Date: Mon, 08 Aug 2005 18:38:02 -0400
From: Team SHATTER <shatter@appsecinc.com.>
To: [email protected]
Subject: [AppSecInc Advisory MYSQL05-V0002] Buffer Overflow in MySQL User Defined Functions
X-Enigmail-Version: 0.90.1.1
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: antivirus-gw at tyumen.ru
Buffer Overflow in MySQL User Defined Functions
AppSecInc Team SHATTER Security Advisory MYSQL05-V0002
http://www.appsecinc.com/resources/alerts/mysql/2005-002.html
August 08, 2005
Risk level: LOW
Credits: This vulnerability was discovered and researched by Reid
Borsuk of Application Security Inc.
Affected Versions:
ALL
Background:
User-defined functions in MySQL allow a user in the database to call
binary libraries on the operating system. Creating a user-defined
function requires insert privileges on the mysql.func table.
Details:
The init_syms() function uses an unsafe string function to copy a
user-specified string into a stack-based buffer. Because the input is
not properly sanitized, this buffer can be overflowed, overwriting
portions of the stack. This allows an attacker to write 14 bytes of
arbitrary data and 8 bytes of hard-coded data beyond the end of the
buffer.
The format of the CREATE FUNCTION statement is as follows:
CREATE FUNCTION function_name RETURNS type SONAME "library_name"
User specified input to the "function_name" field is limited to 64
characters. If this library can be successfully loaded by the
operating system, control is then passed to init_syms(). This will
attempt to copy the user string into a buffer 50 bytes in length. Hard
coded strings are then copied onto the end of this string. In some
older versions of MySQL this can be used to gain complete control over
the EIP or copy attacker specified data to an arbitrary location.
A further concern is that this buffer is owned by the calling function:
in an environment with a stack that grows upwards, it may be possible
to overwrite the EIP return address or other sensitive values.
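As an added illustration (not code from the advisory or from MySQL), the arithmetic behind the figures above, and a bounded replacement for the unsafe copy. The `_deinit` suffix is assumed from MySQL's xxx_init / xxx_deinit UDF naming convention, since the advisory does not name the hard-coded strings; with it, a 64-character name overruns the 50-byte buffer by 14 + 8 = 22 bytes.

```c
#include <stdio.h>
#include <string.h>

/* Figures from the advisory: a 50-byte stack buffer receiving a
 * function_name of up to 64 characters plus hard-coded suffixes. */
#define SYM_BUF_LEN   50
#define MAX_UDF_NAME  64

/* Assumed suffix (MySQL's xxx_init / xxx_deinit UDF convention; the
 * advisory does not name the hard-coded strings it refers to). */
#define SUFFIX_DEINIT "_deinit"

/* Bytes an unbounded strcpy(name) + strcat(suffix) + NUL would write past
 * the end of a SYM_BUF_LEN buffer, or 0 if everything fits. */
size_t overflow_bytes(size_t name_len, const char *suffix)
{
    size_t total = name_len + strlen(suffix) + 1;   /* +1 for the NUL */
    return total > SYM_BUF_LEN ? total - SYM_BUF_LEN : 0;
}

/* Longest function_name that still fits together with the longest suffix. */
size_t max_safe_name_len(void)
{
    return SYM_BUF_LEN - strlen(SUFFIX_DEINIT) - 1;
}

/* Hardened builder: checks the combined length before copying and refuses
 * instead of overflowing. Returns 0 on success, -1 if it would not fit. */
int build_symbol_name(char *out, size_t out_len,
                      const char *name, const char *suffix)
{
    size_t nlen = strlen(name), slen = strlen(suffix);
    if (nlen + slen + 1 > out_len)
        return -1;
    memcpy(out, name, nlen);
    memcpy(out + nlen, suffix, slen + 1);   /* includes the NUL */
    return 0;
}

int main(void)
{
    char name[MAX_UDF_NAME + 1], sym[SYM_BUF_LEN];
    memset(name, 'A', MAX_UDF_NAME);        /* constructed 64-char name */
    name[MAX_UDF_NAME] = '\0';
    printf("bytes past buffer end: %zu\n", overflow_bytes(strlen(name), SUFFIX_DEINIT));
    printf("bounded copy result:   %d\n", build_symbol_name(sym, sizeof sym, name, SUFFIX_DEINIT));
    printf("longest safe name:     %zu\n", max_safe_name_len());
    return 0;
}
```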
Exploiting this vulnerability would require the ability to create
user-defined functions. This is not typically granted to untrusted
users; however, given this vulnerability, you should understand the
ramifications of granting the ability to create user-defined functions.
Workaround:
Restrict access to create user-defined functions.
Vendor Status:
Vendor was contacted and a patch was released.
Fix:
MySQL versions 4.0.25, 4.1.13, and 5.0.7-beta have been patched. These
products can be found here:
http://dev.mysql.com/downloads/
Links:
Application Security, Inc advisory:
http://www.appsecinc.com/resources/alerts/mysql/2005-002.html
--
_____________________________________________
Application Security, Inc.
www.appsecinc.com
AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 300 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined with
our strong support team, deliver up-to-date application safeguards
that minimize risk and eliminate its impact on business.