CVE-2007-3566
Published: 2007-07-26
Priority: P267 · CVSS 2.0 base score 7.5 (high) · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 66.08% (99.2nd percentile)
Stack-based buffer overflow in the database service (ibserver.exe) in Borland InterBase 2007 before SP2 allows remote attackers to execute arbitrary code via a long size value in a create request to port 3050/tcp.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| borland_software | interbase | — | — |
Detection & IOCs (extracted from sources)
Bytes: \x00\x00\x00\x14\x00\x00\x00\x13
- Detect exploit attempts by monitoring for TCP connections to port 3050 containing the magic packet header bytes \x00\x00\x00\x14\x00\x00\x00\x13 followed by an anomalously large payload (>1266 bytes of alphanumeric data).
- Alert on unusually large create-request packets sent to ibserver.exe on port 3050/tcp; the exploit appends ~40000 bytes of padding after the payload.
- The exploit uses AlphanumUpper-encoded shellcode with a stack-adjustment prepend encoder (\x81\xc4\xff\xef\xff\xff\x44); look for this byte sequence in payloads destined for port 3050.
- Monitor ibserver.exe for unexpected child process creation or thread injection, as the exploit uses EXITFUNC=thread to maintain stability after exploitation.
- The RET address (0x1002e556 in sanctuarylib.dll) and buffer offset (1266 bytes) are specific to Windows 2000 English All with Borland InterBase 2007; exploitation against other OS versions or patch levels will require different values.
- The vulnerability is patched in Borland InterBase 2007 SP2 and later; detection rules targeting ibserver.exe should be scoped to pre-SP2 deployments.
- The payload space is limited to 850 bytes and null bytes (\x00) are bad characters, constraining the shellcode that can be delivered.
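The network indicators above, turned into a small detection check that can be run over captured client-to-server payloads. This is an added example, not code from the page's sources or from the Metasploit module; the 16384-byte size threshold and the sample flows are assumptions made here.

```python
import re

IB_PORT = 3050
# Create-request header bytes listed in the IOCs above.
IB_MAGIC = b"\x00\x00\x00\x14\x00\x00\x00\x13"
# Stack-adjustment prepend bytes listed in the IOCs above.
STACK_ADJUST = b"\x81\xc4\xff\xef\xff\xff\x44"
# Buffer offset from the IOCs; an alphanumeric run longer than this is anomalous.
ALNUM_LIMIT = 1266
ALNUM_RUN = re.compile(rb"[A-Za-z0-9]{%d,}" % (ALNUM_LIMIT + 1))
# Assumed threshold for the "~40000 bytes of padding" indicator (not from the page).
LARGE_REQUEST = 16384


def inspect_create_request(dst_port, payload):
    """Return the IOC matches for one client-to-server TCP payload.

    An empty list means the payload looks like ordinary traffic, or is not
    InterBase create-request traffic at all.
    """
    reasons = []
    if dst_port != IB_PORT or not payload.startswith(IB_MAGIC):
        return reasons
    if ALNUM_RUN.search(payload):
        reasons.append("alphanumeric run longer than %d bytes" % ALNUM_LIMIT)
    if STACK_ADJUST in payload:
        reasons.append("stack-adjustment prepend bytes present")
    if len(payload) > LARGE_REQUEST:
        reasons.append("create-request larger than %d bytes" % LARGE_REQUEST)
    return reasons


def scan_flows(flows):
    """flows: iterable of (client, dst_port, payload); returns (client, reasons) alerts."""
    alerts = []
    for client, port, data in flows:
        reasons = inspect_create_request(port, data)
        if reasons:
            alerts.append((client, reasons))
    return alerts


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    # Ordinary create request: header plus a short database path.
    ("10.0.0.5", 3050, IB_MAGIC + b"\x00" * 8 + b"C:\\db\\employee.gdb"),
    # Oversized alphanumeric buffer, prepend bytes after the offset, long padding.
    ("10.0.0.9", 3050, IB_MAGIC + b"A" * 1300 + STACK_ADJUST + b"B" * 40000),
    # Same bytes to another port: out of scope for this rule.
    ("10.0.0.9", 8080, IB_MAGIC + b"A" * 1300),
]

if __name__ == "__main__":
    for client, reasons in scan_flows(SAMPLE_FLOWS):
        print(client, "->", "; ".join(reasons))
```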
No detection rules found.
Exploit-DB: Borland Interbase - 'Create-Request' Remote Buffer Overflow (Metasploit) (exploitdb · 2010-06-15)
---
```ruby
##
# $Id: borland_interbase.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Borland Interbase Create-Request Buffer Overflow',
            'Description'    => %q{
                This module exploits a stack buffer overflow in Borland Interbase 2007.
                By sending a specially crafted create-request packet, a remote
                attacker may be able to execute arbitrary code.
            },
            'Author'         => 'MC',
            'Version'        => '$Revision: 9525 $',
            'References'     =>
                [
                    [ 'CVE', '2007-3566' ],
                    [ 'O
```
Metasploit: Borland Interbase Create-Request Buffer Overflow
This module exploits a stack buffer overflow in Borland Interbase 2007. By sending a specially crafted create-request packet, a remote attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:
- http://dvlabs.tippingpoint.com/advisory/TPTI-07-13
- http://dvlabs.tippingpoint.com/blog/2007/07/24/step-by-step-of-how-tpti-07-013-was-discovered
- http://osvdb.org/38602
- http://secunia.com/advisories/26189
- http://securityreason.com/securityalert/2929
- http://www.codegear.com/downloads/regusers/interbase
- http://www.securityfocus.com/archive/1/474561/100/0/threaded
- http://www.securityfocus.com/bid/25048
- http://www.securitytracker.com/id?1018451
- http://www.vupen.com/english/advisories/2007/2642
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35574