Live Chat Software for Business
Task Management Software
Software for managing team projects, tasks, time, workflow and efficiency
 
Home
 
Products
 
Solutions
 
Download
 
Purchase
 
Support
 
Contact Us
 
My Account
  
  
   
Support 
FAQ 
Forum
Helpdesk 
Blog 
Company 
Contact Us 
<< username >>
<< password >>
Remember me on this computer
  Forgot your password?
  Register

Home  » Support  » Forum  » Troubleshooting (VIP Task Manager)  » VIP vulnerable

VIP vulnerable
Forums list
Topics list
New topics
Search
User list
Rules
Help
Login: 
Register

  Views: 630Topic:: «VIP vulnerable, It is possible to execute code on the remote host through the database» on forum: Troubleshooting (VIP Task Manager)
#1
Serge,

FireBird 1.5 engine used by VIP has been found vulnerable by our security team and this issue is also documented on FireBird webpage.
Is it possible to upgrade to Firebird 2.0.1 or Task Manager Pro is only supported with the current FireBird version?

Thanks,
Marco
-----------------------------------------
Synopsis:
It is possible to execute code on the remote host through the database.

Description:
The remote version of Firebird SQL database server is vulnerable to a
buffer overflow in the protocol handling routine.
By sending a specially crafted op_connect request, an attacker can
execute code on the remote host with SYSTEM privileges.

Solution:
Upgrade to Firebird 2.0.1 or later.

See also:
http://dvlabs.tippingpoint.com/advisory/TPTI-07-11
http://www.firebirdsql.org/rlsnotes/Firebird-2.0.1-ReleaseNotes.pdf

Risk Factor:
Critical / CVSS Base Score: 10
(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2007-3181
http://www.securityfocus.com/bid/36
Profile
E-Mail
#2
Marco,

Quote
FireBird 1.5 engine used by VIP has been found vulnerable by our security team and this issue is also documented on FireBird webpage.


Starting from version 2.8 VIP Task Manager client application doesn't connect directly to Firebird (to solve long ping issue). Client connects to our server (VIP DB Bridge Server) which connects to Firebird locally (to localhost). All transactions from client to our server are secured by SSL protocol.

As you see there is no outer access to the Firebird, if you don't allow such access on purpose (when our server and Firebird are on the same server computer, you can even use 'localhost' for connecting our server to Firebird) so it is not possible to execute code on the remote host through the database.

Quote
Is it possible to upgrade to Firebird 2.0.1 or Task Manager Pro is only supported with the current FireBird version?


It is possible, however we didn't test VIP Task Manager with Fireberd 2.0 so we can not guarantee that it will work smoothly.

Regards,
Serge
Profile
E-Mail
#3
Serge,

Quote
Client connects to our server (VIP DB Bridge Server) which connects to Firebird locally (to localhost). All transactions from client to our server are secured by SSL protocol.

...there is no outer access to the Firebird, if you don't allow such access on purpose


Herein lies the problem with the solution as provided:
access is currently granted to the database via the network, and arbitrary code can be executed on that host, meaning that it is a legitimate vulnerability that needs to be fixed.

If you can provide advice on how to restrict access only to the localhost – We would apply that procedure to the server.

Currently there is publicly available exploit code which is trivial to use. It would not take a lot of imagination to code this into an automated worm.



Quote
It is possible, however we didn't test VIP Task Manager with Fireberd 2.0 so we can not guarantee that it will work smoothly.


We have tried to use VIP with Firebird 2.0.3, which is not affected by security known issues. They communicate but VIP doesn't recognize dbase columns because it is not configured.

Can you provide us with a solution (improvement of the server or integration of Firebird 2, or whatever), as the use of VIP 3.0.1 rev482 has been interdicted in our company.

Regards,
Marco
Profile
E-Mail
#4
Marco,

Quote
If you can provide advice on how to restrict access only to the localhost – We would apply that procedure to the server.


Please do the following on server computer and we believe it will solve the issue:
1. Go to Start/Programs/VIP Quality Software/VIP Task Manager Professional/Database Manager
2. Select tab General
3. In the field Host enter 'localhost'
4. Select tab Databases
5. Highlight your database
6. Click on Edit button
7. In the window 'Input Database Params' enter 'localhost' into the field Host)

Also please turn off external access to port 3050 by your Firewal (but leave internal access for our server)

Quote
We have tried to use VIP with Firebird 2.0.3, which is not affected by security known issues. They communicate but VIP doesn't recognize dbase columns because it is not configured.


We don't quite understand what you mean by "VIP doesn't recognize dbase columns". Are there any error messages?

Also when shifting to Firebird v2.0 you can do back up/restore with GBAK.exe tool (C:\Program Files\VIP Quality Software\VIP Task Manager Professional\DBAdminUtils), register the restored database in Database Manager and see if it solves the issue you faced.
Learn how to backup/restore here:

http://www.taskmanagementsoft.com/support/forum/forum7/topic67/message159/#message159

Regards,
Serge
Profile
E-Mail

Users browsing this topic
 Number of guests: 1, registered members: 0, in total hidden: 0
  Home Products Solutions Download Purchase Support Contact Us My Account 
 Français   Deutsch   Articles   Search   Site Map
Copyright © 2005 - 2008 VIP Quality Software, Ltd. All Rights Reserved.