SRP authentication is vulnerable to SQL attacks because its metadata is not
system objects
------------------------------------------------------------------------------------------
Key: CORE-6409
URL: http://tracker.firebirdsql.org/browse/CORE-6409
Project: Firebird Core
Issue Type: Bug
Affects Versions: 3.0.6, 3.0.7
Environment: Windows 10 (x64) Version 2004
Firebird 3.0.7.33365 (snapshot)
Reporter: Luciano Mendes
Priority: Critical
ACTUAL RESULT
- SRP authentication is vulnerable to SQL attacks because its metadata is not
system objects.
- Any user with permissions to create tables technically could, through SQL
commands, attack the SRP plugin metadata (PLG$SRP table and PLG$SRP_VIEW view).
- Error on creating a SRP user because the SRP plugin metadata (PLG$SRP table
and PLG$SRP_VIEW view) are not considered as reserved (system objects).
- The following issue happens when trying to create the SYSDBA user inside
the database using the SRP plugin where a PLG$SRP table and a PLG$SRP_VIEW view
that do not match the native Firebird 3.0 SRP plugin metadata already
exist:
Database: TEST, User: SYSDBA
SQL> Statement failed, SQLSTATE = 42S22
no operation specified
-Dynamic SQL Error
-SQL error code = -206
-Column unknown
-PLG$SRP_VIEW.PLG$USER_NAME
-At line 1, column 328
SQL>
EXPECTED RESULT
- SRP authentication should NOT be vulnerable to SQL attacks.
- No user with permission to create tables in the database could have
permission to create/edit the SRP plugin metadata (PLG$SRP table and
PLG$SRP_VIEW view).
- The SRP plugin metadata (PLG$SRP table and PLG$SRP_VIEW view) should be
considered as reserved (system objects) because the user should NOT be able to
create/edit the PLG$SRP table and the PLG$SRP_VIEW view in the database.
- The SRP is a native plugin for Firebird 3.0 and its metadata (PLG$SRP table
and PLG$SRP_VIEW view) should work like MON$, RDB$ and SEC$ tables (system
objects).
- The PLG$SRP table, the PLG$SRP_VIEW view and all its permissions should be
created automatically as reserved (system objects) when a Firebird 3.0 (ODS 12)
database is created.
STEPS TO REPRODUCE THE ISSUE
1- Make sure that the FirebirdSQL 3.0 service is NOT running:

    net stop FirebirdServerDefaultInstance

2- Run the following command to create the TEST database:

    ECHO SET SQL DIALECT 3;CREATE DATABASE 'TEST' PAGE_SIZE 8192 DEFAULT CHARACTER SET WIN1252; | "C:\Program Files\Firebird\Firebird_3_0\isql.exe" -user SYSDBA

3- Run the following command to create a PLG$SRP table and a PLG$SRP_VIEW view
that do not match the native Firebird 3.0 SRP plugin metadata:

    ECHO CREATE TABLE PLG$SRP (ID BIGINT);COMMIT;CREATE VIEW PLG$SRP_VIEW (ID) AS SELECT ID FROM PLG$SRP;COMMIT; | "C:\Program Files\Firebird\Firebird_3_0\isql.exe" -user SYSDBA "TEST"

4- Run the following command to create the SYSDBA user inside the TEST database
using the SRP plugin:

    ECHO CREATE OR ALTER USER SYSDBA SET PASSWORD 'masterkey' USING PLUGIN SRP;COMMIT; | "C:\Program Files\Firebird\Firebird_3_0\isql.exe" -user SYSDBA "TEST"
OTHER INFORMATION
- Please see the "[firebird-support] Firebird 3.0 - About PLG$SRP table and
PLG$SRP_VIEW view" discussion on [email protected].
ENVIRONMENT SETUP
firebird.conf
============================================
#SETUP
UserManager = Srp, Legacy_UserManager
WireCrypt = Enabled
databases.conf
============================================
TEST = D:\APPLICATIONS\LURONUMEN\DB\TEST.FDB
{
AuthServer = Srp
SecurityDatabase = TEST
UserManager = Srp
}
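Added example, not part of the original report or of the Firebird project's code: a read-only audit to run in isql against the database configured as SecurityDatabase. It shows who owns PLG$SRP and PLG$SRP_VIEW, whether they carry a system flag, whether the PLG$USER_NAME column named in the error above exists, and who holds privileges on them. It reads only the standard RDB$ system tables; the output column aliases are chosen here for illustration.

```sql
-- Audit 1: shape and ownership of the SRP plugin objects.
-- An object built as in step 3 of the report shows COLUMN_COUNT = 1 and
-- PLG_USER_NAME_COLUMN = 'MISSING'; an owner other than the expected
-- administrator is the other thing to look for.
SELECT
    TRIM(r.RDB$RELATION_NAME)                  AS OBJECT_NAME,
    CASE WHEN r.RDB$VIEW_BLR IS NULL
         THEN 'TABLE' ELSE 'VIEW' END          AS OBJECT_KIND,
    TRIM(r.RDB$OWNER_NAME)                     AS OWNER_NAME,
    COALESCE(r.RDB$SYSTEM_FLAG, 0)             AS SYSTEM_FLAG,
    (SELECT COUNT(*)
       FROM RDB$RELATION_FIELDS f
      WHERE f.RDB$RELATION_NAME = r.RDB$RELATION_NAME) AS COLUMN_COUNT,
    CASE WHEN EXISTS (
             SELECT 1
               FROM RDB$RELATION_FIELDS f
              WHERE f.RDB$RELATION_NAME = r.RDB$RELATION_NAME
                AND f.RDB$FIELD_NAME = 'PLG$USER_NAME')
         THEN 'present' ELSE 'MISSING' END     AS PLG_USER_NAME_COLUMN
FROM RDB$RELATIONS r
WHERE r.RDB$RELATION_NAME IN ('PLG$SRP', 'PLG$SRP_VIEW')
ORDER BY 1;

-- Audit 2: every privilege granted on those two objects, with grantor.
-- Grants to ordinary users, or grants issued by anyone other than the
-- expected administrator, deserve a closer look.
SELECT
    TRIM(p.RDB$RELATION_NAME)  AS OBJECT_NAME,
    TRIM(p.RDB$USER)           AS GRANTEE,
    TRIM(p.RDB$GRANTOR)        AS GRANTOR,
    p.RDB$PRIVILEGE            AS PRIVILEGE_CODE,  -- S/I/U/D/R
    COALESCE(p.RDB$GRANT_OPTION, 0) AS GRANT_OPTION
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$RELATION_NAME IN ('PLG$SRP', 'PLG$SRP_VIEW')
ORDER BY 1, 2, 4;
```

No rows from the first query means the SRP objects have not been created in that database yet, which is the state in which step 3 of the report succeeds.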