Slashdot Mirror


Remote hole, DoS in MySQL

Wee writes "I just saw two pretty nasty vulnerabilities in MySQL were announced today by a German company called e-matters. From the announcement: "We have discovered two flaws within the MySQL server that can be used by any MySQL user to crash the server. Furthermore one of the flaws can be used to bypass the MySQL password check or to execute arbitrary code with the privileges of the user running mysqld. We have also discovered an arbitrary size heap overflow within the mysql client library and another vulnerability that allows to write '\0' to any memory address. Both flaws could allow DOS attacks against or arbitrary code execution within anything linked against libmysqlclient." Version 3.23.54 fixes the issues in 3.x. I couldn't find a patched version for the 4.0 beta."

4 of 68 comments

  1. announce@lists.mysql.com by mnordstr · Score: 5, Informative

    Hi,

    MySQL 3.23.54, a new version of the world's most popular Open Source
    Database, has been released. It is now available in source and binary
    form for a number of platforms from our download pages at
    http://www.mysql.com/downloads/ and mirror sites.

    This is a bugfix release for the current stable tree.

    Apart from fixing several bugs, this release also resolves multiple
    security vulnerabilities that have been found and reported to us by Stefan
    Esser from e-matters GmbH, Germany. You can read the full text of Stefan's
    advisory here:

    http://security.e-matters.de/advisories/042002.html

    We are very grateful for his help in spotting and reporting this problem
    to us.

    As these vulnerabilities can be exploited from a remote attacker to crash
    the MySQL server or to execute arbitrary code with the privileges of the
    user running the MySQL server, we strongly advise all users to upgrade to
    this version.

    MySQL 4.0 is also affected by this problem - we will provide updated
    packages for this version as soon as possible, too. The required fixes
    have already been applied to our public BitKeeper source repositories as
    well.
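    An added defensive check, not part of the announcement or of any post in this thread: read the version string a mysqld sends in its initial handshake packet and compare it against the 3.23.54 release named above. The handshake layout used here (protocol version 10) and the sample packet builder are assumptions; 4.0 is flagged as vulnerable because the announcement says fixed packages were not yet available.

```python
import re
import struct

# Fixed release named in the announcement for the 3.x tree.
FIXED_3X = (3, 23, 54)

def parse_server_version(packet: bytes) -> str:
    """Extract the server version from a MySQL initial handshake.
    Assumed layout: 3-byte LE payload length, 1-byte sequence id,
    1-byte protocol version (10), NUL-terminated version string."""
    if len(packet) < 6:
        raise ValueError("packet too short for a handshake")
    length = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + length]
    if len(payload) < length:
        raise ValueError("truncated handshake payload")
    if payload[0] != 10:
        raise ValueError(f"unsupported protocol version {payload[0]}")
    end = payload.find(b"\x00", 1)
    if end == -1:
        raise ValueError("server version string is not NUL-terminated")
    return payload[1:end].decode("ascii", errors="replace")

def version_tuple(version: str) -> tuple:
    """'3.23.53-log' -> (3, 23, 53); suffixes like -log or -beta are dropped."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def assess(version: str) -> str:
    """'fixed', 'vulnerable' or 'unknown', per the state in the announcement."""
    major, minor, patch = version_tuple(version)
    if major == 3:
        return "fixed" if (major, minor, patch) >= FIXED_3X else "vulnerable"
    if (major, minor) == (4, 0):
        # Announcement: 4.0 is affected and no fixed packages exist yet.
        return "vulnerable"
    return "unknown"

def build_handshake(version: str) -> bytes:
    """Constructed sample handshake for offline testing (not a real capture)."""
    payload = bytes([10]) + version.encode() + b"\x00"
    payload += struct.pack("<I", 42)                 # connection id
    payload += b"abcdefgh" + b"\x00"                 # 8-byte scramble + filler
    payload += struct.pack("<HBH", 0x002C, 8, 2)     # capabilities, charset, status
    payload += b"\x00" * 13                          # reserved filler
    return len(payload).to_bytes(3, "little") + b"\x00" + payload
```

    In practice the packet would come from the first recv() on port 3306; a version the check cannot parse should be treated as a finding to investigate, not as safe.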

  2. Re:this is how i crashed mySQL server by Mark+Round · Score: 5, Funny

    "I was writing a complex WHERE clause with multiple ANDs and ORs and I forgot to put the parentheses around OR statements, and that crashed the whole mysqld."

    It was like "bleep bleep bleep bleep bleep". It was a really good query. It was like... a bummer.

  3. Not on front page? by Alizarin+Erythrosin · Score: 5, Insightful

    Seeing as how there may be a number of /. readers who might not catch this story but probably should know about it, why isn't it on the front page?

    --
    There are only 10 kinds of people in this world... those who understand binary and those who don't

  4. risk assessment by ubiquitin · Score: 5, Informative

    So what are the risks involved with not patching your MySQL install ASAP? Should we expect script kiddies to have exploits in their hands in days, weeks, months?

    The two flaws in the MySQL server involve TABLE_DUMP and CHANGE_USER, neither of which are typically done regularly, unless you're using dump to backup your db. Interesting that anything that is linked against libmysql is potentially vulnerable to the read_rows Overflow. This means that PHP/Apache/Perl and there the OS could in theory be exploited this way, though the attacker would have to have some pretty generous write access to the database first. Both client vulnerabilities demand that you feed data into rows that your client is requesting.

    The most interesting part of this, by far, is the final comment: "Finally it must be mentioned that an attacker can of course use a combination of the described attacks to break into a system or to get access to privileges he normally does not own. f.e. it is possible for a local user to crash the server with the COM_TABLE_DUMP bug (if he cannot take over the root account with the COM_CHANGE_USER bug) and then bind a fake server to the MySQL port 3306. And with a fake server he can exploit the libmysqlclient overflow. Another scenario would be an attacker that tries to exploit his favourite mod_scripting language to take over the webserver by connecting to an external fake server... "

    My two cents? Man-in-the-middle attacks are pretty damned hard to pull off, even when the stakes are high and you've got the most skilled cracker interested. Keep current on MySQL releases on a quarterly basis and you should be OK. YMMV

    --
    http://tinyurl.com/4ny52