Vulnerability Note VU#247371

Borland/Inprise Interbase SQL database server contains backdoor superuser account with known password

Original Release date: 10 Jan 2001 | Last revised: 11 Jan 2001

Overview

Description

Interbase is an open source database package that is distributed by Borland/Inprise. The server contains a compiled-in backdoor account with a known password.

In the following interbase code, references are made about a LOCKSMITH user:

./jrd/dyn.e
./jrd/isc.c
./jrd/jrd.c
./jrd/pwd.c
./jrd/pwd.h
./jrd/scl.e
./jrd/scl.h
./jrd/shut.c
./jrd/tra.c
./utilities/dba_full.e

It turns out the LOCKSMITH is an entity needed to allow "authorized" interaction with the security accounts database between services. This LOCKSMITH is the user account in question compiled into the code with full-access to the security accounts database by default. The compiled-in code can be found in the jrd/pwd.h header which defines the macros in question:

#define LOCKSMITH_USER "politically"
#define LOCKSMITH_PASSWORD "correct"

While it appears the password is transmitted over the wire encrypted, since the password is hard-coded, the security afforded is negligible.

Once the LOCKSMITH account is compromised, the SYSDBA account priviledges can be used to gain control of all database objects (tables, records, fields, stroed procedures, etc). Once database access is gained, user defined functions (UDFs) can be used to implant trojan horses and programs which can be used to gain root (system) privileges on the system hosting the server.

This vulnerability was not introduced by unauthorized modifications to the original vendor's source. It was introduced by maintainers of the code within Borland. The back door account password can not be changed using normal operational commands, nor can the account be deleted from existing vulnerable servers. The best solution at this time is to upgrade vulnerable binaries and source code with fixes that are being distributed by Borland and the Firebird Project (IBPhoenix).

Impact

This backdoor allows any local user or remote user able to access port 3050/tcp [gds_db] to manipulate any database object on the system. This includes the ability to install trapdoors or other trojan horse software in the form of stored procedures. In addition, if the database software is running with root (*NIX) or System (NT) privileges, then any file on the server's file system can be overwritten, possibly leading to execution of arbitrary commands as root or System.

Solution

Install the patch being distributed to change the backdoor server account password.

Block access to port 3050/tcp; this will not, however, prevent local users or users within a firewall's adminstrative boundary from accessing the backdoor account.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
BorlandAffected23 Dec 200011 Jan 2001
IBPhoenixAffected26 Dec 200110 Jan 2001
AppleNot Affected09 Jan 200110 Jan 2001
FujitsuNot Affected09 Jan 200110 Jan 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This document was written by Jeffrey S Havrilla.

Other Information

  • CVE IDs: CAN-2001-0008
  • CERT Advisory: CA-2001-01
  • Date Public: 09 Jan 2001
  • Date First Published: 10 Jan 2001
  • Date Last Updated: 11 Jan 2001
  • Severity Metric: 10.94
  • Document Revision: 46

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.