The message here is for all those who think closed source is better at security than open source - it was in the (closed) code for some time, but became apparent when the code was open-sourced. With enough eyes, all bugs (and security holes) are shallow.

jeff

"Anthony J. Gabrielson" <[EMAIL PROTECTED]>
>
> CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door
> Account
>
> Original release date: January 10, 2001
> Last revised: --
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
> Systems Affected
>
> * Borland/Inprise Interbase 4.x and 5.x
> * Open source Interbase 6.0 and 6.01
> * Open source Firebird 0.9-3 and earlier
>
> Overview
>
> Interbase is an open source database package that had previously been
> distributed in a closed source fashion by Borland/Inprise. Both the
> open and closed source versions of the Interbase server contain a
> compiled-in back door account with a known password.
>
> I. Description
>
> Interbase is an open source database package that is distributed by
> Borland/Inprise at http://www.borland.com/interbase/ and on
> SourceForge. The Firebird Project, an alternate Interbase package, is
> also distributed on SourceForge. The Interbase server for both
> distributions contains a compiled-in back door account with a fixed,
> easily located plaintext password. The password and account are
> contained in source code and binaries previously made available at the
> following sites:
>
> http://www.borland.com/interbase/
> http://sourceforge.net/projects/interbase
> http://sourceforge.net/projects/firebird
> http://firebird.sourceforge.net
> http://www.ibphoenix.com
> http://www.interbase2000.com
>
> This back door allows any local user or remote user able to access
> port 3050/tcp [gds_db] to manipulate any database object on the
> system. This includes the ability to install trapdoors or other trojan
> horse software in the form of stored procedures.
> In addition, if the database software is running with root privileges,
> then any file on the server's file system can be overwritten, possibly
> leading to execution of arbitrary commands as root.
>
> This vulnerability was not introduced by unauthorized modifications to
> the original vendor's source. It was introduced by maintainers of the
> code within Borland. The back door account password cannot be changed
> using normal operational commands, nor can the account be deleted from
> existing vulnerable servers [see References].
>
> This vulnerability has been assigned the identifier CAN-2001-0008 by
> the Common Vulnerabilities and Exposures (CVE) group:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008
>
> The CERT/CC has not received reports of this back door being exploited
> at the current time. We do recommend, however, that all affected sites
> and redistributors of Interbase products or services follow the
> recommendations suggested in Section III, as soon as possible due to
> the seriousness of this issue.
>
> II. Impact
>
> Any local user or remote user able to access port 3050/tcp [gds_db]
> can manipulate any database object on the system. This includes the
> ability to install trapdoors or other trojan horse software in the
> form of stored procedures. In addition, if the database software is
> running with root privileges, then any file on the server's file
> system can be overwritten, possibly leading to execution of arbitrary
> commands as root.
>
> III. Solution
>
> Apply a vendor-supplied patch
>
> Both Borland and The Firebird Project on SourceForge have published
> fixes for this problem. Appendix A contains information provided by
> vendors supplying these fixes. We will update the appendix as we
> receive more information. If you do not see your vendor's name, the
> CERT/CC did not hear from that vendor. Please contact your vendor
> directly.
>
> Users who are more comfortable making their own changes in source code
> may find the new code available on SourceForge useful as well:
>
> http://sourceforge.net/projects/interbase
> http://sourceforge.net/projects/firebird
>
> Block access to port 3050/tcp
>
> This will not, however, prevent local users or users within a
> firewall's administrative boundary from accessing the back door
> account. In addition, the port the Interbase server listens on may be
> changed dynamically at startup.
>
> Appendix A. Vendor Information
>
> Borland
>
> Please see:
>
> http://www.borland.com/interbase/
>
> IBPhoenix
>
> The Firebird project uncovered serious security problems with
> InterBase. The problems are fixed in Firebird build 0.9.4 for all
> platforms. If you are running either InterBase V6 or Firebird 0.9.3,
> you should upgrade to Firebird 0.9.4.
>
> These security holes affect all versions of InterBase shipped since
> 1994, on all platforms.
>
> For those who can not upgrade, Jim Starkey developed a patch program
> that will correct the more serious problems in any version of
> InterBase on any platform. IBPhoenix chose to release the program
> without charge, given the nature of the problem and our relationship
> to the community.
>
> At the moment, name service is not set up to the machine that is
> hosting the patch, so you will have to use the IP number both for the
> initial contact and for the ftp download.
>
> To start, point your browser at
>
> http://firebird.ibphoenix.com/
>
> Apple
>
> The referenced database package is not packaged with Mac OS X or Mac
> OS X Server.
>
> Fujitsu
>
> Fujitsu's UXP/V operating system is not affected by this problem
> because we don't support the relevant database.
>
> References
>
> 1. VU#247371: Borland/Inprise Interbase SQL database server contains
>    backdoor superuser account with known password CERT/CC,
>    01/10/2001, https://www.kb.cert.org/vuls/id/247371
> _________________________________________________________________
>
> Author: This document was written by Jeffrey S Havrilla. Feedback on
> this advisory is appreciated.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2001-01.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: [EMAIL PROTECTED]
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to [EMAIL PROTECTED] Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis.
> Carnegie Mellon University makes no warranties of any kind, either
> expressed or implied as to any matter including, but not limited to,
> warranty of fitness for a particular purpose or merchantability,
> exclusivity or results obtained from use of the material. Carnegie
> Mellon University does not make any warranty of any kind with respect
> to freedom from patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2001 Carnegie Mellon University.
>
> Revision History
> January 10, 2001: Initial release
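
An added example, not part of the original message or the CERT advisory: a local exposure check for the "Block access to port 3050/tcp" guidance, which parses a Linux `/proc/net/tcp` table and reports who can reach a listener on that port. The sample table is constructed, the function names are hypothetical, and because the advisory notes the port may be changed at startup, the port is a parameter.

```python
import socket
import struct

GDS_DB_PORT = 3050   # 3050/tcp [gds_db], the port named in the advisory
TCP_LISTEN = 0x0A    # LISTEN state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (little-endian host), not real data.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0BEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202 1
   2: 0A00000A:0BEA 1400000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1203 1
   3: 0100007F:0BEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   501        0 1204 1
"""

def parse_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' as the kernel writes it on a little-endian host."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)

def listeners(table, port=GDS_DB_PORT):
    """Return (address, owner_uid, off_host_reachable) per LISTEN socket on port."""
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 8 or int(cols[3], 16) != TCP_LISTEN:
            continue                             # ignore non-listening sockets
        addr, local_port = parse_endpoint(cols[1])
        if local_port == port:
            found.append((addr, int(cols[7]), not addr.startswith("127.")))
    return found

def findings(table, port=GDS_DB_PORT):
    """Turn listeners into notes that follow the advisory's impact statements."""
    notes = []
    for addr, uid, off_host in listeners(table, port):
        scope = "remote and local users" if off_host else "local users only"
        note = f"{addr}:{port} reachable by {scope}"
        if uid == 0:
            note += "; owned by root, so file overwrite as root applies"
        notes.append(note)
    return notes

if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for note in findings(SAMPLE):
        print(note)
```

A loopback-only listener still counts as a finding, since the advisory states that blocking the port does not stop local users. IPv6 listeners (`/proc/net/tcp6`) are not covered by this parser.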