CVE-2007-5243
published 2007-10-06


Priority: P266
Severity: critical
CVSS 2.0 base score: 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 40.06% (98.5th percentile)
Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the (a) SVC_attach or (b) INET_connect function, (2) a long create request on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database or (5) expand_filename2 function.

Affected (18 ranges)

Vendor | Product | Version range | Fixed in
borland | interbase | (not captured on this page) | (not captured on this page)
borland_software | interbase | (not captured on this page) | (not captured on this page)

The table lists 18 vendor/product ranges in total: one for vendor "borland" and seventeen for vendor "borland_software", all for product "interbase". The version range and fixed-in values did not survive extraction; the affected versions named in the description are LI 8.0.0.53 through 8.1.0.253 and WI 5.1.1.680 through 8.1.0.257.

Detection & IOCs (extracted from sources)

  • port: 3050/tcp
  • process: ibserver.exe
  • command: op_create = 20
  • command: op_attach = 19
  • bytes: \xe9[-516 packed V]\xeb[-7 packed c]
  • Detect exploit attempts targeting Borland InterBase / Firebird on TCP port 3050 sending an op_create (opcode 20) packet with an oversized length field (length + 16384 extra padding bytes) to trigger isc_create_database() stack buffer overflow.
  • Detect exploit attempts targeting Borland InterBase on TCP port 3050 sending an op_attach (opcode 19) packet with a crafted length of 1152 bytes followed by NOP sled and shellcode to trigger PWD_db_aliased() stack buffer overflow.
  • Flag InterBase/Firebird protocol traffic on TCP/3050 where the database parameter block contains default credentials user='SYSDBA' and password='masterkey' combined with an anomalously large declared packet length.
  • Alert on opcode 0x52 requests to TCP port 3050 targeting ibserver.exe, as this specific opcode is used in the InterBase 2007 SP2 exploit variant.
  • The exploit bad characters are \x00\x2f\x3a\x40\x5c; shellcode in observed payloads will not contain these bytes — use this constraint when writing YARA/Snort rules to match shellcode patterns in TCP/3050 streams.
  • Return address 0x0804cbe4 (pop esi; pop ebp; ret gadget) is hardcoded for Borland InterBase LI-V8.0.0.53, LI-V8.0.0.54, LI-V8.1.0.253 targets; presence of this DWORD in a TCP/3050 payload is a strong exploit indicator.
  • Return address 0x00370b0b is hardcoded for Firebird WI-V2.0.0.12748 / WI-V2.0.1.12855 targets (unicode.nls ROP); presence of this DWORD in a TCP/3050 create-database packet is a strong exploit indicator.
  • CVE-2007-5243 may overlap with CVE-2007-5244 and CVE-2008-1910; the NVD entry for CVE-2008-1910 explicitly notes this overlap. Ensure detections are scoped to the correct CVE when triaging alerts.
  • The isc_create_database exploit appends 16 KB (1024*16 bytes) of random alpha padding after the NOP sled/payload; packet size thresholds used in detection rules must accommodate this extra_padding to avoid false negatives.