FYI,
CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door Account
Original release date: January 10, 2001
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Borland/Inprise Interbase 4.x and 5.x
* Open source Interbase 6.0 and 6.01
* Open source Firebird 0.9-3 and earlier
Overview
Interbase is an open source database package that had
previously been distributed in a closed source fashion by
Borland/Inprise. Both the open and closed source versions of the Interbase server
contain a compiled-in back door account with a known password.
I. Description
Interbase is an open source database package that is
distributed by Borland/Inprise at http://www.borland.com/interbase/ and
on SourceForge. The Firebird Project, an alternate Interbase
package, is also distributed on SourceForge. The Interbase server for
both distributions contains a compiled-in back door account
with a fixed, easily located plaintext password. The password and
account are contained in source code and binaries previously made
available at the following sites:
http://www.borland.com/interbase/
http://sourceforge.net/projects/interbase
http://sourceforge.net/projects/firebird
http://firebird.sourceforge.net
http://www.ibphoenix.com
http://www.interbase2000.com
This back door allows any local user or remote user able
to access port 3050/tcp [gds_db] to manipulate any database object
on the system. This includes the ability to install trapdoors or
other trojan horse software in the form of stored procedures. In
addition, if the database software is running with root privileges, then
any file on the server's file system can be overwritten, possibly
leading to execution of arbitrary commands as root.
This vulnerability was not introduced by unauthorized
modifications to the original vendor's source. It was introduced by
maintainers of the code within Borland. The back door account password
cannot be changed using normal operational commands, nor can the account be
deleted from existing vulnerable servers [see References].
This vulnerability has been assigned the identifier
CAN-2001-0008 by the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008
The CERT/CC has not received reports of this back door
being exploited at the current time. We do recommend, however, that all
affected sites and redistributors of Interbase products or services
follow the recommendations suggested in Section III, as soon as
possible due to the seriousness of this issue.
II. Impact
Any local user or remote user able to access port
3050/tcp [gds_db] can manipulate any database object on the system. This
includes the ability to install trapdoors or other trojan horse
software in the form of stored procedures. In addition, if the database
software is running with root privileges, then any file on the
server's file system can be overwritten, possibly leading to execution
of arbitrary commands as root.
III. Solution
Apply a vendor-supplied patch
Both Borland and The Firebird Project on SourceForge have
published fixes for this problem. Appendix A contains information
provided by vendors supplying these fixes. We will update the
appendix as we receive more information. If you do not see your vendor's
name, the CERT/CC did not hear from that vendor. Please contact
your vendor directly.
Users who are more comfortable making their own changes
in source code may find the new code available on SourceForge useful as
well:
http://sourceforge.net/projects/interbase
http://sourceforge.net/projects/firebird
Block access to port 3050/tcp
This will not, however, prevent local users or users
within a firewall's administrative boundary from accessing the back
door account. In addition, the port the Interbase server
listens on may be changed dynamically at startup.
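Because the listening port can differ from 3050, a firewall rule written for the default port can miss the server. The following sketch is an added example, not part of the CERT advisory: it assumes the port is set through the gds_db entry of a services file and that listening sockets are listed in `ss -ltn` format; the function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. All sample data is constructed.

# Print the TCP port assigned to gds_db in services-format text on stdin.
# Falls back to 3050, the port named in the advisory, when no entry exists.
gds_port() {
    port=$(awk '$1 == "gds_db" && $2 ~ /\/tcp$/ {
                    sub(/\/tcp$/, "", $2); print $2; exit }')
    echo "${port:-3050}"
}

# Read `ss -ltn`-style output on stdin; print each non-loopback local
# address that is listening on the given port.
exposed_listeners() {
    awk -v p="$1" '$1 == "LISTEN" {
        n = split($4, parts, ":")
        if (parts[n] != p) next
        host = substr($4, 1, length($4) - length(parts[n]) - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        print host
    }'
}

# Constructed sample: a host where gds_db was moved off the default port.
sample_services() {
    cat <<'EOF'
# service   port/proto
ssh         22/tcp
gds_db      3051/tcp    # InterBase server
EOF
}

# Constructed sample of listening sockets on that host.
sample_sockets() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:3051       0.0.0.0:*
LISTEN 0      128    127.0.0.1:3050     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
EOF
}

port=$(sample_services | gds_port)
for addr in $(sample_sockets | exposed_listeners "$port"); do
    echo "gds_db reachable on $addr port $port: restrict it at the firewall"
done
```

On a live host, replace the samples with real data: `gds_port < /etc/services` and `ss -ltn | exposed_listeners "$port"`.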
Appendix A. Vendor Information
Borland
Please see:
http://www.borland.com/interbase/
IBPhoenix
The Firebird project uncovered serious security problems
with InterBase. The problems are fixed in Firebird build 0.9.4
for all platforms. If you are running either InterBase V6 or
Firebird 0.9.3, you should upgrade to Firebird 0.9.4.
These security holes affect all versions of InterBase
shipped since 1994, on all platforms.
For those who can not upgrade, Jim Starkey developed a
patch program that will correct the more serious problems in any
version of InterBase on any platform. IBPhoenix chose to release the
program without charge, given the nature of the problem and our
relationship to the community.
At the moment, name service is not set up to the machine
that is hosting the patch, so you will have to use the IP number
both for the initial contact and for the ftp download.
To start, point your browser at
http://firebird.ibphoenix.com/
Apple
The referenced database package is not packaged with Mac
OS X or Mac OS X Server.
Fujitsu
Fujitsu's UXP/V operating system is not affected by this
problem because we don't support the relevant database.
References
1. VU#247371: Borland/Inprise Interbase SQL database
server contains backdoor superuser account with known password
CERT/CC, 01/10/2001, https://www.kb.cert.org/vuls/id/247371
_________________________________________________________________
Author: This document was written by Jeffrey S Havrilla.
Feedback on this advisory is appreciated.
______________________________________________________________________
This document is available from: http://www.cert.org/advisories/CA-2001-01.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5)
/ EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information
sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline
for more information.
Getting security information
CERT publications and other security information are
available from our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and
bulletins, send email to majordomo@cert.org. Please include in the
body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in
the U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY Any material furnished by Carnegie Mellon University and
the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either
expressed or implied as to any matter including, but not limited to,
warranty of fitness for a particular purpose or merchantability,
exclusivity or results obtained from use of the material. Carnegie
Mellon University does not make any warranty of any kind with respect to
freedom from patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.