[Zope] Buffer overflow in MySQL < 3.23.31

Ragnar Beer rbeer@uni-goettingen.de
Tue, 23 Jan 2001 09:12:19 +0100


Howdy!

Just for us MySQL users I'm forwarding this from bugtraq.

Ragnar

>Hi,
>
>all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
>server and which seems to be exploitable (i.e. 4141414 in eip)
>
>Problem :
>An attacker could gain mysqld privileges (gaining access to all the
>databases)
>
>Requirements :
>You need a valid login/password to exploit this
>
>Solution :
>Upgrade to 3.23.31
>
>Proof-of-concept code :
>None
>
>Credits :
>I'm not the discoverer of this bug
>The first public report was made by tharbad@kaotik.org via the MySQL
>mailing-list
>See the following mails for details
>
>Regards,
>Nicob
>
>Here is the original post to the MySQL mailing-list :
>==================================================
>
>On Jan 12, João Gouveia wrote:
>>  Hi,
>>
>>  I believe I've found a problem in MySQL. Here are some tests I've made in
>>  3.22.27 x86 (also tested on v3.22.32, the latest stable, although I didn't
>>  debug it, just tested to see if it crashes). Confirmed up to latest 3.23
>
>>  On one terminal:
>>  <quote>
>>  spike:/var/mysql # /sbin/init.d/mysql start
>>  Starting service MySQL.
>>  Starting mysqld daemon with databases from /var/mysql
>>  done
>>  spike:/var/mysql #
>>  </quote>
>>
>>  On the other terminal:
>>  <quote>
>>  jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
>>  Enter password:
>>  (hanged..^C)
>>  </quote>
>>
>>  On the first terminal I got:
>>  <quote>
>>  spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
>>  nohup $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-locking "$@" >>$err_log 2>&1
>>  Number of processes running now: 0
>>  mysqld restarted on  Fri Jan 12 07:10:54 WET 2001
>>  mysqld daemon ended
>>  </quote>
>>
>>  gdb shows the following:
>>  <quote>
>>  (gdb) run
>>  Starting program: /usr/sbin/mysqld
>>  [New Thread 16897 (manager thread)]
>>  [New Thread 16891 (initial thread)]
>>  [New Thread 16898]
>>  /usr/sbin/mysqld: ready for connections
>>  [New Thread 16916]
>>  [Switching to Thread 16916]
>>
>>  Program received signal SIGSEGV, Segmentation fault.
>>  0x41414141 in ?? ()
>>  (gdb) info all-registers
>>  eax            0x1      1
>>  ecx            0x68     104
>>  edx            0x8166947        135686471
>>  ebx            0x41414141       1094795585
>>  esp            0xbf5ff408       0xbf5ff408
>>  ebp            0x41414141       0x41414141
>>  esi            0x41414141       1094795585
>>  edi            0x0      0
>>  eip            0x41414141       0x41414141
>>  eflags         0x10246  66118
>>  cs             0x23     35
>>  ss             0x2b     43
>>  ds             0x2b     43
>>  es             0x2b     43
>>  fs             0x0      0
>>  gs             0x0      0
>>  (gdb)
>>  </quote>
>>
>>  looks like a typical overflow to me.
>>  Please reply asap, at least to tell me I'm not seeing things. :-)
>>  Best regards,
>>
>>  Joao Gouveia aka Tharbad.
>>
>>  tharbad@kaotik.org
>
>Here is the response to an email I sent today to the MySQL list :
>============================================================
>
>Sergei Golubchik (MySQL team) wrote :
>>
>>  Hi!
>>
>>  On Jan 18, Nicolas GREGOIRE wrote:
>>  > Hi,
>>  >
>>  > Still not any info about the buffer-overflow discovered last week ?
>>  > Shouldn't be fixed at the beginning of the week ?
>>  >
>>  > Please, dear MySQL team, give us info !!
>>  >
>>  > Regards,
>>  > Nicob
>>
>>  Fixed in latest release (3.23.31).
>>
>>  Regards,
>>  Sergei
>
>Here is part of the 3.23.30 to 3.23.31 diff :
>=============================================
>
>+Changes in release 3.23.31
>+--------------------------
>+
>+   * Fixed security bug in something (please upgrade if you are using a
>+     earlier MySQL 3.23 version).
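The reproducer in the forwarded post is a 130-character identifier, and the gdb register dump shows the saved return address and several callee-saved registers replaced by the 'A' pattern, the signature of a fixed-size stack buffer overrun by an unbounded copy. The following C is an added example, not MySQL's code and not from any of the quoted mails: it places the bug class (an unchecked strcpy of an identifier into a stack buffer) beside a hardened parser that checks every component of a dotted name against a length limit before copying. The limit MAX_IDENT_LEN, the function names and the constructed input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed identifier limit for this example (MySQL's own limit for most
 * identifiers is 64 characters, but nothing here is MySQL code). */
#define MAX_IDENT_LEN 64
#define MAX_PARTS 3

/* The vulnerable pattern: a fixed stack buffer filled by an unbounded copy.
 * An identifier longer than the buffer overwrites saved registers and the
 * return address, which is how "0x41414141 in eip" arises. Shown for
 * comparison only; it is never called in this example. */
void copy_ident_unsafe(const char *ident)
{
    char buf[MAX_IDENT_LEN];
    strcpy(buf, ident);   /* no length check before the copy */
    (void)buf;
}

/* Hardened form: validate the length against both the destination size and
 * the identifier limit, and refuse the input instead of truncating it.
 * Returns 0 on success, -1 if the identifier is rejected. */
int copy_ident_checked(const char *ident, size_t ident_len,
                       char *out, size_t out_size)
{
    if (ident_len == 0 || ident_len > MAX_IDENT_LEN || ident_len >= out_size)
        return -1;
    memcpy(out, ident, ident_len);
    out[ident_len] = '\0';
    return 0;
}

/* Split a qualified name such as "db.table.column" on dots and copy each
 * component through the checked copy. Returns the number of components,
 * or -1 if any component is empty or too long, or there are too many. */
int parse_qualified_name(const char *name,
                         char parts[][MAX_IDENT_LEN + 1], int max_parts)
{
    int n = 0;
    const char *p = name;

    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);

        if (n >= max_parts)
            return -1;
        if (copy_ident_checked(p, len, parts[n], MAX_IDENT_LEN + 1) != 0)
            return -1;
        n++;
        if (!dot)
            return n;
        p = dot + 1;
    }
}

/* Constructed input shaped like the post's reproducer: "a." followed by
 * 130 'A' characters and ".b". Not taken from any real query log. */
const char *constructed_long_name(void)
{
    static char name[160];
    size_t i = 0;
    name[i++] = 'a';
    name[i++] = '.';
    memset(name + i, 'A', 130);
    i += 130;
    name[i++] = '.';
    name[i++] = 'b';
    name[i] = '\0';
    return name;
}

int main(void)
{
    char parts[MAX_PARTS][MAX_IDENT_LEN + 1];
    const char *inputs[] = { "a.b", "db.t.col", constructed_long_name() };
    size_t k;

    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        int n = parse_qualified_name(inputs[k], parts, MAX_PARTS);
        if (n < 0)
            printf("rejected: a component exceeds %d bytes or the name is malformed\n",
                   MAX_IDENT_LEN);
        else
            printf("accepted: %d component(s)\n", n);
    }
    return 0;
}
```

The design point is that the checked version rejects rather than silently truncates: a 130-byte identifier is not valid input for any caller, so refusing it at the parser keeps every downstream fixed-size buffer within bounds and turns the crash in the post into an ordinary syntax error returned to the client.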