Bugtraq mailing list archives
mSQL vulnerabilities
From: sni () SILENCE SECNET COM (Secure Networks Inc.)
Date: Sun, 27 Jul 1997 19:13:23 -0600
Secure Networks Inc.
Security Advisory
July 27, 1997

mSQL Server Vulnerabilities

This advisory describes a set of vulnerabilities which enable attackers to obtain unauthorized access to systems running mSQL database servers.

Problem Description
~~~~~~~~~~~~~~~~~~~

The mSQL server software, msqld or msql2d, performs no length checking on many of the strings it manipulates. By creating a query which contains a string longer than the mSQL server is prepared to deal with, an attacker can overwrite the stack and cause the mSQL server to execute arbitrary code.

A second vulnerability exists because the mSQL server does not perform a forward DNS lookup on the result of its reverse DNS lookup, allowing users able to spoof hostnames to access the mSQL server.

Technical Details
~~~~~~~~~~~~~~~~~

An example of the buffer overflows is present in the openTable function located in the table.c file:

    int openTable(table,db)
            char *table;
            char *db;
    {
            char path[MAXPATHLEN];

            (void)sprintf(path,"%s/msqldb/%s/%s.dat",msqlHomeDir,db,table);
            ...

In this example, the openTable function takes the table name and attempts to copy it into a buffer of finite size on the stack. The problem occurs because the mSQL server defines MAXPATHLEN itself, rather than obtaining it from sys/param.h, the operating system header file. In this case, the value of MAXPATHLEN is 160.
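As an added example (not code from the advisory or from mSQL), the same path construction with the length actually checked: MAXPATHLEN comes from the OS header and the return value of snprintf() decides whether the request is served. The msqlHomeDir value and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/param.h>   /* take MAXPATHLEN from the OS, not a private #define */
#ifndef MAXPATHLEN
#define MAXPATHLEN 1024  /* fallback for headers that do not define it */
#endif

/* Constructed stand-in for mSQL's msqlHomeDir global. */
static const char *msqlHomeDir = "/usr/local/Hughes";

/* Bounded replacement for the sprintf() in openTable(): writes
 * "<home>/msqldb/<db>/<table>.dat" into out[outlen]. Returns 0 on success
 * and -1 (with out emptied) when the result would not fit, so an over-long
 * table name is refused instead of running past the end of the buffer. */
int build_table_path(char *out, size_t outlen, const char *db, const char *table)
{
    int n;
    if (out == NULL || outlen == 0 || db == NULL || table == NULL)
        return -1;
    n = snprintf(out, outlen, "%s/msqldb/%s/%s.dat", msqlHomeDir, db, table);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same stack buffer openTable() used, now with the length actually checked. */
int open_table_example(const char *db, const char *table)
{
    char path[MAXPATHLEN];
    return build_table_path(path, sizeof path, db, table);
}

/* A normal request still yields exactly the path openTable() built. */
int short_name_builds_expected_path(void)
{
    char path[160];
    return build_table_path(path, sizeof path, "test", "users") == 0 &&
           strcmp(path, "/usr/local/Hughes/msqldb/test/users.dat") == 0;
}

/* With the advisory's 160-byte buffer, a 200-byte table name must be refused. */
int advisory_sized_buffer_rejects_overlong(void)
{
    char path[160], name[200];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return build_table_path(path, sizeof path, "test", name) == -1 && path[0] == '\0';
}
```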
In addition to the above buffer overflows, the username/hostname based access control mechanism in the msql daemon does not protect against an attacker with control of a DNS server:

    hp = (struct hostent *)gethostbyaddr(
            (char *)&conArray[newSock].remote.sin_addr,
            sizeof(conArray[newSock].remote.sin_addr), AF_INET);

Because msql2d does not do a forward lookup on the name provided by the reverse lookup and verify that the addresses match, an attacker with control of a DNS server can simply specify the name of a valid client host, and obtain access to the mSQL database.

Impact
~~~~~~

Remote individuals can induce msqld or msql2d to execute arbitrary commands. If msqld or msql2d is run as 'root', then an attacker can obtain root privileges.

Remote individuals can bypass the hostname based access control included in msqld or msql2d.

Vulnerable Systems
~~~~~~~~~~~~~~~~~~

mSQL 2.0.1 and earlier are vulnerable.

To determine the version of msql you are running, use the msqladmin program to run the msql stats command. By default, the msqladmin program can be found in /usr/local/Hughes/bin. A typical command line for running the stats command with the msqladmin program would read:

    /usr/local/Hughes/bin/msqladmin stats

and would generate output as follows:

    Server Statistics
    -----------------
    Mini SQL Version 2.0 Production Release
    Copyright (c) 1993-94 David J. Hughes
    Copyright (c) 1995-97 Hughes Technologies Pty Ltd.
    All rights reserved.

    Config file      : /usr/local/Hughes/msql.conf
    Max connections  : 214
    Cur connections  : 1
    Running as user  : msql

    Connection table :
     Sock  Username     Hostname          Database     Connect   Idle   Queries
    +-----+------------+-----------------+------------+---------+------+--------+
    |  6  | davids     | UNIX Sock       | No DB      | 0H 0M   | 0    | 1      |
    +-----+------------+-----------------+------------+---------+------+--------+
    ...

An error message will generally indicate that you are not running an mSQL server.
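The forward-confirmed check the advisory says msql2d lacks, written as an added example (not mSQL's code): the name obtained from the reverse lookup is resolved forward, and the peer is admitted only if its own address comes back. The resolver hook, the host client.example.com and the addresses are constructed so the check can be exercised offline.

```c
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* Resolver hook: fill up to max A records for name; return count, -1 on failure. */
typedef int (*forward_lookup_fn)(const char *name, struct in_addr *out, int max);

/* Real forward lookup through getaddrinfo(), IPv4 only like msql2d. */
int system_forward_lookup(const char *name, struct in_addr *out, int max)
{
    struct addrinfo hints = {0}, *res, *p;
    int n = 0;
    hints.ai_family = AF_INET;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return -1;
    for (p = res; p != NULL && n < max; p = p->ai_next)
        out[n++] = ((struct sockaddr_in *)p->ai_addr)->sin_addr;
    freeaddrinfo(res);
    return n;
}

/* Forward-confirmed reverse DNS: the name gethostbyaddr() gave for the peer is
 * trusted only if resolving that name yields the peer's address; a failed
 * lookup or a mismatch is treated as an unknown host (returns 0). */
int reverse_name_confirmed(struct in_addr peer, const char *reverse_name,
                           forward_lookup_fn lookup)
{
    struct in_addr addrs[16];
    int n, i;
    if (reverse_name == NULL || reverse_name[0] == '\0')
        return 0;
    n = lookup(reverse_name, addrs, 16);
    for (i = 0; i < n; i++)
        if (addrs[i].s_addr == peer.s_addr)
            return 1;
    return 0;
}

/* Constructed offline resolver: only client.example.com exists, at 192.0.2.10. */
int fake_forward_lookup(const char *name, struct in_addr *out, int max)
{
    if (max < 1 || strcmp(name, "client.example.com") != 0)
        return -1;
    out[0].s_addr = inet_addr("192.0.2.10");
    return 1;
}
```

In a server, reverse_name_confirmed() would be called with system_forward_lookup and the name returned by gethostbyaddr(), and the existing hostname access list consulted only when it returns 1.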
Fix information
~~~~~~~~~~~~~~~

No official security fix is available. Unofficial unified diffs which fix the known security problems in mSQL are available at ftp://ftp.secnet.com/pub/patches/msql2-patches.tar.gz

This archive contains unified diffs to fix mSQL 2.0-rel and mSQL 2.0.1. The md5 hash of the fix archive is:

    MD5 (msql2-patches.tar.gz) = 4c217760ef4cf1e4a286223e0f6ec589

Additional Information
~~~~~~~~~~~~~~~~~~~~~~

mSQL is a product of Hughes Technologies. For additional information about mSQL, please see http://www.hughes.com.au

For more information about Secure Networks, and for past advisories, please see http://www.secnet.com

If you have any questions, feel free to mail sni () secnet com. Our pgp public key is:

You can subscribe to our security advisory mailing list by sending mail to majordomo () secnet com, containing the single line

    subscribe sni-advisories

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers and advisories at ftp://ftp.secnet.com/advisories

Copyright Notice
~~~~~~~~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given.