Firebird SQL op_connect_request DoS (Aug 20, 2009)

Firebird is a relational database offering many ANSI SQL standard features that runs on Linux, Windows, and a variety of Unix platforms. It can be run under three different architectures: Classic Server, Embedded Server, and Superserver. In typical client/server environments Firebird runs as either Classic Server or Superserver. In Classic Server mode, Firebird creates a separate process for every client connection, each with its own cache. Alternatively, in Superserver mode, Firebird runs as a single process that serves all connections and uses threads to handle requests.

The Firebird database server listens on port TCP/3050. All messages exchanged over this port follow the XDR (External Data Representation) specification, which defines a common data representation format for remote procedure calls. The general message layout is as below:

Offset  Type      Size  Description
------  --------  ----  -----------
0x0000  xdr_long  4     opcode
0x0004  data      n     depends on the opcode

The content and length of the data field depend on the opcode. It has been observed that the opcode called op_connect_request (0x00000035) has the following structure:

Offset  Type       Size  Description
------  ---------  ----  -----------
0x0000  xdr_long   4     opcode 0x35
0x0004  xdr_short  2     p_req_type
0x0006  xdr_short  2     p_req_object
0x0008  xdr_long   4     p_req_partner

A denial of service vulnerability exists in the Firebird database server when running in Superserver mode. Specifically, the vulnerability is due to an exception handling error when processing op_connect_request (0x35) messages with an overly long data section. An attacker can exploit this issue by sending an op_connect_request message with an overly large data section, causing a denial of service of the Firebird database server. The affected service must be manually restarted.
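The following is an added example, not code from the SonicWALL advisory or from the Firebird project, showing how a defender might implement the detection logic described above: parse the 4-byte opcode header, and for op_connect_request (0x35) compare the length of the data section against the 8 bytes the table above accounts for (p_req_type, p_req_object, p_req_partner). The field widths follow the advisory's table as printed; the `MAX_CONNECT_REQUEST_DATA` threshold and the sample byte strings are constructed for this example and are not taken from the page or from real traffic.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Opcode and field layout as given in the advisory's tables.
OP_CONNECT_REQUEST = 0x35
HEADER_LEN = 4                       # xdr_long opcode
CONNECT_REQUEST_DATA_LEN = 8         # p_req_type(2) + p_req_object(2) + p_req_partner(4)

# Assumed detection threshold (not from the advisory): any op_connect_request whose
# data section is longer than the documented 8 bytes is treated as anomalous.
MAX_CONNECT_REQUEST_DATA = CONNECT_REQUEST_DATA_LEN


@dataclass
class FirebirdMessage:
    opcode: int
    data: bytes
    req_type: Optional[int] = None
    req_object: Optional[int] = None
    req_partner: Optional[int] = None


def parse_message(raw: bytes) -> FirebirdMessage:
    """Split a raw message into opcode and data; decode the op_connect_request fields if present."""
    if len(raw) < HEADER_LEN:
        raise ValueError("message shorter than the 4-byte opcode header")
    (opcode,) = struct.unpack(">I", raw[:HEADER_LEN])      # XDR integers are big-endian
    data = raw[HEADER_LEN:]
    msg = FirebirdMessage(opcode=opcode, data=data)
    if opcode == OP_CONNECT_REQUEST and len(data) >= CONNECT_REQUEST_DATA_LEN:
        # Widths (2, 2, 4) follow the advisory's table for op_connect_request.
        msg.req_type, msg.req_object, msg.req_partner = struct.unpack(
            ">HHI", data[:CONNECT_REQUEST_DATA_LEN]
        )
    return msg


def is_oversized_connect_request(msg: FirebirdMessage,
                                 max_data_len: int = MAX_CONNECT_REQUEST_DATA) -> bool:
    """Detection rule: op_connect_request carrying more data than its defined fields."""
    return msg.opcode == OP_CONNECT_REQUEST and len(msg.data) > max_data_len


def scan(messages: List[bytes]) -> List[str]:
    """Return one verdict string per message, suitable for a log or alert pipeline."""
    verdicts = []
    for raw in messages:
        try:
            msg = parse_message(raw)
        except ValueError as exc:
            verdicts.append(f"malformed: {exc}")
            continue
        if is_oversized_connect_request(msg):
            verdicts.append(
                f"ALERT op_connect_request data_len={len(msg.data)} "
                f"(expected {CONNECT_REQUEST_DATA_LEN})"
            )
        else:
            verdicts.append(f"ok opcode=0x{msg.opcode:02x} data_len={len(msg.data)}")
    return verdicts


# Constructed sample messages (not captured traffic).
SAMPLE_NORMAL = struct.pack(">IHHI", OP_CONNECT_REQUEST, 1, 2, 3)   # exactly the documented 8 data bytes
SAMPLE_OVERSIZED = SAMPLE_NORMAL + b"\x00" * 64                     # 72 data bytes: should alert
SAMPLE_OTHER_OPCODE = struct.pack(">I", 0x01) + b"\x00" * 100       # long, but not op_connect_request

if __name__ == "__main__":
    for line in scan([SAMPLE_NORMAL, SAMPLE_OVERSIZED, SAMPLE_OTHER_OPCODE, b"\x00"]):
        print(line)
```

The rule deliberately keys on the opcode before looking at the length, so unrelated long messages (other opcodes legitimately carry variable-length data, per the first table) do not trigger it; the length threshold is a parameter so it can be tuned if a deployment observes legitimate trailing bytes.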

The SonicWALL UTM research team has released an IPS signature that detects and blocks generic attack attempts targeting this issue. The IPS signature is listed below:

  • 4252 Firebird SQL op_connect_request DoS

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-2620.