Title: Interbase Server Contains Compiled-in Back Door Account
Released by: CERT
Date: 10th January 2001


CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door Account

   Original release date: January 10, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.



Systems Affected



     * Borland/Inprise Interbase 4.x and 5.x
     * Open source Interbase 6.0 and 6.01
     * Open source Firebird 0.9-3 and earlier



Overview



   Interbase is an open source database package that had previously been
   distributed in a closed source fashion by Borland/Inprise. Both the
   open and closed source versions of the Interbase server contain a
   compiled-in back door account with a known password.



I. Description



   Interbase is an open source database package that is distributed by
   Borland/Inprise at http://www.borland.com/interbase/ and on
   SourceForge. The Firebird Project, an alternate Interbase package, is
   also distributed on SourceForge. The Interbase server for both
   distributions contains a compiled-in back door account with a fixed,
   easily located plaintext password. The password and account are
   contained in source code and binaries previously made available at the
   following sites:

          http://www.borland.com/interbase/
          http://sourceforge.net/projects/interbase
          http://sourceforge.net/projects/firebird
          http://firebird.sourceforge.net
          http://www.ibphoenix.com
          http://www.interbase2000.com

   This back door allows any local user or remote user able to access
   port 3050/tcp [gds_db] to manipulate any database object on the
   system. This includes the ability to install trapdoors or other trojan
   horse software in the form of stored procedures. In addition, if the
   database software is running with root privileges, then any file on
   the server's file system can be overwritten, possibly leading to
   execution of arbitrary commands as root.

   This vulnerability was not introduced by unauthorized modifications to
   the original vendor's source. It was introduced by maintainers of the
   code within Borland. The back door account password cannot be changed
   using normal operational commands, nor can the account be deleted from
   existing vulnerable servers [see References].

   This vulnerability has been assigned the identifier CAN-2001-0008 by
   the Common Vulnerabilities and Exposures (CVE) group:

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008

   The CERT/CC has not received reports of this back door being exploited
   at the current time. We do recommend, however, that all affected sites
   and redistributors of Interbase products or services follow the
   recommendations suggested in Section III, as soon as possible due to
   the seriousness of this issue.



II. Impact



   Any local user or remote user able to access port 3050/tcp [gds_db]
   can manipulate any database object on the system. This includes the
   ability to install trapdoors or other trojan horse software in the
   form of stored procedures. In addition, if the database software is
   running with root privileges, then any file on the server's file
   system can be overwritten, possibly leading to execution of arbitrary
   commands as root.



III. Solution



Apply a vendor-supplied patch



   Both Borland and The Firebird Project on SourceForge have published
   fixes for this problem. Appendix A contains information provided by
   vendors supplying these fixes. We will update the appendix as we
   receive more information. If you do not see your vendor's name, the
   CERT/CC did not hear from that vendor. Please contact your vendor
   directly.

   Users who are more comfortable making their own changes in source code
   may find the new code available on SourceForge useful as well:

          http://sourceforge.net/projects/interbase
          http://sourceforge.net/projects/firebird



Block access to port 3050/tcp



   This will not, however, prevent local users or users within a
   firewall's administrative boundary from accessing the back door
   account. In addition, the port the Interbase server listens on may be
   changed dynamically at startup.
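
   The caveats above can be checked per host. This added example (not
   part of the CERT advisory) parses listener and process listings to
   flag Interbase/Firebird servers that a 3050/tcp filter would miss,
   that accept remote connections, or that run as root. The server
   binary names and the sample `ss`/`ps` lines are assumptions
   constructed for illustration.

```python
import re

# Assumed server binary names for Interbase/Firebird builds; adjust to your install.
SERVER_NAMES = {"ibserver", "gds_inet_server", "fbserver", "fb_inet_server"}
DEFAULT_PORT = 3050  # gds_db, the port named in the advisory

# Constructed sample in the shape of `ss -H -ltnp` output (not from a real host).
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:3050 0.0.0.0:* users:(("ibserver",pid=812,fd=5))
LISTEN 0 128 0.0.0.0:3051 0.0.0.0:* users:(("ibserver",pid=977,fd=5))
LISTEN 0 128 127.0.0.1:3050 0.0.0.0:* users:(("fbserver",pid=1044,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
"""
# Constructed sample in the shape of `ps -eo pid=,user=` output.
PS_SAMPLE = """\
640 root
812 root
977 interbase
1044 firebird
"""

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def audit(ss_text, ps_text):
    """Return one finding per Interbase/Firebird listener, matched on process name."""
    owner = dict(line.split() for line in ps_text.splitlines() if line.strip())
    findings = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m or m.group(3) not in SERVER_NAMES:
            continue
        addr, port, name, pid = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        findings.append({
            "process": name, "pid": int(pid), "port": port,
            # Loopback-only listeners are still reachable by local users.
            "remote_reachable": addr not in ("127.0.0.1", "[::1]"),
            # A filter on 3050/tcp alone does not cover this listener.
            "missed_by_3050_filter": port != DEFAULT_PORT,
            # Per the advisory, a root-owned server lets any file be overwritten.
            "runs_as_root": owner.get(pid) == "root",
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SS_SAMPLE, PS_SAMPLE):
        print(finding)
```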



Appendix A. Vendor Information



Borland



   Please see:

          http://www.borland.com/interbase/



IBPhoenix



   The Firebird project uncovered serious security problems with
   InterBase. The problems are fixed in Firebird build 0.9.4 for all
   platforms. If you are running either InterBase V6 or Firebird 0.9.3,
   you should upgrade to Firebird 0.9.4.

   These security holes affect all versions of InterBase shipped since
   1994, on all platforms.

   For those who can not upgrade, Jim Starkey developed a patch program
   that will correct the more serious problems in any version of
   InterBase on any platform. IBPhoenix chose to release the program
   without charge, given the nature of the problem and our relationship
   to the community.

   At the moment, name service is not set up to the machine that is
   hosting the patch, so you will have to use the IP number both for the
   initial contact and for the ftp download.

   To start, point your browser at

          http://firebird.ibphoenix.com/



Apple



   The referenced database package is not packaged with Mac OS X or Mac
   OS X Server.



Fujitsu



   Fujitsu's UXP/V operating system is not affected by this problem
   because we don't support the relevant database.



References



    1. VU#247371: Borland/Inprise Interbase SQL database server contains
       backdoor superuser account with known password, CERT/CC,
       01/10/2001, https://www.kb.cert.org/vuls/id/247371

     _________________________________________________________________



   Author: This document was written by Jeffrey S Havrilla. Feedback on
   this advisory is appreciated.

   ______________________________________________________________________



   This document is available from:
   http://www.cert.org/advisories/CA-2001-01.html

   ______________________________________________________________________



CERT/CC Contact Information



   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.



Using encryption



   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.



Getting security information



   CERT publications and other security information are available from
   our web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   ______________________________________________________________________



   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

     _________________________________________________________________



   Conditions for use, disclaimers, and sponsorship information



   Copyright 2001 Carnegie Mellon University.



   Revision History

   January 10, 2001:  Initial release


