-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door Account

   Original release date: January 10, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Borland/Inprise Interbase 4.x and 5.x
     * Open source Interbase 6.0 and 6.01
     * Open source Firebird 0.9-3 and earlier

Overview

   Interbase is an open source database package that had previously been distributed in a closed source fashion by Borland/Inprise. Both the open and closed source versions of the Interbase server contain a compiled-in back door account with a known password.

I. Description

   Interbase is an open source database package that is distributed by Borland/Inprise at http://www.borland.com/interbase/ and on SourceForge. The Firebird Project, an alternate Interbase package, is also distributed on SourceForge. The Interbase server for both distributions contains a compiled-in back door account with a fixed, easily located plaintext password. The password and account are contained in source code and binaries previously made available at the following sites:

          http://www.borland.com/interbase/
          http://sourceforge.net/projects/interbase
          http://sourceforge.net/projects/firebird
          http://firebird.sourceforge.net
          http://www.ibphoenix.com
          http://www.interbase2000.com

   This back door allows any local user or remote user able to access port 3050/tcp [gds_db] to manipulate any database object on the system. This includes the ability to install trapdoors or other trojan horse software in the form of stored procedures. In addition, if the database software is running with root privileges, then any file on the server's file system can be overwritten, possibly leading to execution of arbitrary commands as root.

   This vulnerability was not introduced by unauthorized modifications to the original vendor's source. It was introduced by maintainers of the code within Borland.

   The back door account password cannot be changed using normal operational commands, nor can the account be deleted from existing vulnerable servers [see References].

   This vulnerability has been assigned the identifier CAN-2001-0008 by the Common Vulnerabilities and Exposures (CVE) group:

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008

   The CERT/CC has not received reports of this back door being exploited at the current time. We do recommend, however, that all affected sites and redistributors of Interbase products or services follow the recommendations suggested in Section III, as soon as possible due to the seriousness of this issue.

II. Impact

   Any local user or remote user able to access port 3050/tcp [gds_db] can manipulate any database object on the system. This includes the ability to install trapdoors or other trojan horse software in the form of stored procedures. In addition, if the database software is running with root privileges, then any file on the server's file system can be overwritten, possibly leading to execution of arbitrary commands as root.

III. Solution

Apply a vendor-supplied patch

   Both Borland and The Firebird Project on SourceForge have published fixes for this problem. Appendix A contains information provided by vendors supplying these fixes. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

   Users who are more comfortable making their own changes in source code may find the new code available on SourceForge useful as well:

          http://sourceforge.net/projects/interbase
          http://sourceforge.net/projects/firebird

Block access to port 3050/tcp

   This will not, however, prevent local users or users within a firewall's administrative boundary from accessing the back door account. In addition, the port the Interbase server listens on may be changed dynamically at startup.

Appendix A. Vendor Information

Borland

   Please see:

          http://www.borland.com/interbase/

IBPhoenix

   The Firebird project uncovered serious security problems with InterBase. The problems are fixed in Firebird build 0.9.4 for all platforms. If you are running either InterBase V6 or Firebird 0.9.3, you should upgrade to Firebird 0.9.4.

   These security holes affect all versions of InterBase shipped since 1994, on all platforms.

   For those who can not upgrade, Jim Starkey developed a patch program that will correct the more serious problems in any version of InterBase on any platform. IBPhoenix chose to release the program without charge, given the nature of the problem and our relationship to the community.

   At the moment, name service is not set up to the machine that is hosting the patch, so you will have to use the IP number both for the initial contact and for the ftp download.

   To start, point your browser at

          http://firebird.ibphoenix.com/

Apple

   The referenced database package is not packaged with Mac OS X or Mac OS X Server.

Fujitsu

   Fujitsu's UXP/V operating system is not affected by this problem because we don't support the relevant database.

References

    1. VU#247371: Borland/Inprise Interbase SQL database server contains backdoor superuser account with known password CERT/CC, 01/10/2001, https://www.kb.cert.org/vuls/id/247371
   _________________________________________________________________

   Author: This document was written by Jeffrey S Havrilla. Feedback on this advisory is appreciated.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-01.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

   CERT publications and other security information are available from our web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
   _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History

   January 10, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBOly/sgYcfu8gsZJZAQF2jwQAiZALQ7P5oxNhWnCGJRMfETtW44WXsXYP
S+38L9onECW7oYXx/m1H1T0dsiy0H2nR7XnE4slFKDSjvdbWu51bqnyx816DzVBL
8OC8eiIErAWDjPvyHbX7DK8kEPQyvjKdcONQjAeN+27PzCPQzU4xeT9TE5xl1bw+
EC5k1VaYL1A=
=CfIC
-----END PGP SIGNATURE-----
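
Added example (not part of the CERT advisory and not vendor code): Section III notes that blocking 3050/tcp does not protect against local users and that the server's port may be changed at startup, so this host-side audit flags listeners by port and by process name, and reports loopback-only binds as findings too. It assumes Linux `ss -H -ltnp` output as input; the server binary names in SERVER_NAMES are assumptions to adjust per site, and the sample output is constructed.

```python
import re

# Assumed server binary names (not taken from the advisory); adjust per site.
SERVER_NAMES = {"ibserver", "gds_inet_server", "fbserver", "fb_inet_server"}
DEFAULT_PORT = 3050  # gds_db, the port named in the advisory
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `ss -H -ltnp` output, not captured from a real host.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 5 0.0.0.0:3050 0.0.0.0:* users:(("ibserver",pid=1402,fd=4))
LISTEN 0 5 127.0.0.1:3050 0.0.0.0:* users:(("xinetd",pid=950,fd=6))
LISTEN 0 5 [::]:3060 [::]:* users:(("ibserver",pid=1733,fd=4))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
"""

def split_addr(local):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)

def audit(ss_output):
    """Return one finding per listener that matches by port or process name."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_addr(fields[3])
        procs = set(re.findall(r'\("([^"]+)"', line))
        by_port = port == DEFAULT_PORT
        by_name = bool(procs & SERVER_NAMES)  # catches a non-default port
        if not (by_port or by_name):
            continue
        matched = "port+name" if by_port and by_name else "port" if by_port else "name"
        findings.append({
            "bind": fields[3],
            "process": ",".join(sorted(procs)) or "?",
            "matched": matched,
            # A loopback bind is still reachable by local users, so it is
            # reported rather than skipped.
            "scope": "local-only" if host in LOOPBACK else "network",
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "network" finding means a perimeter filter is the only barrier; a "local-only" finding still leaves the account reachable by every local user until the vendor fix is applied.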