Borland InterBase 2007 create request buffer overflow (Borland_Interbase_Create_Overflow)

About this signature or vulnerability

IBM Security Host Protection for Servers (Windows), Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, IBM Security Host Protection for Desktops, IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects an attempt to overflow a stack-based buffer in Borland Interbase Server by sending a specially-crafted "create" request on TCP port 3050. Such an overflow could cause the service to crash or allow remote code execution.


False positives

IBM Security Host Protection for Servers (Windows), Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, IBM Security Host Protection for Desktops, IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: The Interbase protocol does not contain enough unique fields to distinguish it from other traffic on TCP 3050 with certainty. False positives are possible when another service accepts connections on TCP port 3050. The Borland Interbase protocol is proprietary and not enough details are known to uniquely identify every session using TCP port 3050 as Borland Interbase or not. False positives are possible when another service accepts connections on TCP port 3050.

Default risk level

High risk vulnerability  High

Sensors that have this signature

IBM Security Host Protection for Servers (Windows): 2.1.14.2450, IBM Security Host Protection for Servers (Windows): 1.0.914.2450, IBM Security Host Protection for Servers (Windows): 2.0.300.2450, Proventia-G 1.1 and earlier: XPU 29.110, Proventia Network IDS: XPU 29.110, Proventia Network MFS: XPU 29.110, RealSecure Server Sensor: XPU 29.110, RealSecure Network: XPU 29.110, Proventia Network IPS: XPU 29.110, IBM Security Host Protection for Desktops: 2450, IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia Server IPS for Linux technology: 29.110, Virtual Server Protection for Vmware: 1.0

Systems affected

Borland InterBase 2007

Type

Unauthorized Access Attempt

Vulnerability description

Borland InterBase is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ibserver.exe database service. By sending a specially-crafted "create" request to TCP port 3050, a remote attacker could overflow a buffer and execute arbitrary code on the system.

How to remove this vulnerability

Refer to TPTI-07-13 for upgrade information. See References.

References

TPTI-07-13
Borland Interbase ibserver.exe Create-Request Buffer Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-13

milw0rm.com [2007-07-30]
Borland Interbase <= 2007 SP1 Create-Request Remote Overflow Exploit
http://milw0rm.com/exploits/4247

ISS X-Force
Borland InterBase 2007 create request buffer overflow
http://www.iss.net/security_center/static/35574.php

CVE
CVE-2007-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3566