Bug 919549 (CVE-2013-2492) - CVE-2013-2492 Firebird: CNCT info remote stack buffer overflow
Summary: CVE-2013-2492 Firebird: CNCT info remote stack buffer overflow
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2013-2492
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 919551 919552
Blocks:
Reported: 2013-03-08 19:02 UTC by Kurt Seifried
Modified: 2019-09-29 13:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-01 16:18:13 UTC
Embargoed:



Description Kurt Seifried 2013-03-08 19:02:55 UTC
Spencer McIntyre reports:

The FirebirdSQL server is vulnerable to a stack buffer overflow that can be
triggered when an unauthenticated user sends a specially crafted packet. The
result can lead to remote code execution as the user which runs the FirebirdSQL
server. 

Alexander Peshkov adds:

The reason is a bug when extracting a group number from the CNCT info sent by the client. The size of the received data was not checked. The bug has existed since the first days of Firebird.

The main irony here is that this group info was never used later in the code, and therefore was cleaned up in trunk, i.e. trunk does not require fixing.

This is fixed in snapshot builds; the build numbers are 26623 for v2.5 and 18514 for v2.1. The fix is available in the upstream SVN repository on the B2_5_Release branch (revision 57728).

external references:
http://tracker.firebirdsql.org/browse/CORE-4058
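As an added illustration of the defect described above (not Firebird's code and not from the reporters), the following C program walks a CNCT-style clump list and extracts the group number with the same bound the upstream fix applies before the memcpy. The clump layout (1-byte tag, 1-byte length, payload), the tag values, the enum names and the sample packets are all assumed or constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag values are assumed for illustration; they are not Firebird's constants. */
#define CNCT_user  1
#define CNCT_group 5

enum group_status {
    GROUP_OK = 0,     /* group number copied into *eff_gid */
    GROUP_ABSENT,     /* no CNCT_group clump in the list */
    GROUP_SKIPPED,    /* zero-length clump, ignored as in the original code */
    GROUP_REJECTED,   /* clump longer than the destination integer: rejected */
    GROUP_MALFORMED   /* clump list truncated: a length runs past the buffer */
};

/* Walk a clump list (1-byte tag, 1-byte length, payload) and extract the
 * group number, applying the bound that the fix for this bug adds. */
enum group_status extract_group(const uint8_t *cnct, size_t cnct_len, uint32_t *eff_gid)
{
    enum group_status status = GROUP_ABSENT;
    size_t pos = 0;

    while (pos + 2 <= cnct_len) {
        const uint8_t tag = cnct[pos];
        const size_t length = cnct[pos + 1];
        const uint8_t *bytes = cnct + pos + 2;

        /* Refuse a clump whose payload extends beyond the received data. */
        if (length > cnct_len - pos - 2)
            return GROUP_MALFORMED;

        if (tag == CNCT_group) {
            /* Before the fix the only check was `length != 0`, so memcpy wrote
             * `length` client-chosen bytes into a 4-byte integer on the stack. */
            if (length <= sizeof(*eff_gid) && length > 0) {
                *eff_gid = 0;
                memcpy(eff_gid, bytes, length); /* host byte order, as in the patch */
                status = GROUP_OK;
            } else if (length == 0) {
                status = GROUP_SKIPPED;
            } else {
                status = GROUP_REJECTED;
            }
        }
        pos += 2 + length;
    }
    /* A trailing lone byte means the list was cut off mid-clump. */
    return pos == cnct_len ? status : GROUP_MALFORMED;
}

/* Status only, for callers (and tests) that do not need the value. */
enum group_status group_status_of(const uint8_t *cnct, size_t cnct_len)
{
    uint32_t gid = 0;
    return extract_group(cnct, cnct_len, &gid);
}

/* Returns the group number on success, otherwise `fallback`. */
uint32_t group_value_or(const uint8_t *cnct, size_t cnct_len, uint32_t fallback)
{
    uint32_t gid = fallback;
    return extract_group(cnct, cnct_len, &gid) == GROUP_OK ? gid : fallback;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_OK[]        = { CNCT_user, 3, 'b', 'o', 'b', CNCT_group, 4, 0x2A, 0x2A, 0x2A, 0x2A };
static const uint8_t SAMPLE_OVERSIZE[]  = { CNCT_group, 8, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };
static const uint8_t SAMPLE_ZERO[]      = { CNCT_group, 0 };
static const uint8_t SAMPLE_TRUNCATED[] = { CNCT_group, 9, 0x41 };
static const uint8_t SAMPLE_NO_GROUP[]  = { CNCT_user, 1, 'a' };

int main(void)
{
    printf("ok        -> status %d, gid 0x%08lx\n", group_status_of(SAMPLE_OK, sizeof SAMPLE_OK),
           (unsigned long)group_value_or(SAMPLE_OK, sizeof SAMPLE_OK, 0));
    printf("oversize  -> status %d\n", group_status_of(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE));
    printf("zero      -> status %d\n", group_status_of(SAMPLE_ZERO, sizeof SAMPLE_ZERO));
    printf("truncated -> status %d\n", group_status_of(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("no group  -> status %d\n", group_status_of(SAMPLE_NO_GROUP, sizeof SAMPLE_NO_GROUP));
    return 0;
}
```

The sample group value uses four identical bytes so the result is the same on little- and big-endian hosts; with fewer than four bytes the memcpy pattern (kept here because it mirrors the patch) yields a host-order-dependent value, which is a second reason to bound and ideally to fix the length of that clump.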

Comment 1 Kurt Seifried 2013-03-08 19:05:48 UTC
Created firebird tracking bugs for this issue

Affects: epel-all [bug 919551]

Comment 4 Ramon de C Valle 2013-03-15 17:53:36 UTC
Index: src/remote/inet.cpp
===================================================================
--- src/remote/inet.cpp	(revision 57727)
+++ src/remote/inet.cpp	(revision 57728)
@@ -1252,7 +1252,7 @@
 		case CNCT_group:
 			{
 				const size_t length = id.getClumpLength();
-				if (length != 0)
+				if (length <= sizeof(eff_gid) && length > 0)
 				{
 					eff_gid = 0;
 					memcpy(&eff_gid, id.getBytes(), length);
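Review bot: the new condition `length <= sizeof(eff_gid) && length > 0` keeps the memcpy inside eff_gid, but an over-long CNCT_group clump now falls through silently, leaving eff_gid at its previous value with no error or log entry; since a clump longer than the destination can only come from a malformed or malicious client, consider treating that case as a protocol error rather than skipping it. Also note that for `0 < length < sizeof(eff_gid)` the memcpy fills the low addresses of the integer, so the resulting value depends on host byte order; if the value were ever used, the clump length should be pinned to exactly sizeof(eff_gid).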

Comment 5 Fedora Update System 2013-03-20 21:36:28 UTC
firebird-2.5.2.26539.0-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2013-03-20 21:43:27 UTC
firebird-2.5.2.26539.0-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-03-26 16:41:55 UTC
firebird-2.5.2.26539.0-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-03-26 16:46:06 UTC
firebird-2.1.5.18496.0-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

