CVE-2013-2492
published 2013-03-15

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute…

Priority: P2 (62) · Severity: medium · CVSS 2.0 base score: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public (Metasploit module, see Detection & IOCs)
EPSS: 42.17% (98.5th percentile)
Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

Affected

6 ranges, all for vendor firebirdsql, product firebird. The version-range and fixed-in columns did not survive extraction; per the description, the affected ranges are 2.1.3 through 2.1.5 (fixed in build 18514) and 2.5.1 through 2.5.3 (fixed in build 26623), Windows builds only.

Detection & IOCs (extracted from sources)

  • port: 3050/tcp
  • url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/fb_cnct_group.rb
  • url: https://gist.github.com/zeroSteiner/85daef257831d904479c
  • path: modules/exploits/windows/misc/fb_cnct_group.rb
  • bytes: \x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24\x00\x00\x00\x14 (start of an op_connect request: op_connect = 1, op_attach = 19, CONNECT_VERSION2 = 2, arch_generic = 36, then the XDR length of the database path string)
  • bytes: \x05\x20 (CNCT_group tag 5 followed by a length byte of 0x20)
  • bytes: \x15\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e (length byte 0x15 = 21 followed by the 21-byte string localhost.localdomain, the value of a CNCT_host item)
  • bytes: \x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20 (x86: mov eax,fs:[0x18] / add eax,8 / mov esp,[eax])
  • Monitor inbound TCP connections to port 3050 (the Firebird default) whose op_connect request carries an oversized CNCT_group item. The server copied as many bytes as the item's length byte claimed into a fixed-size group-id field without bounding it, so any CNCT_group length larger than that field is a crafted packet, not a legitimate client.
  • Exploit packets can be spotted by the byte pair \x05\x20 inside the CNCT info block of the connection request on TCP/3050: tag 5 (CNCT_group) followed by a length byte of 0x20, far larger than a group id, followed by ROP chain data. Match it at a CNCT item boundary rather than as a raw substring, since two bytes on their own will also occur in benign traffic.
  • The payload prepend stub mov eax,fs:[0x18] / add eax,8 / mov esp,[eax] (bytes \x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20) serves as a stack-pivot trampoline; this byte sequence in traffic to TCP/3050 is a strong indicator of exploitation. Firebird 2.1 and 2.5 wire traffic is plaintext, so the match can be made on the wire.
  • The exploit uses a two-phase stack pivot and a ROP chain that calls VirtualAlloc to bypass DEP. On the host, look for fbserver.exe spawning unexpected child processes, or for a VirtualAlloc call from an fbserver.exe thread that shows the usual ROP tell of a return address not preceded by a call instruction.
  • The exploit is unauthenticated: it fires during op_connect, before any login. A connection to TCP/3050 from an untrusted source that sends CNCT info with a large group field and never completes a normal Firebird attach and login exchange should be treated as suspicious.
  • The Metasploit module sets EXITFUNC=seh, so the shellcode exits by raising an exception that the process's SEH chain handles rather than by calling ExitThread or ExitProcess; correlate exceptions and crashes in fbserver.exe with connections on TCP/3050.
  • The exploit targets only Windows builds of Firebird; the vulnerable CNCT_group extraction in src/remote/inet.cpp was removed from trunk before the CVE was filed, so trunk and Linux builds are not affected.
  • ROP gadget addresses are build-specific; the Metasploit module targets exactly Firebird 2.5.2.26539, 2.5.1.26351, 2.1.5.18496 and 2.1.4.18393, and gadget offsets differ for any other build.
  • The fix is a bounds check on the CNCT_group length (build 26623 for 2.5, build 18514 for 2.1); patched builds are not vulnerable regardless of network exposure.
  • The payload bad-character set excludes \x00, \x0a and \x0d (null, newline, carriage return), so shellcode containing those bytes will not work through this vector.
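The detection bullets above describe the crafted op_connect request structurally: an oversized CNCT_group item and, optionally, the pivot stub bytes. The following is an added example, not code from this page or from the Metasploit module, that parses an op_connect request the way the bullets suggest and reports both conditions. The wire layout it assumes is my reading of Firebird's XDR protocol, consistent with the header IOC bytes listed above: op code, op_attach, connect version and architecture as 4-byte big-endian integers, the database path as an XDR counted string, a protocol count, the CNCT info block as an XDR counted string, then one 5-word block per offered protocol. The CNCT tag numbers are those from Firebird's protocol.h. The database path, user name, protocol block values and both CNCT blocks are constructed sample data, and the 4-byte group-id field size is my assumption about the overflowed stack variable.

```python
import struct
from typing import Iterator, List, Tuple

# op codes and constants as seen in the page's header IOC bytes
OP_CONNECT = 1
OP_ATTACH = 19
CONNECT_VERSION2 = 2
ARCH_GENERIC = 36

# CNCT info tags (Firebird protocol.h)
CNCT_USER, CNCT_PASSWD, CNCT_HOST, CNCT_GROUP, CNCT_USER_VERIFICATION = 1, 2, 4, 5, 6
GROUP_FIELD_SIZE = 4  # assumption: group id copied into a 4-byte integer on the stack

# mov eax,fs:[0x18] / add eax,8 / mov esp,[eax]  (pivot stub from the IOC list)
PIVOT_STUB = bytes.fromhex("64a11800000083c0088b20")


def xdr_cstring(data: bytes) -> bytes:
    """XDR counted string: big-endian length, bytes, zero-padded to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def read_xdr_cstring(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Return (data, offset just past the padding)."""
    (n,) = struct.unpack_from(">I", buf, off)
    start = off + 4
    data = buf[start:start + n]
    if len(data) != n:
        raise ValueError("truncated XDR string")
    return data, start + n + ((-n) % 4)


def cnct_items(info: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Walk the CNCT block as (tag, length, value) triples.
    The length byte is taken at face value, as the vulnerable server did, so
    an item claiming more bytes than remain yields a short value."""
    off = 0
    while off + 2 <= len(info):
        tag, length = info[off], info[off + 1]
        yield tag, length, info[off + 2:off + 2 + length]
        off += 2 + length


def parse_op_connect(pkt: bytes) -> dict:
    op, operation, version, arch = struct.unpack_from(">IIII", pkt, 0)
    if op != OP_CONNECT:
        raise ValueError("not an op_connect request")
    file_name, off = read_xdr_cstring(pkt, 16)
    (count,) = struct.unpack_from(">I", pkt, off)
    cnct_info, off = read_xdr_cstring(pkt, off + 4)
    return {"operation": operation, "version": version, "arch": arch,
            "file": file_name, "protocol_count": count, "cnct_info": cnct_info}


def inspect_op_connect(pkt: bytes) -> List[str]:
    """Findings for one op_connect request; empty list means nothing suspicious."""
    findings = []
    conn = parse_op_connect(pkt)
    for tag, length, _value in cnct_items(conn["cnct_info"]):
        # the structural check: tag 5 at an item boundary with an impossible length
        if tag == CNCT_GROUP and length > GROUP_FIELD_SIZE:
            findings.append(f"CNCT_group length {length} exceeds {GROUP_FIELD_SIZE}-byte field")
    # the byte-pattern check: the stack-pivot trampoline anywhere in the request
    if PIVOT_STUB in pkt:
        findings.append("stack-pivot stub mov eax,fs:[0x18]/add eax,8/mov esp,[eax] present")
    return findings


# --- constructed sample requests ---------------------------------------------

def cnct(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


def build_op_connect(cnct_info: bytes, file_name: bytes = b"C:\\data\\employee.fdb") -> bytes:
    hdr = struct.pack(">IIII", OP_CONNECT, OP_ATTACH, CONNECT_VERSION2, ARCH_GENERIC)
    # one offered protocol block: version, arch, min type, max type, weight (constructed)
    proto = struct.pack(">IIIII", 10, ARCH_GENERIC, 2, 3, 2)
    return hdr + xdr_cstring(file_name) + struct.pack(">I", 1) + xdr_cstring(cnct_info) + proto


BENIGN_CNCT = (cnct(CNCT_USER, b"SYSDBA")
               + cnct(CNCT_HOST, b"localhost.localdomain")
               + cnct(CNCT_GROUP, struct.pack("<I", 0))
               + cnct(CNCT_USER_VERIFICATION, b""))

# tag 5 with length 0x20 (the page's \x05\x20 IOC), padded with filler
OVERFLOW_CNCT = (cnct(CNCT_USER, b"SYSDBA")
                 + cnct(CNCT_HOST, b"localhost.localdomain")
                 + cnct(CNCT_GROUP, PIVOT_STUB + b"A" * (0x20 - len(PIVOT_STUB))))

if __name__ == "__main__":
    for label, info in (("benign", BENIGN_CNCT), ("overflow", OVERFLOW_CNCT)):
        print(label, inspect_op_connect(build_op_connect(info)))
```

Run it over reassembled client-to-server bytes of each TCP/3050 stream, starting at the first op_connect. The structural check is the one worth keeping in a sensor: it cannot be defeated by changing the filler, while the stub search only catches payloads that keep the page's prepend bytes intact.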

CVSS provenance

NVD · CVSS v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
OSV · 6.8 MEDIUM