25 years ago, around this period, the InterBase 6 / Firebird 1 prerelease gaping security hole was detected: a user politically with password correct would gain database access
Posted by jpluimers on 2025/12/24
Before Firebird version 1.0 was released, the team that was frantically trying to get the Firebird fork first building on various platforms, and then released, detected a gaping security hole that InterBase had introduced in 1994, before InterBase 6.0 (mostly written in C) was open sourced in 2000.
It had a maximum CVSS score of 10.0 because it could access the security database in read/write mode, thereby allowing adding users with SYSDBA privileges.
The detection is now about 25 years ago; on 20260109 the publication (by IBPhoenix) of the bug will be 25 years ago too.
So below are some links, including the original InterBase 6 source which was hard to find as the attachments of the original release links had not been archived in the Wayback Machine.
But first, some of the code parts, which also show the source file I did manage to find again:

Files relative to the recursively unpacked [Wayback] www.ic.unicamp.br/~celio/mc527/interbase/ib60src.tar.gz, listed as file:line#: code

```
./ib60src/InterBase/jrd/dyn.e:266: if ((tdbb->tdbb_attachment->att_user->usr_flags & USR_locksmith) ||
./ib60src/InterBase/jrd/dyn.e:311: ** only owner of SQL role or USR_locksmith could drop SQL role
./ib60src/InterBase/jrd/dyn.e:1610: /* If the current user is locksmith - allow all grants to occur */
./ib60src/InterBase/jrd/dyn.e:1612: if (tdbb->tdbb_attachment->att_user->usr_flags & USR_locksmith)
./ib60src/InterBase/jrd/dyn.e:1820: if (tdbb->tdbb_attachment->att_user->usr_flags & USR_locksmith)
./ib60src/InterBase/jrd/dyn.e:2062: if ((revoking_user->usr_flags & USR_locksmith) ||
./ib60src/InterBase/jrd/dyn.e:2092: if ((revoking_user->usr_flags & USR_locksmith) ||
./ib60src/InterBase/jrd/isc.c:240: extern uid_$t acl_$locksmith_uid;
./ib60src/InterBase/jrd/isc.c:1277: return (!strcmp (name, "USER") && !strcmp (project, "LOCKSMITH"));
./ib60src/InterBase/jrd/isc.c:1315: return (sid.proj.high == acl_$locksmith_uid.high &&
./ib60src/InterBase/jrd/isc.c:1316: sid.proj.low == acl_$locksmith_uid.low);
./ib60src/InterBase/jrd/jrd.c:901: !(attachment->att_user->usr_flags & (USR_locksmith | USR_owner)))
./ib60src/InterBase/jrd/jrd.c:991: !(attachment->att_user->usr_flags & (USR_locksmith | USR_owner)))
./ib60src/InterBase/jrd/jrd.c:2115: if (!attachment->att_user->usr_flags & (USR_locksmith | USR_owner))
./ib60src/InterBase/jrd/jrd.c:4299: !(attachment->att_user->usr_flags & (USR_locksmith | USR_owner))))
./ib60src/InterBase/jrd/pwd.c:323: TEXT locksmith_password_enc [33];
./ib60src/InterBase/jrd/pwd.c:328: /* Encrypt and copy locksmith's password under the global scheduler's
./ib60src/InterBase/jrd/pwd.c:332: strcpy (locksmith_password_enc, ENC_crypt (LOCKSMITH_PASSWORD, PASSWORD_SALT));
./ib60src/InterBase/jrd/pwd.c:352: *dpb++ = strlen (LOCKSMITH_USER);
./ib60src/InterBase/jrd/pwd.c:353: p = LOCKSMITH_USER;
./ib60src/InterBase/jrd/pwd.c:358: p = locksmith_password_enc + 2;
./ib60src/InterBase/jrd/pwd.h:30: #define LOCKSMITH_USER "politically"
./ib60src/InterBase/jrd/pwd.h:31: #define LOCKSMITH_PASSWORD "correct"
./ib60src/InterBase/jrd/scl.e:531: TEXT locksmith_password[20];
./ib60src/InterBase/jrd/scl.e:532: TEXT locksmith_password_enc[33];
./ib60src/InterBase/jrd/scl.e:533: TEXT user_locksmith[20];
./ib60src/InterBase/jrd/scl.e:561: strcpy (locksmith_password, LOCKSMITH_PASSWORD);
./ib60src/InterBase/jrd/scl.e:562: strcpy (user_locksmith, LOCKSMITH_USER);
./ib60src/InterBase/jrd/scl.e:563: strcpy (locksmith_password_enc, ENC_crypt (locksmith_password, PASSWORD_SALT));
./ib60src/InterBase/jrd/scl.e:564: if (strcmp (user_name, user_locksmith) || (password_enc == NULL) ||
./ib60src/InterBase/jrd/scl.e:565: strcmp (password_enc, locksmith_password_enc + 2))
./ib60src/InterBase/jrd/scl.e:636: user->usr_flags |= USR_locksmith;
./ib60src/InterBase/jrd/scl.e:1128: if (user.usr_flags & USR_locksmith)
./ib60src/InterBase/jrd/scl.h:81: #define USR_locksmith 1 /* User has great karma */
./ib60src/InterBase/jrd/scl.h:86: * User name assigned to any user granted USR_locksmith rights.
./ib60src/InterBase/jrd/shut.c:131: /* Only platform's user locksmith can shutdown or bring online
./ib60src/InterBase/jrd/shut.c:134: if (!attachment->att_user->usr_flags & (USR_locksmith | USR_owner))
./ib60src/InterBase/jrd/tra.c:3103: strcpy (password_enc, (char *)ENC_crypt (LOCKSMITH_PASSWORD, PASSWORD_SALT));
./ib60src/InterBase/jrd/tra.c:3111: *dpb++ = strlen (LOCKSMITH_USER);
./ib60src/InterBase/jrd/tra.c:3112: q = LOCKSMITH_USER;
./ib60src/InterBase/utilities/dba_full.e:618: *dpb++ = strlen (LOCKSMITH_USER);
./ib60src/InterBase/utilities/dba_full.e:619: q = LOCKSMITH_USER;
./ib60src/InterBase/utilities/dba_full.e:624: strcpy (password_enc, (char *)ENC_crypt (LOCKSMITH_PASSWORD, PASSWORD_SALT));
```
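An added example (not code from InterBase, Firebird or the original post): a small Python audit pass that follows string-literal macros through `strcpy` into `strcmp` calls, run over lines copied from the listing above (pwd.h:30-31 and scl.e:561-565). The function name and the sample layout are assumptions made for this illustration.

```python
import re

# Constructed sample: lines copied from the listing above
# (pwd.h:30-31 and scl.e:561-565); line numbers restart at 1 per sample file.
SAMPLE = {
    "jrd/pwd.h": '#define LOCKSMITH_USER "politically"\n'
                 '#define LOCKSMITH_PASSWORD "correct"\n',
    "jrd/scl.e": 'strcpy (locksmith_password, LOCKSMITH_PASSWORD);\n'
                 'strcpy (user_locksmith, LOCKSMITH_USER);\n'
                 'strcpy (locksmith_password_enc, ENC_crypt (locksmith_password, PASSWORD_SALT));\n'
                 'if (strcmp (user_name, user_locksmith) || (password_enc == NULL) ||\n'
                 '    strcmp (password_enc, locksmith_password_enc + 2))\n',
}

DEFINE = re.compile(r'^\s*#\s*define\s+(\w+)\s+"[^"]*"', re.M)  # string-literal macro
COPY = re.compile(r'\bstrcpy\s*\(\s*(\w+)\s*,\s*(.+)\)\s*;')     # strcpy(dest, expr);
COMPARE = re.compile(r'\bstrcmp\s*\(([^,]+),([^)]*)\)')          # strcmp(a, b)
IDENT = re.compile(r'[A-Za-z_]\w*')

def find_compiled_in_credentials(files):
    """Return (file, line, macro) for each strcmp fed by a string-literal macro."""
    # 1. Every macro defined as a string literal is a taint source.
    tainted = {}  # identifier -> macro it derives from
    for text in files.values():
        for name in DEFINE.findall(text):
            tainted[name] = name
    # 2. Propagate through strcpy(dest, expr) until no new buffer is tainted.
    changed = True
    while changed:
        changed = False
        for text in files.values():
            for dest, expr in COPY.findall(text):
                src = next((tainted[i] for i in IDENT.findall(expr) if i in tainted), None)
                if src and dest not in tainted:
                    tainted[dest] = src
                    changed = True
    # 3. Report every strcmp whose arguments mention a tainted identifier.
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for a, b in COMPARE.findall(line):
                for ident in IDENT.findall(a + " " + b):
                    if ident in tainted:
                        findings.append((path, lineno, tainted[ident]))
    return findings

if __name__ == "__main__":
    for finding in find_compiled_in_credentials(SAMPLE):
        print("%s:%d compares input against compiled-in %s" % finding)
```

The pass flags any string-literal macro that reaches `strcmp`, so its hits need manual triage; on the sample it reports both comparisons from `scl.e`.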
For your enjoyment, the list of links:
- [Wayback/Archive] Firebird Conference 2009 – Frank Schlottmann-Gödde found the bug.
- [Wayback/Archive] firebird-architect – Re: [IB-Architect] Borland’s News Server: back then, there were lots of emotions on the Borland side, as open sourcing InterBase had actually failed. Some of the results were summarised 9 years later in [Wayback/Archive] firebird-architect – Re: [Firebird-Architect] interbase 1.0 tapes ?.
- [Wayback/Archive] CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door Account
The Firebird project uncovered serious security problems with InterBase. The problems are fixed in Firebird build 0.9.4 for all platforms. If you are running either InterBase V6 or Firebird 0.9.3, you should upgrade to Firebird 0.9.4.
These security holes affect all versions of InterBase shipped since 1994, on all platforms.
For those who can not upgrade, Jim Starkey developed a patch program that will correct the more serious problems in any version of InterBase on any platform. IBPhoenix chose to release the program without charge, given the nature of the problem and our relationship to the community.
- [Wayback/Archive] CVE-2001-0008 : Backdoor account in Interbase database server allows remote attackers to overwrite arbitrary files using stored procedur (with links to the Wayback Machine; not all pages have been archived properly though)
Cvss Score 10.0…
– Products Affected By CVE-2001-0008
| # | Product Type | Vendor | Product | Version |
|---|---|---|---|---|
| 1 | Application | Borland Software | Interbase | 4.0 |
| 2 | Application | Borland Software | Interbase | 5.0 |
| 3 | Application | Borland Software | Interbase | 6.0 |
| 4 | Application | Firebirdsql | Firebird | 0.9.3 |

- [Wayback/Archive] Internet Security Systems, Inc. : X-Force
Platforms Affected:
InterBase 6.01
InterBase 6.0
InterBase 5.x
InterBase 4.x
Firebird 0.9-3 and earlier…
Remedy:
For InterBase:
Apply the appropriate InterBase patch for your system, available from the Borland Web site. See References.
For Firebird:
Upgrade to the latest version of Firebird (0.9-4 or later), available from the SourceForge Web site. See References.…
References:
CA-2001-01.html
http://www.borland.com/interbase/downloads/patches.html
http://www.ibphoenix.com/sec1.html
http://sourceforge.net/project/showfiles.php?group_id=9028
Standards associated with this entry:
CAN-2001-0008 : Backdoor account in Interbase database server allows remote attackers to overwrite arbitrary files using stored procedures.
- [Wayback/Archive] IBPhoenix Document – InterBase Security Alert
Security Alert
What are the problems?
The most serious hole is a “back door”, a built-in account and password that gives unrestricted access to any database. Borland’s InterBase engineering group deliberately created the back door to access the security database (isc4.gdb) in version 4, circa 1992. This same account and password continue to give full access in all subsequent versions of InterBase.
InterBase versions 4, 5, and 6 also contain a built-in function that crashes the server or deletes the database file, depending on the parameters passed. The Borland InterBase QA group requested this “feature” in 1994 to facilitate testing and required that it be left in production versions of the code.
Recognizing the seriousness of this situation, Mr. Starkey and IBPhoenix donate this patch program to the InterBase community. It is available, at no charge, to all InterBase customers, regardless of their hardware platform, whether they run version 4, version 5, or version 6, or whether they have support contracts with Borland, IBPhoenix, Cognos, some other organization, or no one.
…
Download the license.txt and the usage instructions. Then download the appropriate patch for your platform:
AIX Linux DG Intel Solaris DG Unix VAX VMS HP UX Win32
Regrettably, none of these downloads made it to the Wayback Machine: Wayback Machine: ftp://ftp.ibphoenix.com/secure/
No URL has been captured for this URL prefix.
Only these two files got archived:
- Similarly, none of the Borland patch downloads got archived:
- [Wayback/Archive] SourceForge: Project Filelist – Firebird – Files with early 0.9-4 Firebird Test1 files all dated 2000-12-27 (which means that by then the fix was applied)
- [Wayback/Archive] CERT/CC Vulnerability Note VU#247371
I. Description
Interbase is an open source database package that is distributed by Borland/Inprise. The server contains a compiled-in backdoor account with a known password.
In the following interbase code, references are made about a LOCKSMITH user:
./jrd/dyn.e
./jrd/isc.c
./jrd/jrd.c
./jrd/pwd.c
./jrd/pwd.h
./jrd/scl.e
./jrd/scl.h
./jrd/shut.c
./jrd/tra.c
./utilities/dba_full.e
It turns out the LOCKSMITH is an entity needed to allow “authorized” interaction with the security accounts database between services. This LOCKSMITH is the user account in question compiled into the code with full-access to the security accounts database by default. The compiled-in code can be found in the jrd/pwd.h header which defines the macros in question:
#define LOCKSMITH_USER "politically"
#define LOCKSMITH_PASSWORD "correct"
While it appears the password is transmitted over the wire encrypted, since the password is hard-coded, the security afforded is negligible.
Once the LOCKSMITH account is compromised, the SYSDBA account privileges can be used to gain control of all database objects (tables, records, fields, stored procedures, etc). Once database access is gained, user defined functions (UDFs) can be used to implant trojan horses and programs which can be used to gain root (system) privileges on the system hosting the server.
This vulnerability was not introduced by unauthorized modifications to the original vendor’s source. It was introduced by maintainers of the code within Borland. The back door account password can not be changed using normal operational commands, nor can the account be deleted from existing vulnerable servers. The best solution at this time is to upgrade vulnerable binaries and source code with fixes that are being distributed by Borland and the Firebird Project (IBPhoenix).
II. Impact
This backdoor allows any local user or remote user able to access port 3050/tcp [gds_db] to manipulate any database object on the system. This includes the ability to install trapdoors or other trojan horse software in the form of stored procedures. In addition, if the database software is running with root (*NIX) or System (NT) privileges, then any file on the server’s file system can be overwritten, possibly leading to execution of arbitrary commands as root or System.
III. Solution
Install the patch being distributed to change the backdoor server account password.
Block access to port 3050/tcp; this will not, however, prevent local users or users within a firewall’s administrative boundary from accessing the backdoor account.
Systems Affected

| Vendor | Status | Date Updated |
|---|---|---|
| Borland | Vulnerable | 11-Jan-2001 |
| IBPhoenix | Vulnerable | 10-Jan-2001 |
| Apple | Not Vulnerable | 10-Jan-2001 |
| Fujitsu | Not Vulnerable | 10-Jan-2001 |

References
https://www.kb.cert.org/vuls/id/247371
http://www.borland.com/interbase/downloads/patches.html
http://www.borland.com/interbase/
http://community.borland.com/interbase/
http://sourceforge.net/projects/interbase
http://sourceforge.net/projects/firebird
http://sourceforge.net/projects/firebirdashes
http://firebird.sourceforge.net
http://www.ibphoenix.com
http://www.ibphoenix.com/sec1.html
http://firebird.ibphoenix.com
http://www.interbase2000.com
http://sourceforge.net/cvs/?group_id=1962 [Borland Interbase]
http://sourceforge.net/cvs/?group_id=9052 [FirebirdAshes]
- [Wayback/Archive] History for jrd/pwd.h – FirebirdSQL/x-cvs-interbase · GitHub (which is incomplete as it does not have a commit of the LOCKSMITH credentials removal)
- [Wayback/Archive] Removed an assert from jrd/sort.c that caused debug version to stop for no reason. Some minor changes to make pwd.c thread-safe · FirebirdSQL/x-cvs-interbase@b9f6a57 · GitHub was the re-introduction of the `jrd/pwd.h` file.
- [Wayback/Archive] Save the whale, feed the poor, and set the sources free. · FirebirdSQL/x-cvs-interbase@d1cd708 · GitHub first commit dated 20000803, but lacking `jrd/pwd.h` (because missing, and many other files – including `jrd/pwd.c` – because of GitHub diff UI limitations)
- [Wayback/Archive] GitHub – FirebirdSQL/x-cvs-interbase at d1cd7082a7a6faa5cc8f2ef7dbcaa95f09ae0091 tree of first commit which can access all files including `jrd/pwd.c`: [Wayback/Archive] x-cvs-interbase/jrd/pwd.c at d1cd7082a7a6faa5cc8f2ef7dbcaa95f09ae0091 · FirebirdSQL/x-cvs-interbase · GitHub which indeed has a commit history: [Wayback/Archive] History for jrd/pwd.c – FirebirdSQL/x-cvs-interbase · GitHub
- [Wayback/Archive] Firebird download | SourceForge.net with [Wayback/Archive] Firebird / Code Commit Log: r1 is dated 20010523, which means it is not the start of the Firebird project.
- [Wayback/Archive] Borland InterBase Home Page
Inprise/Borland is pleased to announce the immediate availability of InterBase 6.0, the Open Source Database. Responding to the needs of an existing community of InterBase users, and to an even larger group of open source developers, Inprise/Borland is proud to join the many companies that have embraced open source. The addition of a commercial quality SQL database to the open source movement is expected to satisfy the needs of thousands of developers who need the reliability, scalability, and market proven qualities of a product like InterBase but who have also embraced the advantages of open source.
Read our press release:
Read the InterBase Public License:
Download InterBase 6.0 Now!
The download pages themselves got archived in the Wayback Machine, but none of the actual download links were:
- [Wayback/Archive] Borland InterBase Download Page (inprise-chil.www.conxion.com)
- [Wayback/Archive] Borland InterBase Download Page (inprise-heva.www.conxion.com)
- [Wayback/Archive] Borland InterBase Download Page (inprise-svca.www.conxion.com)
Missing downloads at the Internet Archive too:
- [Wayback/Archive] Inprise to release InterBase 6 as open-source
- [Wayback/Archive] Interbase Open Source Release – Slashdot
“At last, Interbase 6.0 is available (with source) for download. The announcement is here, with download mirrors in Chicago, Herndon and San Jose. You may also be interested in the licence – basically it is MPL with “Interbase” substituted for Mozilla/Netscape.”
- [Wayback/Archive] Indy/Bubbles/Playgrounds/FTPList/Data/Unix-ftp.borland.com-R-1.txt at master · IndySockets/Indy · GitHub at least has an overview of what the `ftp.borland.com` ftp server contents was (raw file: [Wayback/Archive] raw.githubusercontent.com/IndySockets/Indy/refs/heads/master/Bubbles/Playgrounds/FTPList/Data/Unix-ftp.borland.com-R-1.txt)
- [Wayback/Archive] Index of /~celio/mc527/interbase has quite a few old Interbase files including [Wayback] www.ic.unicamp.br/~celio/mc527/interbase/ib60src.tar.gz (I verified that the contents is OK at the time of writing this blog post)
- [Wayback/Archive] Borland Forum: IBConsol 1.0.0.320 source (Delphi) has the original 2000 [Wayback] www.borlandforum.com/impboard/attach/0000043133/IBConsole_src.ZIP
- [Wayback/Archive] the database experts Doc/High-level description of the InterBase 6.0 source code
- [Wayback/Archive] Firebird: Historical Reference has a whole lot of history from the early InterBase days at Ashton-Tate until Firebird early 2002.
Via
- [Wayback/Archive] Today In Infosec on X: “2001: It was disclosed that the Interbase database package had a compiled-in back door account – user “politically” and password “correct”. If that would have happened today instead, would the password have been “Inc0rr3ct!” instead? 🤔😹”
- [Wayback/Archive] Borland Interbase backdoor exposed • The Register.
Queries:
- [Wayback/Archive] interbase politically correct – Google Search
- [Wayback/Archive] interbase politically correct Frank Schlottmann-Goedde 2000 – Google Search
- [Wayback/Archive] firebird politically correct Frank Schlottmann-Goedde – Google Search
- [Wayback/Archive] interbase 6 source code – Google Search
- [Wayback/Archive] announcement interbase 6 open source – Google Search
- [Wayback/Archive] “ib60src.ZIP” – Google Search
- [Wayback/Archive] “ib60src.tar.gz” – Google Search
- [Wayback/Archive] “IBConsole_src.zip” – Search on Google
--jeroen





