Segfault in server caused by malformed network packet CVE-2014-9323 [CORE4630] #4944

Closed
firebird-automations opened this issue Dec 1, 2014 · 15 comments

Comments

@firebird-automations
Collaborator

Submitted by: @ibprovider

Attachments:
crash.cpp

Sending a malformed packet to the server (op = op_response with any non-empty status vector data) instead of the expected op_connect makes the server try to write data at a NULL address, because a NULL pointer to the status vector is passed to the xdr_status_vector() function. This attack does not require login to the server.

All Firebird versions except v3.0 are affected.

Commits: 4db617f 256b95e d310e46 FirebirdSQL/fbt-repository@f588ffa FirebirdSQL/fbt-repository@02cfa8f

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

Test program causing server to die.

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

Attachment: crash.cpp [ 12642 ]

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

Link: This issue is related to CORE4629 [ CORE4629 ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

reporter: Alexander Peshkov [ alexpeshkoff ] => Kovalenko Dmitry [ _dima_k_ ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

Version: 3.0 Beta 1 [ 10332 ]

Version: 3.0 Alpha 2 [ 10560 ]

Version: 3.0 Alpha 1 [ 10331 ]

summary: Segfault in server caused by bad packet => Segfault in server caused by malformed network packet

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

Added checks for both status vector overflow and presence
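
A simplified model of the two checks named in the comment above (status vector presence and overflow), added here as an illustration; it is not Firebird's code or the committed fix. The opcode values, `STATUS_CAP`, the word-based wire layout, the sample packet and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not Firebird source. Assumptions: opcode values, vector
 * capacity, and a wire layout of big-endian 32-bit words ending in a 0 word. */
enum { OP_CONNECT = 1, OP_RESPONSE = 9, STATUS_CAP = 20 };
enum decode_rc { DEC_OK, DEC_TRUNCATED, DEC_NO_VECTOR, DEC_OVERFLOW };

/* Constructed sample: op_response followed by status words 1, 42, 0. */
static const uint8_t SAMPLE_RESPONSE[16] = {0,0,0,9, 0,0,0,1, 0,0,0,42, 0,0,0,0};

static int read_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4) return 0;                 /* never read past the packet */
    *out = (uint32_t)buf[*off] << 24 | (uint32_t)buf[*off + 1] << 16 |
           (uint32_t)buf[*off + 2] << 8 | (uint32_t)buf[*off + 3];
    *off += 4;
    return 1;
}

/* vec is NULL while the server still waits for the first connect packet. */
static enum decode_rc decode_status_vector(const uint8_t *buf, size_t len,
                                           size_t *off, uint32_t *vec, size_t cap)
{
    uint32_t word;
    size_t n = 0;
    if (vec == NULL) return DEC_NO_VECTOR;        /* presence check */
    for (;;) {
        if (!read_u32(buf, len, off, &word)) return DEC_TRUNCATED;
        if (n == cap) return DEC_OVERFLOW;        /* bound check before the store */
        vec[n++] = word;
        if (word == 0) return DEC_OK;             /* terminator stored */
    }
}

enum decode_rc decode_packet(const uint8_t *buf, size_t len,
                             uint32_t *vec, size_t cap, uint32_t *op)
{
    size_t off = 0;
    if (!read_u32(buf, len, &off, op)) return DEC_TRUNCATED;
    if (*op != OP_RESPONSE) return DEC_OK;        /* no vector to decode in this model */
    return decode_status_vector(buf, len, &off, vec, cap);
}

int main(void)
{
    uint32_t op;
    return decode_packet(SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE, NULL, 0, &op) != DEC_NO_VECTOR;
}
```

Without the presence check, the first store through `vec` is the NULL write the report describes; without the bound check, a vector longer than the destination runs past its end.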

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 2.1.7 [ 10651 ]

Fix Version: 2.5.3 Update 1 [ 10650 ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

Link: This issue is related to CORE4629 [ CORE4629 ] =>

@firebird-automations
Collaborator Author

Modified by: @dyemanov

description: Sending malformed packet to the server (op = op_response with any non-empty status vector data) instead expected op_connect makes server try to write data at NULL address cause NULL pointer to status vector is passed to xdr_status_vector() function. This attack does not require login to server. => Sending malformed packet to the server (op = op_response with any non-empty status vector data) instead expected op_connect makes server try to write data at NULL address cause NULL pointer to status vector is passed to xdr_status_vector() function. This attack does not require login to server.

All Firebird versions except v3.0 are affected.

@firebird-automations
Collaborator Author

Modified by: @dyemanov

security: Developers [ 10012 ] =>

@firebird-automations
Collaborator Author

Modified by: @pmakowski

summary: Segfault in server caused by malformed network packet => Segfault in server caused by malformed network packet CVE-2014-9323

@firebird-automations
Collaborator Author

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: No test

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: No test => Cannot be tested
