Subject Re: [IB-Architect] Security holes...
Author Jan Mikkelsen
[Phil Shrimpton wrote on firewalls and database aliases]

While using aliases instead of absolute paths to reference databases
definitely helps, it certainly doesn't give you a secure machine. To attack
an Interbase, port 3050 access is exactly what you are after. Then all you
need is a buffer overflow in Interbase itself or a UDF, and off you go.
I've seen things which could be exploitable (although I didn't really check)
in isc_start_transaction(), and I'm sure there are other bugs. And UDFs
just make life more fun.

A firewall doesn't help much in this case if it just allows the traffic
through. An application level firewall for Interbase has been suggested,
and that is much more likely to be secure. But first, the Interbase
protocol needs to be documented. When do we see the source code again? (I
know, I know, I'll be patient) :-)

Note also that the objective of an attack is unlikely to be reading a
database; it is much more likely to be running some arbitrary code on your
machine in a privileged process. On NT, for example, the default
installation runs Interbase under the LocalSystem account, which makes it a
nice attack target. isc4.gdb, by default, is world readable. An attacker
could break a non-privileged account, use it to read isc4.gdb, brute force
the passwords on another machine, login to Interbase, and use an Interbase
buffer overflow to execute arbitrary code. I assume passwords are
transmitted over the wire in the clear, so they could also be sniffed,
avoiding the whole "get a copy of isc4.gdb" thing.

Of course, if there are security holes in Interbase before the login takes
place no password is required, and the task is simpler still.

Jan Mikkelsen
janm@...
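The attack chain Jan sketches (copy a world-readable credential store, crack it offline on another machine, log in with the result) is worth seeing end to end. The following is an added example, not code from the post or from InterBase: the real isc4.gdb is a binary database whose hash format is not described above, so it uses a constructed text store of `user:hash` lines with unsalted SHA-256 as a stand-in scheme. The user names, passwords and wordlist are constructed sample data. The permission check is the real point of the "world readable" complaint: if the other-read bit is set, every local account can copy the file and the cracking then costs the attacker nothing on the target.

```python
"""
Offline dictionary attack against a leaked credential store, plus the
permission check that decides whether the store can leak in the first place.

Added example (not from the original mailing-list post).
ASSUMPTION: the real isc4.gdb hash format is not on the page, so this uses
a constructed text store of "user:hash" lines with unsalted SHA-256 as a
stand-in hashing scheme. Names, passwords and wordlist are constructed.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, Iterable


def _h(plaintext: str) -> str:
    """Stand-in hash (unsalted SHA-256); see module docstring."""
    return hashlib.sha256(plaintext.encode()).hexdigest()


# Constructed sample: what the attacker holds after copying the file.
SAMPLE_STORE = "\n".join([
    "SYSDBA:" + _h("masterkey"),
    "app:" + _h("Summer2000"),
    "backup:" + _h("correct horse battery staple"),
])

# Constructed wordlist; a real one would be millions of entries.
WORDLIST = ["password", "masterkey", "Summer2000", "letmein"]


def is_world_readable_mode(mode: int) -> bool:
    """True if the 'other' read bit is set (any local account can copy it)."""
    return bool(mode & stat.S_IROTH)


def file_is_world_readable(path: str) -> bool:
    """Check the on-disk mode of a credential store (POSIX semantics)."""
    return is_world_readable_mode(os.stat(path).st_mode)


def parse_store(text: str) -> Dict[str, str]:
    """Parse 'user:hash' lines into {user: hash}; blank lines are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _, digest = line.partition(":")
        users[user] = digest
    return users


def crack(users: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """
    Offline dictionary attack. With an unsalted scheme each candidate is
    hashed once and compared against every user, so the cost is
    len(wordlist) hashes regardless of how many accounts leaked.
    A salted scheme would force len(wordlist) * len(users) hashes instead.
    Returns {user: recovered_password} for every account that fell.
    """
    lookup = {_h(candidate): candidate for candidate in wordlist}
    return {user: lookup[digest] for user, digest in users.items()
            if digest in lookup}


if __name__ == "__main__":
    # Write the sample store to disk with the default-ish mode 0644 and
    # show that the permission check flags it, then crack it offline.
    tmp = tempfile.NamedTemporaryFile("w", delete=False)
    tmp.write(SAMPLE_STORE)
    tmp.close()
    os.chmod(tmp.name, 0o644)
    print("world readable:", file_is_world_readable(tmp.name))
    os.chmod(tmp.name, 0o600)
    print("after chmod 600:", file_is_world_readable(tmp.name))
    print("recovered:", crack(parse_store(open(tmp.name).read()), WORDLIST))
    os.unlink(tmp.name)
```

The `backup` account survives only because its passphrase is not in the wordlist; the two accounts with guessable passwords fall without the attacker ever touching port 3050, which is exactly why the file mode matters more than the firewall here.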