Slashdot Mirror


Buffer Overflow in MySQL

maedls.at writes "Here is a short description of the Vulnerability: Passwords of MySQL users are stored in the "User" table, part of the "mysql" database, specifically in the "Password" field. In MySQL 4.0.x and 3.23.x, these passwords are hashed and stored as a 16-character-long hexadecimal value, specifically in the "Password" field. Unfortunately, a function involved in password checking misses correct bounds checking. By filling a "Password" field with a value wider than 16 characters, a buffer overflow will occur. For details and proof of concept see: http://lists.netsys.com/pipermail/full-disclosure/2003-September/009819.html"

6 of 43 comments

  1. Not too bad though by Prowl · · Score: 5, Informative

    The mysql user must have administrative privileges to exploit the bug

    i.e. access to the mysql table itself

    --
    That man tried to kill mah Daddy
    1. Re:Not too bad though by jpkunst · · Score: 3, Informative

      The mysql user must have administrative privileges to exploit the bug
      i.e. access to the mysql table itself

      If that is the case, there should be no problem unless the specific database for your application is accessed with the MySQL 'root' user (which would be very bad design).

      JP

    2. Re:Not too bad though by cookd · · Score: 5, Informative

      More detail:

      First, ALTER the User table of the mysql database (the table that contains the usernames and passwords of users allowed to connect to the database server) so that the Password column can have more than 16 characters.

      Second, UPDATE a row in the User table to give a user a "password" consisting of your buffer overflow code.

      Third, get MySQL to try to process that user's login info. This is done with "FLUSH PRIVILEGES" which flushes the cache of users and their passwords.

      You now can execute code in the context of the MySQL server.

      Of course, the MySQL server should be running as an unprivileged user anyway. And most people who can admin the MySQL server can probably admin the whole box.

      Just goes to show that nobody's perfect, I guess.

      --
      Time flies like an arrow. Fruit flies like a banana.
  2. Vendor Status by dago · · Score: 4, Informative

    MySQL AB has been informed of this vulnerability on Wed, 6 Aug 2003.

    The issue was confirmed and fixed in the development tree the next day.

    [side note: the MySQL development team is not only very reactive, the guys are also extremely nice]

    --
    #include "coucou.h"
  3. Not too bad really by quinkin · · Score: 3, Informative

    It's not as bad as I thought reading the banner - you need global administrator rights to perform the exploit. Most hosting servers will be pretty well protected - I certainly think I am.

    But there is no point tempting fate, and it's a good excuse to update anyway. :)

    Bugs fixed: * Fixed buffer overflow in SET PASSWORD which could potentially be exploited by MySQL users with root privileges to execute random code or to gain shell access (thanks to Jedi/Sector One for spotting and reporting this one).

    All fixed. Get your 4.0.15 here.

    Unfortunately, it seems that release 3.23.58 is "to be released soon". So people with older installations will have to be extra careful until an update is released.

    Q.

    --
    Insert Signature Here
  4. Re:Problem is in C libraries by arthurs_sidekick · · Score: 2, Informative

    The offending code is posted in the article; it makes no use of C libraries:

        void get_salt_from_password(ulong *res,const char *password)
        {
          res[0]=res[1]=0;
          if (password)
          {
            while (*password)
            {
              ulong val=0;
              uint i;
              for (i=0 ; i

    Looks like pretty much of a "d'oh!" coding error.

    --
    "Oh, I hope he doesn't give us halyatchkies," said Heinrich.
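The fragment quoted above fills a two-word result buffer from a hex string without ever checking how long that string is. The following is an added example, written for this page and not code from MySQL or from any commenter, of what the missing bounds check looks like: a hypothetical routine in the same shape (zero two words, fold eight hex digits into each) that refuses any input other than an empty string or exactly 16 hex digits, so a widened "Password" column can never push writes past the two words the caller provides. The function and helper names, and the sample hash values, are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed helper: numeric value of one hex digit, or -1 if the
   character is not a hex digit at all. */
static int hex_digit_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical hardened variant (not MySQL's code). The caller passes a
   buffer of exactly two words, so the only acceptable inputs are an empty
   string (no password: both words stay zero) or exactly 16 hex digits.
   Each group of 8 digits is folded into one word, most significant digit
   first. Returns 0 on success and -1 when the input is rejected; res is
   always zeroed first so a rejected call leaves nothing half-written. */
int get_salt_from_password_checked(unsigned long res[2], const char *password)
{
    res[0] = res[1] = 0;
    if (password == NULL)
        return 0;

    size_t len = strlen(password);
    if (len != 0 && len != 16)          /* the bounds check the fragment lacks */
        return -1;

    for (unsigned word = 0; word < 2 && len == 16; word++) {
        unsigned long val = 0;
        for (unsigned i = 0; i < 8; i++) {
            int d = hex_digit_value(*password++);
            if (d < 0)                  /* non-hex junk in the column is rejected too */
                return -1;
            val = (val << 4) + (unsigned long)d;
        }
        res[word] = val;
    }
    return 0;
}

int main(void)
{
    unsigned long salt[2];
    /* Constructed sample: a well-formed 16-digit value */
    const char *good = "5d2e19393cc5ef67";
    /* Constructed sample: 17 digits, one more than the field should hold */
    const char *too_long = "5d2e19393cc5ef670";

    int rc = get_salt_from_password_checked(salt, good);
    printf("good:     rc=%d words=%08lx %08lx\n", rc, salt[0], salt[1]);
    rc = get_salt_from_password_checked(salt, too_long);
    printf("too long: rc=%d (rejected, buffer untouched beyond two words)\n", rc);
    return 0;
}
```

The check is deliberately tied to the size of the buffer the caller hands over rather than to the width of the database column: the column can be widened by anyone with enough privilege, as the thread describes, but the two-word buffer in the caller cannot, so that is the limit the parser must enforce.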