[19174] in bugtraq
Re: Some more MySql security issues
daemon@ATHENA.MIT.EDU (Peter van Dijk)
Tue Feb 13 00:22:47 2001
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010212195335.C55386@dataloss.nl>
Date: Mon, 12 Feb 2001 19:53:35 +0100
Reply-To: Peter van Dijk <peter@DATALOSS.NL>
From: Peter van Dijk <peter@DATALOSS.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010211004048.A9515@inf.fu-berlin.de>; from kr@R0Q.CX on Sun, Feb 11, 2001 at 12:40:48AM +0100
On Sun, Feb 11, 2001 at 12:40:48AM +0100, Konrad Rieck wrote:
> I am a little bit confused about this mail. Maybe the author
> can explain some issues to me...
>
> On Sat, Feb 10, 2001 at 12:54:33AM -0000, Joao Gouveia wrote:
> > roberto@spike:~ > mysql -ublaah (Note: 'blaah' obviously isn't a valid
> > username)
>
> You seem to have a strange configuration of mysql. By default only valid
> users are allowed to connect to the database. So the overflow in
> "drop database" can only be used by users of mysql. Well anyway, a security
> problem that can lead to the privileges the mysqld is running under, but
> not as simple as you show above.
A very irrelevant issue. The note about the obviously valid username
is incorrect; that is a configuration issue.
It doesn't, however, make the problem any less of a problem.
> > /home/jroberto/httpd/mysql/bin/mysql -h`perl -e'printf("A"x200)'`
>
> This is a nice example of bad code, but not a security issue, I could
> show up a 100 of programs that simply don't care for *argv parameters.
> You don't gain anything by exploiting such overflows in non-suid programs.
It, however, shows bad coding habits. Also, lots of programs might be
used in a 'privilege-elevated situation'. The overflows in 'host' and
'nslookup' have been fixed for real reasons. Those same reasons may
apply to the mysql console client.
Greetz, Peter.
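The argv overflow argued over in this thread, as an added illustration that is neither code from the original posts nor from the MySQL client source: a fixed-size host buffer filled from a command-line argument with no bound (the pattern the `-h` report implies), beside a checked copy that refuses anything that does not fit. `HOST_MAX`, the function names and the constructed "A" x 200 input are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size host buffer; the real client's size is not given
 * in the thread, 64 is an assumption for the demonstration. */
#define HOST_MAX 64

/* Vulnerable pattern: copy an argv value into a fixed buffer with no bound.
 * A 200-byte -h value overruns host[] on the stack. Shown only for the shape
 * of the bug; never call it with attacker-controlled input. */
int copy_host_unchecked(char *host, const char *arg)
{
    strcpy(host, arg);          /* no length check: classic argv overflow */
    return 0;
}

/* Hardened form: reject an argument that does not fit, NUL included,
 * instead of truncating silently or overrunning. Returns 0 or -1. */
int copy_host_checked(char *host, size_t hostlen, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= hostlen)
        return -1;              /* too long: refuse it */
    memcpy(host, arg, n + 1);   /* bounded copy, terminator included */
    return 0;
}

/* Constructed sample input: "A" repeated len times, the C equivalent of the
 * perl -e'printf("A"x200)' one-liner quoted in the thread. Caller frees. */
char *make_long_host(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* What a hardened option parser would do with -h: 0 accepted, -1 rejected. */
int check_host_arg(const char *arg)
{
    char host[HOST_MAX];
    return copy_host_checked(host, sizeof host, arg);
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "localhost";
    char *longarg = make_long_host(200);

    printf("%s: %s\n", arg,
           check_host_arg(arg) == 0 ? "accepted" : "rejected");
    printf("\"A\" x 200: %s\n",
           longarg && check_host_arg(longarg) == 0 ? "accepted" : "rejected");
    free(longarg);
    return 0;
}
```

The point the reply makes still holds for the checked version: the client binary need not be setuid for the bound to matter, because whatever invokes it (a CGI script, a cron job, a wrapper running as another user) lends it that context.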