Original release date: January 10, 2001<BR>
Last revised: January 11, 2001<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected"></A>
<H3>Systems Affected</H3>

<UL>
<LI>Borland/Inprise Interbase 4.x and 5.x</LI>
<LI>Open source Interbase 6.0 and 6.01</LI>
<LI>Open source Firebird 0.9-3 and earlier</LI>
</UL>

<A NAME="overview"></A>
<H2>Overview</H2>

<P>Interbase is an open source database package that had previously
been distributed in a closed source fashion by Borland/Inprise. Both
the open and closed source versions of the Interbase server contain
a compiled-in back door account with a known password.


<A NAME="description"></A>
<H2>I. Description</H2>

<P>Interbase is an open source database package that is distributed by
Borland/Inprise at <a
href="http://www.borland.com/interbase/">http://www.borland.com/interbase/</a>
and on <a
href="http://sourceforge.net/projects/interbase">SourceForge</a>. <a
href="http://firebird.sourceforge.net">The Firebird Project</a>, an
alternate Interbase package, is also distributed on <a
href="http://sourceforge.net/projects/firebird">SourceForge</a>. The
Interbase server for both distributions contains a compiled-in back
door account with a fixed, easily located plaintext password. The
password and account are contained in source code and binaries
previously made available at the following sites:
<BR>
<DL><DD>
<ul>
<li><a href="http://www.borland.com/interbase/">http://www.borland.com/interbase/</a></li>
<li><a href="http://sourceforge.net/projects/interbase">http://sourceforge.net/projects/interbase</a></li>
<li><a href="http://sourceforge.net/projects/firebird">http://sourceforge.net/projects/firebird</a></li>
<li><a href="http://firebird.sourceforge.net">http://firebird.sourceforge.net</a></li>
<li><a href="http://www.ibphoenix.com">http://www.ibphoenix.com</a></li>
<li><a href="http://www.interbase2000.com">http://www.interbase2000.com</a></li>
</ul>
</DD></DL>

<P>This back door allows any local user or remote user able to access
port 3050/tcp [gds_db] to manipulate any database object on the
system. This includes the ability to install trapdoors or other trojan
horse software in the form of stored procedures. In addition, if the
database software is running with root privileges, then any file on
the server's file system can be overwritten, possibly leading to
execution of arbitrary commands as root.

<P>This vulnerability was not introduced by unauthorized modifications
to the original vendor's source. It was introduced by maintainers of
the code within Borland. The back door account password cannot be
changed using normal operational commands, nor can the account be
deleted from existing vulnerable servers [see <a href="#references">References</a>].

<P>This vulnerability has been assigned the identifier CAN-2001-0008 by
the Common Vulnerabilities and Exposures (CVE) group:

<dl>
<dd><A
HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008</a>
</dd>
</dl>


<p>At the current time, the CERT/CC has not received reports of this
back door being exploited. However, due to the seriousness of this
issue, we recommend that all affected sites and redistributors of
Interbase products or services follow the recommendations in <a
href="#solution">Section III</a> as soon as possible.

<A NAME="impact"></A>
<H2>II. Impact</H2>

<P>Any local user or remote user able to access port 3050/tcp [gds_db]
can manipulate any database object on the system. This includes the
ability to install trapdoors or other trojan horse software in the
form of stored procedures. In addition, if the database software is
running with root privileges, then any file on the server's file
system can be overwritten, possibly leading to execution of arbitrary
commands as root.</P>

<A NAME="solution"></A>
<H2>III. Solution</H2>

<H4>Apply a vendor-supplied patch</H4>

<P>Both Borland and The Firebird Project on SourceForge have published
fixes for this problem. Appendix A contains information provided by
vendors supplying these fixes. We will update the appendix as we
receive more information.  If you do not see your vendor's name, the
CERT/CC did not hear from that vendor. Please contact your vendor
directly.</P>

<P>Users who are more comfortable making their own changes in source
code may find the new code available on SourceForge useful as well:
<BR>
<DL><DD>
<ul>
<li><a href="http://sourceforge.net/projects/interbase">http://sourceforge.net/projects/interbase</a></li>
<li><a href="http://sourceforge.net/projects/firebird">http://sourceforge.net/projects/firebird</a></li>
</ul>
</DD></DL>

<H4>Block access to port 3050/tcp</H4>

<P>Note, however, that blocking this port will not prevent local users
or users within a firewall's administrative boundary from accessing the
back door account. In addition, the port the Interbase server listens on
may be changed dynamically at startup.</P>
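
<P>Because the listening port may be changed at startup, a block on
3050/tcp is worth checking against the ports the server is actually
bound to. The following is an added example, not part of the original
advisory: it classifies listeners found in <code>ss -H -ltnp</code>
output. The server process names and the sample output are assumptions
constructed for illustration.</P>

```python
import ipaddress
import re

# Assumed server process names (not listed in the advisory); adjust locally.
SERVER_NAMES = {"ibserver", "gds_inet_server", "fbserver", "fb_inet_server"}
ADVISORY_PORT = 3050  # gds_db, the port the advisory says to block

# Constructed sample of `ss -H -ltnp` output, not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:3050 0.0.0.0:* users:(("ibserver",pid=1440,fd=4))
LISTEN 0 5 127.0.0.1:3051 0.0.0.0:* users:(("gds_inet_server",pid=1502,fd=4))
LISTEN 0 5 [::]:4050 [::]:* users:(("ibserver",pid=1611,fd=5))
"""

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def audit_listeners(ss_output, blocked_ports=(ADVISORY_PORT,)):
    """Classify every listening socket owned by a database server process.

    local-only     : bound to loopback; local users can still reach it
    remote-blocked : covered by the port block, but hosts inside the
                     firewall's administrative boundary can still connect
    remote-exposed : listening on a port the block does not cover
    """
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) not in SERVER_NAMES:
            continue
        addr = m.group(1).split("%")[0].strip("[]")  # drop scope and brackets
        port, proc = int(m.group(2)), m.group(3)
        if addr != "*" and ipaddress.ip_address(addr).is_loopback:
            status = "local-only"
        elif port in blocked_ports:
            status = "remote-blocked"
        else:
            status = "remote-exposed"
        findings.append((proc, addr, port, status))
    return findings


if __name__ == "__main__":
    for proc, addr, port, status in audit_listeners(SAMPLE_SS):
        print(f"{proc:16} {addr}:{port:<6} {status}")
```

<P>None of the three states removes the back door; only the vendor
fixes do. The classification shows where a port block leaves the
account reachable.</P>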

<A NAME="vendors"></A>
<H2>Appendix A. Vendor Information</H2>

<A NAME="borland"></a>
<H4>Borland</H4>

<P>Please see:

<DL><DD>
<ul>
<li><a href="http://www.borland.com/interbase/downloads/patches.html">http://www.borland.com/interbase/downloads/patches.html</a></li>
</ul>
</DD></DL>

<!-- end vendor -->



<A NAME="ibphoenix"></a>
<H4>IBPhoenix</H4>

<P>The Firebird project uncovered serious security problems
with InterBase.  The problems are fixed in Firebird build
0.9.4 for all platforms.  If you are running either InterBase
V6 or Firebird 0.9.3, you should upgrade to Firebird 0.9.4.

<P>These security holes affect all versions of InterBase shipped
since 1994, on all platforms.

<P>For those who can not upgrade, Jim Starkey developed a patch
program that will correct the more serious problems in any
version of InterBase on any platform.  IBPhoenix chose to
release the program without charge, given the nature of the
problem and our relationship to the community.

<P>At the moment, name service is not set up to the machine
that is hosting the patch, so you will have to use the IP
number both for the initial contact and for the ftp download.

<P>To start, point your browser at 
<BR>

<dl>
<dd><A
HREF="http://firebird.ibphoenix.com/">http://firebird.ibphoenix.com/</a>
</dd>
</dl>


<!-- end vendor -->

<A NAME="apple"></A>
<H4>Apple</H4>

<P>The referenced database package is not packaged with Mac OS X or
Mac OS X Server.


<!-- end vendor -->

<a name="fujitsu"></a>
<H4>Fujitsu</H4>

<P>Fujitsu's UXP/V operating system is not
affected by this problem because we don't support the relevant
database.

<!-- end vendor -->

<a name="ibm"></a>
<H4>IBM</H4>

<P>IBM's AIX operating system does not incorporate the
Borland Interbase server software.


<!-- end vendor -->



<a name="references"></a>
<H2>References</H2>
<ol>
<A NAME=Ref1></a>
<li><i>VU#247371: Borland/Inprise Interbase SQL database server contains backdoor superuser account with known password</i>, CERT/CC, 01/10/2001, <a href="https://www.kb.cert.org/vuls/id/247371">https://www.kb.cert.org/vuls/id/247371</a></li>
</ol>


<HR NOSHADE>

<P>Author: This document was written by Jeffrey S Havrilla. 
<A HREF="mailto:cert@cert.org?subject=CA-2001-01%20Feedback%20VU%23247371">
Feedback</A> on this advisory is appreciated.



<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
January 10, 2001:  Initial release
January 11, 2001:  Changed Borland's link to direct one for patches
January 11, 2001:  Added vendor responses for IBM
</PRE>