CVE-2007-5243
Published 2007-10-06
Priority: P2, 66, critical, 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 40.06% (98.5th percentile)
Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the (a) SVC_attach or (b) INET_connect function, (2) a long create request on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database or (5) expand_filename2 function.
Affected
18 ranges (1 × borland, 17 × borland_software; no version range or fixed version is listed for any of them)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| borland | interbase | — | — |
| borland_software | interbase | — | — |
Detection & IOCs (extracted from sources)
bytes: \xe9[-516 packed V]\xeb[-7 packed c]
- Detect exploit attempts targeting Borland InterBase / Firebird on TCP port 3050 sending an op_create (opcode 20) packet with an oversized length field (length + 16384 extra padding bytes) to trigger isc_create_database() stack buffer overflow.
- Detect exploit attempts targeting Borland InterBase on TCP port 3050 sending an op_attach (opcode 19) packet with a crafted length of 1152 bytes followed by NOP sled and shellcode to trigger PWD_db_aliased() stack buffer overflow.
- Flag InterBase/Firebird protocol traffic on TCP/3050 where the database parameter block contains default credentials user='SYSDBA' and password='masterkey' combined with an anomalously large declared packet length.
- Alert on opcode 0x52 requests to TCP port 3050 targeting ibserver.exe, as this specific opcode is used in the InterBase 2007 SP2 exploit variant.
- The exploit bad characters are \x00\x2f\x3a\x40\x5c; shellcode in observed payloads will not contain these bytes; use this constraint when writing YARA/Snort rules to match shellcode patterns in TCP/3050 streams.
- Return address 0x0804cbe4 (pop esi; pop ebp; ret gadget) is hardcoded for Borland InterBase LI-V8.0.0.53, LI-V8.0.0.54, LI-V8.1.0.253 targets; presence of this DWORD in a TCP/3050 payload is a strong exploit indicator.
- Return address 0x00370b0b is hardcoded for Firebird WI-V2.0.0.12748 / WI-V2.0.1.12855 targets (unicode.nls ROP); presence of this DWORD in a TCP/3050 create-database packet is a strong exploit indicator.
- CVE-2007-5243 may overlap with CVE-2007-5244 and CVE-2008-1910; the NVD entry for CVE-2008-1910 explicitly notes this overlap. Ensure detections are scoped to the correct CVE when triaging alerts.
- The isc_create_database exploit appends 16 KB (1024*16 bytes) of random alpha padding after the NOP sled/payload; packet size thresholds used in detection rules must accommodate this extra_padding to avoid false negatives.
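The length, padding, return-address and default-credential checks from the notes above, combined into one request inspector. This is an added example, not code from any of the indexed sources. It assumes each request starts with three big-endian 32-bit words (opcode, object id, path length); the thresholds, function names and sample requests are constructed for illustration.

```python
import struct

OP_ATTACH, OP_CREATE = 19, 20          # opcodes named in the notes above
MAX_PATH_LEN = 512                     # assumed ceiling for a database path
MAX_TRAILING = 1024                    # assumed ceiling for the bytes after it
# Return addresses the notes list as hardcoded, with the targets they name.
RET_ADDRS = {
    0x0804CBE4: "InterBase LI-V8.0.0.53 / LI-V8.0.0.54 / LI-V8.1.0.253",
    0x00370B0B: "Firebird WI-V2.0.0.12748 / WI-V2.0.1.12855",
}


def inspect_request(req: bytes) -> list:
    """Return findings for one reassembled client request from TCP/3050."""
    if len(req) < 12:
        return []
    # Assumed framing: big-endian opcode, object id, path length.
    opcode, _obj, declared = struct.unpack(">III", req[:12])
    if opcode not in (OP_ATTACH, OP_CREATE):
        return []
    name = "op_attach" if opcode == OP_ATTACH else "op_create"
    body = req[12:]
    findings = []
    if declared > MAX_PATH_LEN:
        findings.append(f"{name}: declared length {declared} exceeds {MAX_PATH_LEN}")
    # The path is padded to a 4-byte boundary; whatever follows should be a
    # small parameter block, not kilobytes of filler.
    trailing = len(body) - ((declared + 3) & ~3)
    if trailing > MAX_TRAILING:
        findings.append(f"{name}: {trailing} bytes follow the declared path")
    for addr, target in RET_ADDRS.items():
        if struct.pack("<I", addr) in body:   # little-endian, as on x86
            findings.append(f"{name}: contains 0x{addr:08x} ({target})")
    # Default credentials only raise confidence; alone they are not a finding.
    if findings and b"SYSDBA" in body and b"masterkey" in body:
        findings.append(f"{name}: default SYSDBA/masterkey credentials")
    return findings


def _request(opcode: int, path: bytes, rest: bytes = b"") -> bytes:
    """Build a constructed sample request in the assumed framing."""
    pad = b"\x00" * (-len(path) % 4)
    return struct.pack(">III", opcode, 0, len(path)) + path + pad + rest


# Constructed samples (filler bytes only, no captured traffic).
DPB = b"\x01\x1c\x06SYSDBA\x1d\x09masterkey"
BENIGN = _request(OP_ATTACH, b"/data/employee.gdb", struct.pack(">I", len(DPB)) + DPB)
BIG_CREATE = _request(OP_CREATE, b"A" * 2048, b"B" * 16 * 1024)
LONG_ATTACH = _request(OP_ATTACH, b"A" * 1148 + struct.pack("<I", 0x0804CBE4))

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("create", BIG_CREATE), ("attach", LONG_ATTACH)]:
        print(label, inspect_request(sample))
```

The benign sample carries the default credentials but produces no finding, matching the note that they matter only in combination with an anomalous length.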
GHSA
GHSA-v8gg-m84r-hhqc · ghsa_unreviewed · 2022-05-01 · CVSS 9.3
CVE-2008-1910 [CRITICAL] CWE-119
Stack-based buffer overflow in the database service (ibserver.exe) in Borland InterBase 2007 SP2 allows remote attackers to execute arbitrary code via a malformed opcode 0x52 request to TCP port 3050. NOTE: this might overlap CVE-2007-5243 or CVE-2007-5244.
GHSA
GHSA-cm4p-rvrm-3xfj · ghsa_unreviewed · 2022-05-01
CVE-2007-5243 [HIGH] CWE-119
No detection rules found.
Exploit-DB
Firebird Relational Database - 'isc_create_database()' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2007-5243
---
##
# $Id: fb_isc_create_database.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Firebird Relational Database isc_create_database() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Borland InterBase
by sending a specially crafted create request.
},
'Version' => '$Revision: 9669 $',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'Referenc
Exploit-DB
Borland Interbase - 'PWD_db_aliased()' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2007-5243
---
##
# $Id: ib_pwd_db_aliased.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Borland InterBase PWD_db_aliased() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Borland InterBase
by sending a specially crafted attach request.
},
'Version' => '$Revision: 9669 $',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'linux',
'References' =>
[
[ 'CVE', '2007-5243' ],
Exploit-DB
Borland Interbase - 'INET_connect()' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2007-5243
---
##
# $Id: ib_inet_connect.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Borland InterBase INET_connect() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Borland InterBase
by sending a specially crafted service attach request.
},
'Version' => '$Revision: 9669 $',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'linux',
'References' =>
[
[ 'CVE', '2007-5243' ]
Exploit-DB
Borland Interbase - 'isc_attach_database()' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2007-5243
---
##
# $Id: ib_isc_attach_database.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Borland InterBase isc_attach_database() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Borland InterBase
by sending a specially crafted attach request.
},
'Version' => '$Revision: 9669 $',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'References' =>
[
[ 'CVE', '2
Exploit-DB
Borland Interbase - 'SVC_attach()' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2007-5243
---
##
# $Id: ib_svc_attach.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Borland InterBase SVC_attach() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Borland InterBase
by sending a specially crafted service attach request.
},
'Version' => '$Revision: 9669 $',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'References' =>
[
[ 'CVE', '2007-5243' ],
[ 'OSV
Exploit-DB
Firebird Relational Database - 'isc_attach_database()' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2007-5243
---
##
# $Id: fb_isc_attach_database.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Firebird Relational Database isc_attach_database() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Borland InterBase
by sending a specially crafted create request.
},
'Version' => '$Revision: 9669 $',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'Referenc
Exploit-DB
Borland Interbase - 'jrd8_create_database()' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2007-5243
---
##
# $Id: ib_jrd8_create_database.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Borland InterBase jrd8_create_database() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Borland InterBase
by sending a specially crafted create request.
},
'Version' => '$Revision: 9669 $',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'linux',
'References' =>
[
[ 'CVE
Exploit-DB
Firebird Relational Database - 'SVC_attach()' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2007-5243
---
##
# $Id: fb_svc_attach.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Firebird Relational Database SVC_attach() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Borland InterBase
by sending a specially crafted service attach request.
},
'Version' => '$Revision: 9669 $',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'References' =>
[
[ 'CVE', '
Exploit-DB
Borland Interbase - 'isc_create_database()' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2007-5243
---
##
# $Id: ib_isc_create_database.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Borland InterBase isc_create_database() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Borland InterBase
by sending a specially crafted create request.
},
'Version' => '$Revision: 9669 $',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'References' =>
[
[ 'CVE', '2
Exploit-DB
Borland Interbase 2007 - 'PWD_db_aliased' Remote Buffer Overflow (Metasploit)
exploitdb · 2007-10-03 · CVE-2007-5243
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Borland InterBase PWD_db_aliased() Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in Borland InterBase
by sending a specially crafted attach request.
},
'Version' => '$Revision$',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'linux',
'References' =>
[
[ 'CVE', '2007-5243' ],
[ 'OSVDB', '38607' ],
[ 'BID', '25917' ],
[ 'URL', 'http://www.ris
Exploit-DB
Borland Interbase 2007/2007 SP2 - 'jrd8_create_database' Remote Buffer Overflow (Metasploit)
exploitdb · 2007-10-03 · CVE-2007-5243
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Borland InterBase jrd8_create_database() Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in Borland InterBase
by sending a specially crafted create request.
},
'Version' => '$Revision$',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'linux',
'References' =>
[
[ 'CVE', '2007-5243' ],
[ 'OSVDB', '38606' ],
[ 'BID', '25917' ],
[ '
Exploit-DB
Borland Interbase 2007/2007 SP2 - 'INET_connect' Remote Buffer Overflow (Metasploit)
exploitdb · 2007-10-03 · CVE-2007-5243
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Borland InterBase INET_connect() Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in Borland InterBase
by sending a specially crafted service attach request.
},
'Version' => '$Revision$',
'Author' =>
[
'ramon',
'Adriano Lima ',
],
'Arch' => ARCH_X86,
'Platform' => 'linux',
'References' =>
[
[ 'CVE', '2007-5243' ],
[ 'OSVDB', '38605' ],
[ 'BID', '25917' ],
[ 'URL', 'h
Metasploit
Borland InterBase INET_connect() Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.
Metasploit
Borland InterBase jrd8_create_database() Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.
Metasploit
Firebird Relational Database SVC_attach() Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.
Metasploit
Borland InterBase SVC_attach() Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.
Metasploit
Firebird Relational Database isc_attach_database() Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.
Metasploit
Borland InterBase isc_create_database() Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.
Metasploit
Borland InterBase PWD_db_aliased() Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.
Metasploit
Firebird Relational Database isc_create_database() Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.
Metasploit
Borland InterBase isc_attach_database() Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.
No writeups or analysis indexed.
References
- http://osvdb.org/38605
- http://osvdb.org/38606
- http://osvdb.org/38607
- http://osvdb.org/38608
- http://osvdb.org/38609
- http://risesecurity.org/advisory/RISE-2007002/
- http://risesecurity.org/blog/entry/3/
- http://risesecurity.org/exploit/10/
- http://risesecurity.org/exploit/12/
- http://risesecurity.org/exploit/13/
- http://risesecurity.org/exploit/14/
- http://risesecurity.org/exploit/15/
- http://risesecurity.org/exploit/9/
- http://secunia.com/advisories/27058
- http://www.securityfocus.com/bid/25917
- http://www.securitytracker.com/id?1018772
- http://www.vupen.com/english/advisories/2007/3381
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36956