A remote attacker can check, if a file is present in the system, running firebird server [CORE1312] #1731

Closed
firebird-automations opened this issue Jun 9, 2007 · 13 comments

Comments

@firebird-automations

Submitted by: @AlexPeshkoff

Is related to QA132

Bug was reported by David Calligaris <mailto:david.calligaris@emaze.net>:

------------------
There is an information disclosure vulnerability in the Firebird 2.0.1
protocol implementation that could allow a remote attacker to check if a
file is present in the remote system. Successful exploitation of this
vulnerability allows the remote attacker to launch further attacks on
the remote host.

Proof Of Concept:
-----------------
Example of Windows User Enumeration:

<EXAMPLE>

diaul@yeshu:~$ isql-fb "192.168.1.75:C:\Documents and Settings\diaul"
Statement failed, SQLCODE = -902

I/O error for file "C:\Documents and Settings\diaul"
-Error while trying to open file
-Access is denied.

Use CONNECT or CREATE DATABASE to specify a database
SQL>

diaul@yeshu:~$ isql-fb "192.168.1.75:C:\Documents and Settings\FooBar"
Statement failed, SQLCODE = -902

I/O error for file "C:\Documents and Settings\FooBar"
-Error while trying to open file
-The system cannot find the file specified.

Use CONNECT or CREATE DATABASE to specify a database
SQL>

</EXAMPLE>

You can see there are two different error messages for valid and invalid
resources.
------------------

The reason for the bug is that password validation is done almost at the end of the database attach/create calls.

Commits: c76f165 e5f1e63

@firebird-automations

Commented by: @AlexPeshkoff

Now password validation is done as soon as possible, right after getting database options from the DPB. This makes 'bad password' the first exception to happen when connecting to the server, and at the same time saves it a lot of work when wrong credentials are passed.
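
The ordering change described in this comment, as an added example that is not part of the original thread or Firebird's code: a toy C++ model comparing what a caller with bad credentials sees when the file is opened before versus after the credential check. All type and function names, the credential pair and the `employee.fdb` path are constructed assumptions.

```cpp
#include <cstddef>
#include <map>
#include <set>
#include <string>

// Constructed stand-ins for server state; not Firebird's own types.
enum class FileState { Denied, NotDatabase, Database };
enum class Result { Ok, LoginFailed, FileNotFound, AccessDenied, NotADatabase };
struct Server {
    std::map<std::string, FileState> files;    // path -> what an open attempt finds
    std::map<std::string, std::string> users;  // user -> password (toy check only)
    bool authenticate(const std::string& u, const std::string& p) const {
        auto it = users.find(u);
        return it != users.end() && it->second == p;
    }
    Result open_file(const std::string& path) const {
        auto it = files.find(path);
        if (it == files.end()) return Result::FileNotFound;
        if (it->second == FileState::Database) return Result::Ok;
        return it->second == FileState::Denied ? Result::AccessDenied : Result::NotADatabase;
    }
    // Ordering before the fix: the file is touched first, credentials last.
    Result attach_late_auth(const std::string& path, const std::string& u, const std::string& p) const {
        Result r = open_file(path);
        if (r != Result::Ok) return r;
        return authenticate(u, p) ? Result::Ok : Result::LoginFailed;
    }
    // Ordering after the fix: credentials are checked before any file access.
    Result attach_early_auth(const std::string& path, const std::string& u, const std::string& p) const {
        if (!authenticate(u, p)) return Result::LoginFailed;
        return open_file(path);
    }
};

// Regression check: distinct answers seen by a caller with bad credentials,
// over every known path plus one missing path. Above 1 means errors leak file state.
template <typename Attach>
std::size_t distinct_unauth_responses(const Server& s, Attach attach) {
    std::set<Result> seen{(s.*attach)("C:\\Documents and Settings\\FooBar", "nobody", "wrong")};
    for (const auto& f : s.files) seen.insert((s.*attach)(f.first, "nobody", "wrong"));
    return seen.size();
}
Server sample_server() {  // constructed sample state; first two paths appear in the thread
    Server s;
    s.files["C:\\Documents and Settings\\diaul"] = FileState::Denied;
    s.files["C:\\driver\\rappin_ch09.pdf"] = FileState::NotDatabase;
    s.files["C:\\data\\employee.fdb"] = FileState::Database;  // constructed path
    s.users["SYSDBA"] = "constructed-password";               // constructed credentials
    return s;
}
```

With bad credentials the late ordering returns four distinct answers and the early ordering returns one. A caller with valid credentials still gets file-specific errors in both orderings.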

@firebird-automations

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 2.1 Beta 1 [ 10141 ]

Fix Version: 2.0.2 [ 10130 ]

@firebird-automations

Modified by: @AlexPeshkoff

Fix Version: 2.1.0 [ 10041 ]

Version: 2.1 Alpha 1 [ 10150 ] =>

Version: 2.1 Initial [ 10160 ] =>

Version: 1.5.4 [ 10100 ] =>

Version: 2.0.0 [ 10091 ] =>

Version: 1.5.3 [ 10028 ] =>

Version: 1.5.2 [ 10027 ] =>

Version: 1.5.1 [ 10026 ] =>

Version: 1.5.0 [ 10025 ] =>

Version: 1.0.3 [ 10006 ] =>

Fix Version: 2.1 Beta 1 [ 10141 ] =>

@firebird-automations

Modified by: @pcisar

Fix Version: 2.1 Beta 1 [ 10141 ]

summary: A remote attacker can check, if a
file is present in the system, running firebird server

=>

A remote attacker can check, if a file is present in the system, running firebird server

Fix Version: 2.1.0 [ 10041 ] =>

@firebird-automations

Modified by: @pcisar

Link: This issue is related to QA132 [ QA132 ]

@firebird-automations

Commented by: @pmakowski

Are you sure it is solved?

Here is what I get under Windows with FB2.1.0Beta1:

C:\FB21\bin>isql "192.168.1.10:c:\driver\rappin_ch09.pdf"
Statement failed, SQLCODE = -922
file C:\DRIVER\RAPPIN_CH09.PDF is not a valid database
Use CONNECT or CREATE DATABASE to specify a database
SQL> exit;

C:\FB21\bin>isql "192.168.1.10:c:\driver\rappin_ch0.pdf"
Statement failed, SQLCODE = -902
I/O error for file "c:\driver\rappin_ch0.pdf"
-Error while trying to open file
-Le fichier specifie est introuvable.

@firebird-automations

Modified by: @pmakowski

status: Resolved [ 5 ] => Reopened [ 4 ]

resolution: Fixed [ 1 ] =>

@firebird-automations

Commented by: @AlexPeshkoff

Pavel, this all makes sense only for attempts to connect by users not having a valid login/password on the server. I noticed there are no -u/-p switches, but maybe you have a correct pair in the environment? Next, since 2.1 beta1 trusted authentication also works for Windows, i.e. you will be connected to a database with your Windows logon as CURRENT_USER if you have logged on to the Windows server.

Please try something like:
isql -u QQQ -p ZZZ "192.168.1.10:c:\driver\rappin_ch09.pdf"
to make sure no default attempts to login are done.

@firebird-automations

Commented by: @pmakowski

Sorry

Seems I made a bad test

If I try to connect from another box, you are right, the bug is solved
and yes, I forgot the feature that even if I have no correct pair in my environment, the trusted authentication also works for Windows

so I'll close the bug

@firebird-automations

Commented by: @pmakowski

Q/A test made and ok

@firebird-automations

Modified by: @pmakowski

status: Reopened [ 4 ] => Closed [ 6 ]

resolution: Fixed [ 1 ]

Fix Version: 2.1 Beta 2 [ 10190 ]

@firebird-automations

Modified by: @pcisar

Workflow: jira [ 12286 ] => Firebird [ 14788 ]

@firebird-automations

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: Done successfully
