FreeBSD-SA-01:26 Security Advisory - Interbase

by phiber on March 13th, 2001

The interbase software contains a remote backdoor account, which was apparently introduced by the vendor in 1992. The interbase source code has recently been released and is the basis for a derivative project called firebird, who are credited with discovering the vulnerability.

The backdoor account has full read and write access to databases stored on the server, and also gives the ability to write to arbitrary files on the server as the user running the interbase server (usually user root). Remote attackers may connect to the database on TCP port 3050.





The interbase port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.



FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.



Impact


Remote users who can connect to the interbase database server can
obtain full access to all databases using a backdoor account built
into the server itself. This account cannot be disabled.



If you have not chosen to install the interbase port/package, then
your system is not vulnerable to this problem.
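
To check whether a host actually exposes the service described above, the following added example (not part of the advisory) scans listening-socket output for TCP port 3050 and reports whether each listener is reachable beyond loopback and whether it runs as root. The input layout follows FreeBSD `sockstat -4l`; the sample lines, user names and process names are constructed for illustration.

```shell
#!/bin/sh
# Audit listening sockets for the interbase port named in the advisory.
# Input columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Output per listener on the port: "<exposure> <owner> <command> <local>"
# Live use (assumes sockstat is available): sockstat -4l | audit_interbase_port

IB_PORT=3050   # TCP port given in the advisory

audit_interbase_port() {
    awk -v port="$IB_PORT" '
        NR == 1 && $1 == "USER" { next }      # skip the header row
        $5 !~ /^tcp/ { next }                 # the advisory concerns TCP only
        {
            n = split($6, a, ":")             # local address is addr:port
            if (a[n] != port) next
            addr = substr($6, 1, length($6) - length(a[n]) - 1)
            # A loopback-only bind is not reachable from other hosts.
            exposure = (addr ~ /^127\./) ? "LOCAL" : "REMOTE"
            # File writes happen as the server user, so flag root separately.
            owner = ($1 == "root") ? "root" : "nonroot"
            # Match on the port, not the command: the listener name can vary.
            print exposure, owner, $2, $6
        }'
}

# Constructed sample input; not captured from a real system.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       201   3  tcp4   *:22                  *:*
root     inetd      187   5  tcp4   *:3050                *:*
www      httpd      412   16 tcp4   192.0.2.10:80         *:*
firebird ibserver   530   4  tcp4   127.0.0.1:3050        *:*
root     named      150   20 udp4   *:53                  *:*
EOF
}

sample_sockstat | audit_interbase_port
```

A `REMOTE root` line is the worst case the advisory describes: the backdoor account is reachable over the network and file writes occur as root.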



Solution

The FreeBSD port of interbase is not provided by Borland -- it is
provided in binary form from Rios Corporation -- and there does not
appear to be a patch available for the security vulnerability.
Therefore there is currently no complete solution to this security
vulnerability; see the previous section for possible workarounds.



Download this advisory or visit FreeBSD.org for more information.

