[18748] in bugtraq


Re: Buffer overflow in MySQL < 3.23.31

daemon@ATHENA.MIT.EDU (Joao Gouveia)
Tue Jan 23 14:17:12 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <004301c084f5$0d7e2a40$0400a8c0@corbusier.org>
Date:         Tue, 23 Jan 2001 04:29:17 -0000
Reply-To: Joao Gouveia <tharbad@kaotik.org>
From: Joao Gouveia <tharbad@KAOTIK.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

----- Original Message -----
From: "Nicolas GREGOIRE" <nicolas.gregoire@7THZONE.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Thursday, January 18, 2001 5:44 PM
Subject: Buffer overflow in MySQL < 3.23.31


> Hi,
>
> all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
> server and which seems to be exploitable (i.e. 4141414 in eip)
>
> Problem :
> An attacker could gain mysqld privileges (gaining access to all the
> databases)
>
> Requirements :
> You need a valid login/password to exploit this

Not always, in a default installation one can exploit like this:
mysql -ustring -e<query>, no need for a valid database, login, nor
password.
Also, afaik, this can't easily be exploited just by using a "select
a.(buffer).a" because buffer must be part of a valid SQL query. I didn't
test it, but I suppose it's true.
The real danger of this flaw, I think, is the possibility of being
exploited remotely.
If there is a simple PHP script (for example) that has an SQL query like
"$SQL=select * from table where index=$index" (providing that $index isn't
quoted), one can exploit using something like: script.php?index=a.(buffer).b

>
> Solution :
> Upgrade to 3.23.31
>
> Proof-of-concept code :
> None
>
> Credits :
> I'm not the discoverer of this bug
> The first public report was made by tharbad@kaotik.org via the MySQL
> mailing-list
> See the following mails for details

Best regards,

Joao Gouveia
--------------
tharbad@kaotik.org
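The remote vector Joao describes above is a web script that interpolates a request parameter, unquoted, straight into the SQL text, so whatever the client sends reaches the database server as part of the query. The following is an added example, not code from the thread or from MySQL or PHP; it uses Python's bundled sqlite3 module as a stand-in for the MySQL server, and the table name `items`, the column `idx` and the sample rows are constructed for the demonstration. It places the vulnerable shape next to the hardened one: validating the parameter's type and then binding it, so the driver never sees user input as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the 'table' in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (idx INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [(1, "one"), (2, "two"), (3, "three")],
    )
    return conn


def build_query_unsafe(index):
    # The shape quoted in the post ("... where index=$index", $index unquoted):
    # the request parameter is pasted into the SQL string, so any text the
    # client supplies becomes part of the statement the server must parse.
    return f"SELECT * FROM items WHERE idx={index}"


def lookup_unsafe(conn, index):
    """Vulnerable path: the parameter changes the meaning of the query."""
    return conn.execute(build_query_unsafe(index)).fetchall()


def lookup_safe(conn, index):
    """Hardened path: enforce the expected type, then bind as a parameter.

    The SQL text is a constant; the value travels separately to the driver,
    so a non-numeric or over-long parameter is rejected here and never
    reaches the database server at all.
    """
    if isinstance(index, bool) or not isinstance(index, int):
        try:
            index = int(str(index), 10)
        except ValueError:
            raise ValueError("index must be an integer") from None
    return conn.execute("SELECT * FROM items WHERE idx=?", (index,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, honest input :", lookup_unsafe(db, "2"))
    print("unsafe, crafted input:", lookup_unsafe(db, "1 OR 1=1"))
    print("safe, honest input   :", lookup_safe(db, "2"))
    try:
        lookup_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("safe, crafted input  : rejected ->", exc)
```

With a numeric column the integer cast alone already stops the `a.(buffer).b` pattern from the post, because the buffer never becomes SQL; for string columns the same binding applies, and a length limit on the parameter before it is bound keeps an unusually long value from being handed to the server in the first place.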
