Recently, the SecureState Research and Innovation team found a critical flaw in the latest stable releases of Firebird SQL. Firebird SQL is an open source SQL server that is sometimes found bundled with other software packages. The vulnerability SecureState found is a remotely exploitable stack buffer overflow that can be triggered by an unauthenticated user. It occurs because the length of a group identifier field in the CNCT information sent by the client is not properly validated: 32 bytes can be written to the stack where only 4 should be allowed. The result is the overwrite of a critical pointer that is later used to read a function pointer.
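The bug class described above is a length-prefixed field copied into a fixed-size stack buffer without checking the claimed length against the buffer's capacity. The following is an added illustration written for this post, not Firebird's code: it parses a constructed, hypothetical tag/length/value record (assumed layout `[tag][len][value]`, which is not Firebird's real CNCT encoding) into a 4-byte destination and rejects both over-long values and records that claim more bytes than the packet carries. The unchecked pattern is shown only in a comment, since running it would corrupt the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed-size buffer the parser fills. The post describes
 * a 4-byte field that accepted 32 bytes; 4 is the limit that was missing. */
#define GROUP_ID_MAX 4

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,   /* record claims more bytes than the packet has */
    PARSE_TOO_LONG = 2     /* value would not fit in the destination buffer */
};

/*
 * Unchecked pattern (the defect class; deliberately NOT compiled or called):
 *
 *     uint8_t group[4];
 *     size_t len = pkt[1];
 *     memcpy(group, pkt + 2, len);   // len is attacker-controlled, no bound
 *
 * With len == 32 this writes 28 bytes past the end of `group` on the stack.
 */

/* Hardened parser: every length is validated against both the packet size
 * and the destination capacity before any byte is copied. */
enum parse_status parse_group_id(const uint8_t *pkt, size_t pkt_len,
                                 uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (pkt_len < 2)
        return PARSE_TRUNCATED;            /* need at least tag + length */

    size_t len = pkt[1];
    if (len > pkt_len - 2)
        return PARSE_TRUNCATED;            /* length runs past the packet */
    if (len > out_cap)
        return PARSE_TOO_LONG;             /* the check the flaw lacked */

    memcpy(out, pkt + 2, len);
    *out_len = len;
    return PARSE_OK;
}

/* Triage helper a defender can run over captured records: counts records
 * whose declared length exceeds the fixed buffer, i.e. inputs that would
 * have overflowed an unchecked parser. Walks the same assumed TLV layout. */
size_t count_oversized_records(const uint8_t *buf, size_t buf_len, size_t cap)
{
    size_t hits = 0, pos = 0;
    while (pos + 2 <= buf_len) {
        size_t len = buf[pos + 1];
        if (len > cap)
            hits++;
        if (len > buf_len - pos - 2)
            break;                         /* malformed tail, stop walking */
        pos += 2 + len;
    }
    return hits;
}

/* Constructed sample records (tag 0x05 chosen arbitrarily for this example). */
static const uint8_t good_pkt[] = { 0x05, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t long_pkt[] = { 0x05, 0x20,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };
static const uint8_t short_pkt[] = { 0x05, 0x08, 0x01, 0x02 };

int main(void)
{
    uint8_t group[GROUP_ID_MAX];
    size_t n = 0;
    printf("good:  %d\n", parse_group_id(good_pkt, sizeof good_pkt, group, sizeof group, &n));
    printf("long:  %d\n", parse_group_id(long_pkt, sizeof long_pkt, group, sizeof group, &n));
    printf("short: %d\n", parse_group_id(short_pkt, sizeof short_pkt, group, sizeof group, &n));
    printf("oversized in long_pkt: %zu\n",
           count_oversized_records(long_pkt, sizeof long_pkt, GROUP_ID_MAX));
    return 0;
}
```

The destination capacity is passed explicitly rather than hard-coded inside the copy, so the bound cannot silently drift apart from the buffer declaration; the packet-length check comes first because a length that exceeds the data is also an out-of-bounds read.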
As part of its vulnerability disclosure policy, SecureState contacted the Firebird development team and opened issue CORE-4058 describing the vulnerability. SecureState provided brief technical details and proof of concept code that triggers a denial of service condition to demonstrate the flaw. The Firebird development team informed SecureState that the flaw is in code that parses group identifier information, which is not used in the later logic of the application. For that reason, the vulnerable section of code was removed in the latest revision, which is currently available only in trunk. At the time of this writing, the latest stable versions are 2.1.5 and 2.5.2, both confirmed to be vulnerable. The only patched versions available are still considered unstable and do not yet have installation packages available for download.
SecureState is releasing an exploit module for this vulnerability for the popular Metasploit Framework. The module has targets for the latest version, 2.5.2, as well as several older versions, such as 2.5.1 and 2.1.5. It has been successfully tested on multiple 32-bit installations of Firebird SQL on both 32- and 64-bit versions of Windows, including Server 2008, Windows 7, and Server 2003.
Original Notice and DoS PoC