CVE-2008-0387
published 2008-01-29


Priority: P261, high
CVSS 2.0: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
EXPLOIT
EPSS: 45.87% (98.7th percentile)
Integer overflow in Firebird SQL 1.0.3 and earlier, 1.5.x before 1.5.6, 2.0.x before 2.0.4, and 2.1.x before 2.1.0 RC1 might allow remote attackers to execute arbitrary code via crafted (1) op_receive, (2) op_start, (3) op_start_and_receive, (4) op_send, (5) op_start_and_send, and (6) op_start_send_and_receive XDR requests, which triggers memory corruption.

Affected

4 ranges

Vendor       Product   Version range       Fixed in
firebirdsql  firebird  <= 1.0.3
firebirdsql  firebird
firebirdsql  firebird  >= 1.5 < 1.5.6      1.5.6
firebirdsql  firebird  >= 2.0.0 < 2.0.4    2.0.4

Detection & IOCs (extracted from sources)

other: op_receive XDR request (malformed/oversized)
bytes: \x00\x00\x00\x4a followed by 3000 bytes of \x4a
  • Detect oversized or malformed XDR protocol messages targeting Firebird SQL on its default port (3050/tcp); specifically look for op_receive, op_start, op_start_and_receive, op_send, op_start_and_send, and op_start_send_and_receive operation codes with anomalous integer field values indicative of integer overflow.
  • Inspect Firebird connect packets for large repeated byte patterns (e.g., 3000+ bytes of 0x4a) following the XDR length field 0x0000004a, which is the exploit payload pattern used in the published PoC.
  • The vulnerability resides in protocol.cpp within the XDR request handling code; monitor for crashes or memory corruption in the Firebird process (fbserver/fbguard) following receipt of XDR-encoded p_data messages.
  • Affected versions are Firebird SQL 1.0.3 and earlier, 1.5.x before 1.5.6, 2.0.x before 2.0.4, and 2.1.x before 2.1.0 RC1; detections should be scoped to these versions and patched instances deprioritized.
  • Failed exploit attempts manifest as a denial-of-service condition rather than code execution, so process crashes on Firebird should also be treated as potential exploitation indicators.