[18747] in bugtraq
Re: MySQL < 3.23.31 Overflow [exploit] (fwd)
daemon@ATHENA.MIT.EDU (Michael Widenius)
Tue Jan 23 14:12:23 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-2022-jp
Message-Id: <14957.42910.912031.978457@narttu.mysql.com>
Date: Tue, 23 Jan 2001 17:47:42 +0200
Reply-To: monty@mysql.com
From: Michael Widenius <monty@MYSQL.COM>
X-To: Luis Miguel Ferreia Silva <lms@WWW.ISPGAYA.PT>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SC5.4.30.0101221912550.13550-200000@xenau>
Content-Transfer-Encoding: 8bit
Hi!
I got forwarded this 'exploit' of MySQL:
Lus> Hello...
Lus> Here's an exploit for this...
Lus> [See attached...]
Lus> Regardz,
Lus> Luis Miguel Silva aka wC
Lus> Member of lonoss.org and unsecurity.org
Lus> http://www.lonoss.org/
Lus> http://www.unsecurity.org/
Lus> http://www.ispgaya.pt/ Student
Lus> Personal WebPage at:
Lus> http://paginas.ispgaya.pt/~lms/
Lus> &&
Lus> http://www.unsecurity.org/wC/
Lus> Personal Code at:
Lus> www.unsecurity.org/wC/MyCode/
Lus> /*
Lus> Linux MySQL Exploit by Luis Miguel Silva [aka wC]
Lus> lms@ispgaya.pt
Lus> 19/01/y2k+1
Lus> Compile:
Lus> gcc MySQLXploit.c -o MySQLX
Lus> Run with:
Lus> You can specify the offset for the exploit passing it as the 1st arg...
Lus> Example: ./MySQLX 0 ---> this is the default offset :]
Lus> Advisory:
Lus> [from a bugtraq email]
Lus> Hi,
Lus> all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
Lus> server and which seems to be exploitable (i.e. 4141414 in eip)
Lus> Problem :
Lus> An attacker could gain mysqld privileges (gaining access to all the
Lus> databases)
Lus> Requirements :
Lus> You need a valid login/password to exploit this
Lus> Solution :
Lus> Upgrade to 3.23.31
Lus> Proof-of-concept code :
Lus> None
Lus> Credits :
Lus> I'm not the discoverer of this bug
Lus> The first public report was made by tharbad@kaotik.org via the MySQL
Lus> mailing-list
Lus> See the following mails for details
Lus> Regards,
Lus> Nicob
<cut>
I have looked at the 'exploit' and tested this against a 3.23.30
server, but it didn't work. The server nicely gave the error:
-----------------
(/my/tmp) exploit 0
MySQL [all versions < 3.23.31] Local Exploit by lms@ispgaya.pt
Trying to allocate memory for buffer (130 bytes)...SUCCESS!
Using address : 0x41414141
Offset : 0
Buffer Size : 130
Oh k...i have the evil'buffer right here :P
So...[if all went well], prepare to be r00t...
Enter password:
ERROR 1064 at line 1: You have an error in your SQL syntax near '^1FF
V
̀1ۉ@̀/bin/shAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' at line 1
-------------
I can't see how this particular exploit could work, as MySQL strips
all non-ASCII characters from the column name and stops at the first
non-ASCII character. In other words, an exploit like this could
theoretically work if the assembler code only used bytes in this
region, but as this particular program didn't do that...
Anyway, this is just a typical example of why one should be careful
not to run mysqld as root, but as its own user.
Regards,
Monty
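A small audit helper for the two points made in this thread (the fix shipped in 3.23.31, and mysqld should run as its own user rather than root), added here as an example; it is not code from Monty's post or from the MySQL project. The "mysqld  Ver X.Y.Z ..." banner format and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from MySQL: an audit helper
# for the two points made in the thread, the fixed release being 3.23.31 and
# mysqld needing to run as its own user rather than root.

# ver_lt A B: exit 0 when dotted version A is numerically older than B.
# Non-digit tails such as "-gamma" in "3.23.30-gamma" are ignored.
ver_lt() {
    a=$1; b=$2; i=0
    while [ "$i" -lt 3 ]; do
        x=${a%%.*}; x=${x%%[!0-9]*}; x=${x:-0}
        y=${b%%.*}; y=${y%%[!0-9]*}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
        i=$((i + 1))
    done
    return 1
}

# mysqld_version_from_banner BANNER: print the version field of a
# "mysqld  Ver X.Y.Z ..." banner (banner format is an assumption, not from the post).
mysqld_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Ver \([0-9][0-9.]*[^ ]*\).*/\1/p'
}

# audit_mysqld VERSION USER: report findings; exit 0 only when nothing needs fixing.
audit_mysqld() {
    rc=0
    if ver_lt "$1" 3.23.31; then
        echo "mysqld $1 predates 3.23.31: upgrade (column-name overflow fix)"
        rc=1
    fi
    if [ "$2" = root ]; then
        echo "mysqld runs as root: run it as its own unprivileged user"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input (not real output): a banner and a process owner.
BANNER='mysqld  Ver 3.23.30-gamma for pc-linux-gnu on i686'
audit_mysqld "$(mysqld_version_from_banner "$BANNER")" root || echo "action required"
```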