> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of TSRT@xxxxxxxx
> Sent: Wednesday, July 25, 2007 12:44 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx;
> bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx;
> vulndiscuss@xxxxxxxxxxxxx
> Subject: [Full-disclosure] TPTI-07-13: Borland Interbase
> ibserver.exe Create-Request Buffer Overflow Vulnerability
>
> TPTI-07-13: Borland Interbase ibserver.exe Create-Request Buffer
> Overflow Vulnerability
> http://dvlabs.tippingpoint.com/advisory/TPTI-07-13
> http://dvlabs.tippingpoint.com/blog/1024/Step-by-Step-of-Discovery
>
> July 24, 2007
>
> -- CVE ID:
> CVE-2007-3566
>
> -- Affected Vendor:
> Borland
>
> -- Affected Products:
> Borland InterBase 2007
>
> -- TippingPoint(TM) IPS Customer Protection:
> TippingPoint IPS customers have been protected against this
> vulnerability since February 1, 2007 by Digital Vaccine protection
> filter ID 5066. For further product information on the
> TippingPoint IPS:
>
> http://www.tippingpoint.com
>
> -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of Borland Interbase. Authentication is not
> required to exploit this vulnerability.
>
> The specific flaw exists within the database service, ibserver.exe,
> which binds to TCP port 3050. The service receives socket data in the
> following format:
>
> [4-byte request][request arguments][data]
>
> A vulnerability exists in Interbase when specifying a "create" request
> (0x14). The request is broken down as such:
>
> [0x00000014][4-byte id][4-byte size][data]
>
> The vulnerability exists during an inline string copy operation.
>
> 0x0043A0C5 mov ecx, [ebp+var_8D8]
> 0x0043A0CB and ecx, 0FFFFh
> 0x0043A0D1 mov esi, [ebp+arg_8]
> 0x0043A0D4 mov edi, [ebp+var_1C]
> 0x0043A0D7 mov eax, ecx
> 0x0043A0D9 shr ecx, 2
> 0x0043A0DC rep movsd
>
> Where ecx is our 4-byte size, esi is our data, and edi a stack pointer.
> When a large value is specified in the size, the associated data is
> copied to the stack resulting in a classic overflow. With enough data
> the SEH pointer can be compromised and arbitrary code execution is
> trivial.
>
> -- Vendor Response:
> Borland has released InterBase 2007 SP2 which addresses this
> vulnerability. More details can be found at:
>
> http://www.codegear.com/downloads/regusers/interbase
>
>
> -- Disclosure Timeline:
> 2007.01.31 - Vulnerability reported to vendor
> 2007.02.01 - Digital Vaccine released to TippingPoint customers
> 2007.07.24 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by Cody Pierce, TippingPoint DVLabs.
>
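The quoted advisory describes the create request as [0x00000014][4-byte id][4-byte size][data] and shows the service copying `size` bytes (masked to 16 bits) onto the stack with no bounds check. The following is an added example, not code from the advisory or from Borland, of how a receiver should validate that header before copying: it assumes a little-endian wire encoding and a hypothetical 256-byte destination capacity, neither of which the advisory states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OP_CREATE      0x14u
#define CREATE_BUF_MAX 256u   /* hypothetical capacity of the copy target (not from the advisory) */

/* Little-endian field accessors; byte order on the wire is an assumption. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

typedef struct { uint32_t op, id, size; const uint8_t *data; size_t data_len; } create_req;

/* Parse the [op][id][size][data] layout; returns 0 on a short or non-create packet. */
int parse_create(const uint8_t *pkt, size_t len, create_req *out) {
    if (len < 12) return 0;
    out->op = rd32(pkt); out->id = rd32(pkt + 4); out->size = rd32(pkt + 8);
    if (out->op != OP_CREATE) return 0;
    out->data = pkt + 12; out->data_len = len - 12;
    return 1;
}

/* Hardened handler. The disassembly masks the size with 0xFFFF and then copies
   that many bytes; the two comparisons below are the checks the original lacks:
   the declared size must fit the destination and must be backed by bytes that
   actually arrived. Returns bytes copied, or -1 when the request is rejected. */
int handle_create_checked(const uint8_t *pkt, size_t len, uint8_t *dst, size_t dst_cap) {
    create_req r;
    if (!parse_create(pkt, len, &r)) return -1;
    size_t n = r.size & 0xFFFFu;
    if (n > dst_cap || n > r.data_len) return -1;
    memcpy(dst, r.data, n);
    return (int)n;
}

/* Builds a constructed create request with the given declared size and payload
   length and runs it through the checked handler with a 256-byte destination. */
int demo_create(uint32_t declared_size, size_t payload_len) {
    uint8_t pkt[12 + 1024], dst[CREATE_BUF_MAX];
    if (payload_len > 1024) return -2;
    wr32(pkt, OP_CREATE); wr32(pkt + 4, 1); wr32(pkt + 8, declared_size);
    memset(pkt + 12, 'A', payload_len);               /* constructed filler payload */
    return handle_create_checked(pkt, 12 + payload_len, dst, sizeof dst);
}

int main(void) {
    printf("size 5/5 bytes: %d, size 0xFFFF/5 bytes: %d, size 300/300 bytes: %d\n",
           demo_create(5, 5), demo_create(0xFFFF, 5), demo_create(300, 300));
    return 0;
}
```

The same size-versus-received-length comparison works as a passive detection rule on port 3050 traffic: a create request whose declared size exceeds the bytes that follow it is malformed regardless of the server's buffer size.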