||Home : Advisories : Interbase Server Contains Compiled-in Back Door Account|
||Interbase Server Contains Compiled-in Back Door Account
||10th January 2001
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door
Original release date: January 10, 2001
Last revised: --
A complete revision history is at the end of this file.
* Borland/Inprise Interbase 4.x and 5.x
* Open source Interbase 6.0 and 6.01
* Open source Firebird 0.9-3 and earlier
Interbase is an open source database package that had previously been
distributed in a closed source fashion by Borland/Inprise. Both the
open and closed source verisions of the Interbase server contain a
compiled-in back door account with a known password.
Interbase is an open source database package that is distributed by
Borland/Inprise at http://www.borland.com/interbase/ and on
SourceForge. The Firebird Project, an alternate Interbase package, is
also distributed on SourceForge. The Interbase server for both
distributions contains a compiled-in back door account with a fixed,
easily located plaintext password. The password and account are
contained in source code and binaries previously made available at the
This back door allows any local user or remote user able to access
port 3050/tcp [gds_db] to manipulate any database object on the
system. This includes the ability to install trapdoors or other trojan
horse software in the form of stored procedures. In addition, if the
database software is running with root privileges, then any file on
the server's file system can be overwritten, possibly leading to
execution of arbitrary commands as root.
This vulnerability was not introduced by unauthorized modifications to
the original vendor's source. It was introduced by maintainers of the
code within Borland. The back door account password cannot be changed
using normal operational commands, nor can the account be deleted from
existing vulnerable servers [see References].
This vulnerability has been assigned the identifier CAN-2001-0008 by
the Common Vulnerabilities and Exposures (CVE) group:
The CERT/CC has not received reports of this back door being exploited
at the current time. We do recommend, however, that all affected sites
and redistributors of Interbase products or services follow the
recommendations suggested in Section III, as soon as possible due to
the seriousness of this issue.
Any local user or remote user able to access port 3050/tcp [gds_db]
can manipulate any database object on the system. This includes the
ability to install trapdoors or other trojan horse software in the
form of stored procedures. In addition, if the database software is
running with root privileges, then any file on the server's file
system can be overwritten, possibly leading to execution of arbitrary
commands as root.
Apply a vendor-supplied patch
Both Borland and The Firebird Project on SourceForge have published
fixes for this problem. Appendix A contains information provided by
vendors supplying these fixes. We will update the appendix as we
receive more information. If you do not see your vendor's name, the
CERT/CC did not hear from that vendor. Please contact your vendor
Users who are more comfortable making their own changes in source code
may find the new code available on SourceForge useful as well:
Block access to port 3050/tcp
This will not, however, prevent local users or users within a
firewall's adminstrative boundary from accessing the back door
account. In addition, the port the Interbase server listens on may be
changed dynamically at startup.
Appendix A. Vendor Information
The Firebird project uncovered serious security problems with
InterBase. The problems are fixed in Firebird build 0.9.4 for all
platforms. If you are running either InterBase V6 or Firebird 0.9.3,
you should upgrade to Firebird 0.9.4.
These security holes affect all version of InterBase shipped since
1994, on all platforms.
For those who can not upgrade, Jim Starkey developed a patch program
that will correct the more serious problems in any version of
InterBase on any platform. IBPhoenix chose to release the program
without charge, given the nature of the problem and our relationship
to the community.
At the moment, name service is not set up to the machine that is
hosting the patch, so you will have to use the IP number both for the
initial contact and for the ftp download.
To start, point your browser at
The referenced database package is not packaged with Mac OS X or Mac
OS X Server.
Fujitsu's UXP/V operating system is not affected by this problem
because we don't support the relevant database.
1. VU#247371: Borland/Inprise Interbase SQL database server contains
backdoor superuser account with known password CERT/CC,
Author: This document was written by Jeffrey S Havrilla. Feedback on
this advisory is appreciated.
This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available from
our web site
To subscribe to the CERT mailing list for advisories and bulletins,
send email to email@example.com. Please include in the body of your
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
January 10, 2001: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
-----END PGP SIGNATURE-----