Firebird
cpe:2.3:a:firebird:firebird:*:*:*:*:*:*:*
- < 5.0.4
- < 4.0.7
- < 3.0.14
A path traversal vulnerability has been identified in Firebird's external engine plugin loader, present in versions prior to 5.0.4, 4.0.7, and 3.0.14. The vulnerability allows an authenticated user with CREATE FUNCTION privileges to execute arbitrary code by loading a shared library from any location on the filesystem. This is achieved by supplying a crafted ENGINE name that exploits the lack of proper validation for path separators and directory traversal components. The executed code runs with the same privileges as the Firebird server's operating system account, potentially leading to unauthorized access or manipulation of system resources.
Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running as the Firebird process's OS user. This could lead to reading or modifying database files, pivoting to other parts of the system, or establishing a persistent foothold.
To reproduce this vulnerability, connect to a Firebird database as a user with CREATE FUNCTION privileges. Then, execute a SQL statement that creates or alters a function with a specified ENGINE name that includes path traversal sequences. The external library referenced by the ENGINE name will be loaded, and its initialization code will execute immediately, before Firebird has a chance to validate the module.
Users can upgrade to Firebird versions 5.0.4, 4.0.7, or 3.0.14 to address this vulnerability.
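The missing validation described above, rejecting path separators and directory traversal components before an ENGINE name is turned into a module path, can be expressed as the following C++ check. This is an added example, not Firebird's code or its actual fix; the helper names, the 63-character limit, the allowed character set and the sample directory are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <filesystem>
#include <optional>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// Hypothetical helper: accept only plain engine identifiers such as "UDR".
// An allowlist rejects '/', '\\', '.', ':' and embedded NUL with one rule.
bool isPlainEngineName(std::string_view name)
{
    if (name.empty() || name.size() > 63)   // assumed length limit
        return false;
    return std::all_of(name.begin(), name.end(), [](unsigned char c) {
        return std::isalnum(c) || c == '_' || c == '$';
    });
}

// Hypothetical helper: build the module path from a validated name and,
// as a second layer, confirm it is a direct child of the plugins directory.
std::optional<fs::path> resolveEngineModule(const fs::path& pluginsDir,
                                            std::string_view engine,
                                            std::string_view suffix)
{
    if (!isPlainEngineName(engine))
        return std::nullopt;

    // Normalise the base so a trailing separator does not affect the comparison.
    const fs::path base = (pluginsDir / "").lexically_normal().parent_path();
    const fs::path candidate =
        (base / (std::string(engine) + std::string(suffix))).lexically_normal();

    // Refuse anything that does not sit directly inside the plugins directory.
    if (candidate.parent_path() != base)
        return std::nullopt;
    return candidate;   // only now may the caller hand the path to the loader
}
```

The point of the ordering is that the name is rejected before any path is built or any library is opened, since the advisory notes that a loaded library's initialization code runs before the module itself is validated.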