Bugtraq mailing list archives

Re: Some more MySql security issues


From: Peter van Dijk <peter () DATALOSS NL>
Date: Mon, 12 Feb 2001 19:53:35 +0100

On Sun, Feb 11, 2001 at 12:40:48AM +0100, Konrad Rieck wrote:
> I am a little bit confused about this mail. Maybe the author
> can explain some issues to me...
>
> On Sat, Feb 10, 2001 at 12:54:33AM -0000, Joao Gouveia wrote:
>> roberto@spike:~ > mysql -ublaah (Note: 'blaah' obviously isn't a valid
>> username)
>
> You seem to have a strange configuration of mysql. By default only valid
> users are allowed to connect to the database. So the overflow in
> "drop database" can only be used by users of mysql. Well anyway, a security
> problem that can lead to the privileges the mysqld is running under, but
> not as simple as you show above.

A very irrelevant issue. The note about the obviously valid username
is incorrect, that is a configuration issue.

It doesn't, however, make the problem any less.

>> /home/jroberto/httpd/mysql/bin/mysql -h`perl -e'printf("A"x200)'`
>
> This is a nice example of bad code, but not a security issue, I could
> show up a 100 of programs that simply don't care for *argv parameters.
> You don't gain anything by exploiting such overflows in non-suid programs.

It, however, shows bad coding habits. Also, lots of programs might be
used in a 'privilege-elevated situation'. The overflows in 'host' and
'nslookup' have been fixed for real reasons. Those same reasons may
apply to the mysql console client.

Greetz, Peter.

