CVE-2013-2492
Published 2013-03-15
Priority P262 · 6.8 medium (CVSS 2.0) · AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 42.17% (98.5th percentile)
Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.
Affected (6 ranges listed by the source; version bounds and fix versions were not extracted, see the description above for the affected builds)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| firebirdsql | firebird | — | — |
Detection & IOCs (extracted from sources)
- url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/fb_cnct_group.rb
- bytes: `\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24\x00\x00\x00\x14`
- bytes: `\x05\x20`
- bytes: `\x15\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e`
- bytes: `\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20`
- Monitor for inbound TCP connections to port 3050 (the Firebird default) carrying an oversized CNCT group number field: the exploit sends a crafted CNCT info packet whose group number length is not bounded, triggering a stack-based buffer overflow.
- Detect exploit packets by looking for the byte sequence `\x05\x20` followed by ROP chain data within a Firebird CNCT connection request on TCP/3050; this marks the CNCT_group tag with an oversized length field.
- The stub the exploit prepends to its payload, `mov eax,fs:[0x18] / add eax,8 / mov esp,[eax]` (bytes `\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20`), is used as a stack-pivot trampoline; this byte sequence in network data on TCP/3050 is a strong indicator of exploitation.
- The exploit uses a two-phase stack pivot and a ROP chain to call VirtualAlloc for DEP bypass; look for fbserver.exe spawning unexpected child processes or making VirtualAlloc calls from non-image memory regions.
- The exploit is unauthenticated: any connection to TCP/3050 from an untrusted source that does not complete a normal Firebird authentication handshake but sends CNCT info with a large group number field should be treated as suspicious.
- The Metasploit module uses EXITFUNC=seh, meaning the post-exploitation shellcode exits via a structured exception handler; look for SEH chain manipulation in fbserver.exe crash telemetry.
- The exploit only targets Windows builds of Firebird; the vulnerable code path (CNCT_group extraction in src/remote/inet.cpp) was removed in trunk before the CVE was filed, so trunk and Linux builds are not affected.
- Specific ROP gadget addresses are version-dependent; the Metasploit module targets exactly FB 2.5.2.26539, 2.5.1.26351, 2.1.5.18496 and 2.1.4.18393, and gadget offsets differ for any other build.
- The fix is a bounds check on the CNCT_group length field (build 26623 for v2.5, build 18514 for v2.1); patched builds are not vulnerable regardless of network exposure.
- The payload bad-character set excludes null bytes, newlines and carriage returns (`\x00\x0a\x0d`), so shellcode containing these bytes will not work with this exploit vector.
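The two network indicators above (an oversized CNCT_group length and the stack-pivot stub bytes) can be checked mechanically. The following is an added example written for this page, not code from the Metasploit module or the Firebird project. It assumes the Firebird CNCT user-identification block is a run of tag/length/value records with a one-byte tag and a one-byte length, that the tags are CNCT_user = 1, CNCT_host = 4 and CNCT_group = 5, and that the vulnerable server copied the group value into a 4-byte integer; the page only gives the `\x05\x20` bytes, so those details are assumptions from the Firebird wire protocol. The caller is expected to have already cut the CNCT block out of the op_connect request. The sample blocks are constructed, not captured traffic.

```python
"""Defensive check for CVE-2013-2492 indicators in a Firebird CNCT block."""

# Assumed layout (from the Firebird wire protocol, not stated on the page):
# the CNCT block is a sequence of records, each one tag byte, one length byte,
# then `length` bytes of value. The "\x05\x20" indicator on the page is such a
# record: tag 5 (CNCT_group) with a 32-byte value. The vulnerable server copied
# that value into a 4-byte integer without checking the declared length.
CNCT_USER = 0x01    # assumed tag number
CNCT_HOST = 0x04    # assumed tag number
CNCT_GROUP = 0x05   # tag byte quoted on the page
CNCT_GROUP_MAX_LEN = 4  # assumed size of the server-side integer

# Stack-pivot stub quoted on the page:
# mov eax,fs:[0x18] / add eax,8 / mov esp,[eax]
PIVOT_STUB = b"\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20"


def parse_cnct(blob: bytes) -> list:
    """Split a CNCT block into (tag, value) records.

    Stops at the first record whose declared length runs past the end of the
    blob, so a truncated or malformed block never raises.
    """
    records = []
    i = 0
    while i + 2 <= len(blob):
        tag, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) < length:   # declared length exceeds what was received
            break
        records.append((tag, value))
        i += 2 + length
    return records


def inspect_cnct(blob: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for tag, value in parse_cnct(blob):
        if tag == CNCT_GROUP and len(value) > CNCT_GROUP_MAX_LEN:
            findings.append(
                f"oversized CNCT_group value: {len(value)} bytes "
                f"(server buffer holds {CNCT_GROUP_MAX_LEN})"
            )
    # Search the whole block, not only record values: nothing forces an
    # attacker to keep the pivot stub inside a well-formed TLV record.
    if PIVOT_STUB in blob:
        findings.append(
            "stack-pivot stub mov eax,fs:[0x18] / add eax,8 / mov esp,[eax] present"
        )
    return findings


# Constructed sample blocks (not captured traffic).
BENIGN_CNCT = (
    b"\x01\x06sysdba"                    # CNCT_user, 6-byte value "sysdba"
    + b"\x04\x15localhost.localdomain"   # CNCT_host, 21-byte host name
    + b"\x05\x04\x00\x00\x00\x00"        # CNCT_group, 4-byte value
)
SUSPICIOUS_CNCT = (
    b"\x01\x06sysdba"
    + b"\x04\x15localhost.localdomain"
    + b"\x05\x20" + b"A" * 21 + PIVOT_STUB   # 32-byte group value, stub inside
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_CNCT), ("suspicious", SUSPICIOUS_CNCT)):
        print(name, inspect_cnct(blob) or ["clean"])
```

Run as a script it reports the benign block as clean and the constructed suspicious block with two findings. The length check is the durable signal: the pivot stub bytes are specific to this Metasploit module and will not survive a trivially re-encoded payload, whereas a CNCT_group longer than the server's integer is the condition the vendor fix (the bounds check in builds 26623 and 18514) rejects.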
CVSS provenance
- NVD (CVSS v2.0): 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
- OSV: 6.8 MEDIUM
GHSA
GHSA-8xvr-8v4v-rm6j: Stack-based buffer overflow in Firebird 2 (unreviewed advisory, 2022-05-17; CVE-2013-2492, MEDIUM, CWE-119). Description identical to the CVE text above.
OSV
CVE-2013-2492: Stack-based buffer overflow in Firebird 2 (2013-03-15, CVSS 6.8, MEDIUM). Description identical to the CVE text above.
No detection rules found.
Exploit-DB
Firebird - Relational Database CNCT Group Number Buffer Overflow (Metasploit), 2013-01-31, CVE-2013-2492.
Metasploit
Module: Firebird Relational Database CNCT Group Number Buffer Overflow (modules/exploits/windows/misc/fb_cnct_group.rb in https://github.com/rapid7/metasploit-framework; requires Metasploit: http://metasploit.com/download).
Module description: This module exploits a vulnerability in Firebird SQL Server. A specially crafted packet can be sent which will overwrite a pointer, allowing the attacker to control where data is read from. Shortly following the controlled read, the pointer is called, resulting in code execution. The vulnerability exists with a group number extracted from the CNCT information, which is sent by the client, and whose size is not properly checked. This module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phase stack pivot allows executing the ROP chain, which is ultimately used to execute VirtualAlloc and bypass DEP.
Bugzilla
CVE-2013-2492 Firebird: CNCT info remote stack buffer overflow [fedora-all] (2013-03-08, CVSS 6.8, MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affec
Bugzilla
CVE-2013-2492 Firebird: CNCT info remote stack buffer overflow [epel-all] (2013-03-08, CVSS 6.8, MEDIUM)
Body: the same auto-generated tracking-bug text as the [fedora-all] bug above, referring to Fedora EPEL instead of Fedora; truncated in the source at "Please note: this issue af".
Bugzilla
CVE-2013-2492 Firebird: CNCT info remote stack buffer overflow (2013-03-08, CVSS 6.8, MEDIUM)
Spencer McIntyre reports:
The FirebirdSQL server is vulnerable to a stack buffer overflow that can be
triggered when an unauthenticated user sends a specially crafted packet. The
result can lead to remote code execution as the user which runs the FirebirdSQL
server.
Alexander Peshkov adds:
The reason is a bug when extracting a group number from the CNCT info sent by
the client. The size of the received data was not checked. The bug exists from the
first days of Firebird.
The main irony here is that this group info was never used later in the code,
and therefore was cleaned up in the trunk, i.e. trunk does not require fixing.
This is fixed in snapshot builds, build numbers are 26623 for v2.5 and 18514
for v2.1. Fix available in upstre
References
- http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00036.html
- http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00039.html
- http://tracker.firebirdsql.org/browse/CORE-4058
- http://www.debian.org/security/2013/dsa-2647
- http://www.debian.org/security/2013/dsa-2648
- http://www.securityfocus.com/bid/58393
- https://gist.github.com/zeroSteiner/85daef257831d904479c
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/fb_cnct_group.rb
- https://security.gentoo.org/glsa/201512-11