This includes the ability to install trapdoors or other
 trojan horse software in the form of stored procedures. In addition,
 if the database software is running with root privileges, then any
 file on the server's file system can be overwritten, possibly
 leading to execution of arbitrary commands as root.

   This vulnerability was not introduced by unauthorized
 modifications to the original vendor's source. It was introduced by
 maintainers of the code within Borland. The back door account
 password cannot be changed using normal operational commands, nor
 can the account be deleted from existing vulnerable servers [see
 References].

   This vulnerability has been assigned the identifier CAN-2001-0008
 by the Common Vulnerabilities and Exposures (CVE) group:

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008

   The CERT/CC has not received reports of this back door being
 exploited at the current time. We do recommend, however, that all
 affected sites and redistributors of Interbase products or services
 follow the recommendations suggested in Section III, as soon as
 possible due to the seriousness of this issue.

II. Impact

   Any local user or remote user able to access port 3050/tcp
 [gds_db] can manipulate any database object on the system. This
 includes the ability to install trapdoors or other trojan horse
 software in the form of stored procedures. In addition, if the
 database software is running with root privileges, then any file on
 the server's file system can be overwritten, possibly leading to
 execution of arbitrary commands as root.

III. Solution

Apply a vendor-supplied patch

   Both Borland and The Firebird Project on SourceForge have
 published fixes for this problem. Appendix A contains information
 provided by vendors supplying these fixes. We will update the
 appendix as we receive more information. If you do not see your
 vendor's name, the CERT/CC did not hear from that vendor. Please
 contact your vendor directly.

   Users who are more comfortable making their own changes in source
 code may find the new code available on SourceForge useful as well:

          http://sourceforge.net/projects/interbase
          http://sourceforge.net/projects/firebird

Block access to port 3050/tcp

   This will not, however, prevent local users or users within a
   firewall's adminstrative boundary from accessing the back door
   account. In addition, the port the Interbase server listens on may
 be changed dynamically at startup.

Appendix A. Vendor Information

Borland

   Please see:

          http://www.borland.com/interbase/

IBPhoenix

   The Firebird project uncovered serious security problems with
   InterBase. The problems are fixed in Firebird build 0.9.4 for all
   platforms. If you are running either InterBase V6 or Firebird
 0.9.3, you should upgrade to Firebird 0.9.4.

   These security holes affect all version of InterBase shipped since
   1994, on all platforms.

   For those who can not upgrade, Jim Starkey developed a patch
 program that will correct the more serious problems in any version
 of InterBase on any platform. IBPhoenix chose to release the program
 without charge, given the nature of the problem and our relationship
 to the community.

   At the moment, name service is not set up to the machine that is
   hosting the patch, so you will have to use the IP number both for
 the initial contact and for the ftp download.

   To start, point your browser at

          http://firebird.ibphoenix.com/

Apple

   The referenced database package is not packaged with Mac OS X or
 Mac OS X Server.

Fujitsu

   Fujitsu's UXP/V operating system is not affected by this problem
   because we don't support the relevant database.

References

    1. VU#247371: Borland/Inprise Interbase SQL database server
 contains backdoor superuser account with known password CERT/CC,
 01/10/2001, https://www.kb.cert.org/vuls/id/247371
    
 _________________________________________________________________

   Author: This document was written by Jeffrey S Havrilla. Feedback
 on this advisory is appreciated.
  
 ____________________________________________________________________
__

   This document is available from:
   http://www.cert.org/advisories/CA-2001-01.html
  
 ____________________________________________________________________
__

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
 EDT(GMT-4) Monday through Friday; they are on call for emergencies
 during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by
 email. Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available
 from our web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and
 bulletins, send email to majordomo@cert.org. Please include in the
 body of your message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
  
 ____________________________________________________________________
__

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the
 Software Engineering Institute is furnished on an "as is" basis.
 Carnegie Mellon University makes no warranties of any kind, either
 expressed or implied as to any matter including, but not limited to,
 warranty of fitness for a particular purpose or merchantability,
 exclusivity or results obtained from use of the material. Carnegie
 Mellon University does not make any warranty of any kind with
 respect to freedom from patent, trademark, or copyright
 infringement.
    
 _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History
January 10, 2001:  Initial release

Related Stories: