Remote crash of FileMaker Pro via TCP/IP sharing
- Date: 5 August 2003
- Author: Stephen White
- Application: FileMaker Pro, FileMaker Server
- Vendor: FileMaker Inc. http://www.filemaker.com/
- Versions: 5.0, 5.5, 6.0. All platforms.
Verified on FileMaker Pro 5.0/Windows 2000,
FileMaker Pro 6.0/Windows 2000,
FileMaker Server 5.5/Linux.
- Bug: A malformed message sent to TCP port 5003 on a FileMaker server, or on a copy of FileMaker Pro that is sharing databases via TCP/IP, will cause FileMaker to crash.
- Remote: Yes.
- Local: N/A
Overview
Vulnerable organisations: those using FileMaker Pro TCP/IP network sharing
(including FileMaker Server).
Impact: denial of service
Fix / Workaround
FileMaker were contacted about this issue on May 26, 2003. I have received no response from them.
Solutions:
- Disable 'multi user' or 'TCP/IP' access to FileMaker databases.
- If sharing via FileMaker networking (peer-to-peer or client/server) is
required, ensure that FileMaker Pro hosts and servers are only accessible
to trusted intranet systems through an appropriate firewall setup.
External access could be arranged by using VPN or TCP tunnelling software.
- Share data using alternative means, such as web publishing with 'Web
Companion' or Lasso, or other middleware or 3rd party plug-ins. I have not
tested these so am not in a position to provide specific recommendations.
- Use alternative database software if these solutions do not address your
requirements.
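One way to confirm the firewall workaround above is in effect, as an added example that is not part of the original advisory: run this from a network that should not be able to reach the FileMaker hosts and check that none of them accepts a connection on TCP port 5003. The function names and the script name are hypothetical; the check only opens and closes a TCP connection and sends no data.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

FILEMAKER_PORT = 5003  # TCP port named in the advisory


def probe(host, port=FILEMAKER_PORT, timeout=3.0):
    """Classify a TCP connect attempt. Opens and closes a connection; sends no data."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: service reachable from here
    except ConnectionRefusedError:
        return "closed"            # refused: nothing listening, or a firewall rejects
    except socket.timeout:
        return "filtered"          # no answer: packets are probably being dropped
    except OSError as exc:
        return "error: %s" % exc   # DNS failure, no route to host, ...


def audit(hosts, port=FILEMAKER_PORT, timeout=3.0):
    """Probe all hosts in parallel and return {host: state}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = pool.map(lambda h: probe(h, port, timeout), hosts)
        return dict(zip(hosts, states))


def exposed(results):
    """Hosts that accepted the connection, i.e. where the firewall rule is missing."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_5003.py host1 host2 ...
    results = audit(sys.argv[1:])
    for host, state in sorted(results.items()):
        print("%-30s %s" % (host, state))
    sys.exit(1 if exposed(results) else 0)  # non-zero exit if any host is reachable
```

A host reported as "open" from an untrusted vantage point is still reachable by anyone on that network and needs the firewall rule tightened.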
Discussion
I am avoiding giving details of the protocol used by FileMaker Pro to share databases via TCP/IP, because it contains other flaws (such as that described in report FM001) and I want to avoid making it much easier for people to exploit these maliciously.
To reproduce the crash simply download this file (filemaker.bad.data) and send it to a FileMaker server, or copy of FileMaker Pro that is sharing databases via TCP/IP, on TCP port 5003. On unix that can be achieved by using 'netcat' as follows:
cat filemaker.bad.data | nc filemaker.host.name 5003
This should cause the copy of FileMaker running on the host in question to terminate immediately.