Bugtraq mailing list archives

KSR[T] Advisory #10: mSQL ServerStats


From: dhg () KSRT ORG (Dave G.)
Date: Mon, 15 Feb 1999 04:56:24 -0500


KSR[T] Security Advisories
http://www.ksrt.org
ksrt () ksrt org

---

                                                    KSR[T] Advisory #010
                                                    Date:  Feb. 15, 1999
                                                    ID #:  msql-info-010

Affected Program:    mSQL (Mini SQL) 2.0.6 and below

Operating System(s): UNIX (Not vendor specific)

Summary:             Remote attackers could potentially gain read and/or
                     access to databases by retrieving authentication
                     information that is displayed in the response to a
                     remote statistics query.

Problem Description: mSQL is a database engine (available from
                     http://www.hughes.com.au) that supports a subset of
                     the ANSI SQL query specifications.  If remote
                     access is enabled (as of 2.0.4.1 remote access is
                     disabled by default) a remote user can retrieve
                     sensitive information.

                     By sending a ServerStats request, a remote attacker
                     can view the following information about the msqld
                     process:

                     1. The connection table
                          This table is a 'finger' like display of users
                          connected to the server, which databases they
                          are accessing, what hosts they are accessing
                          the server from, and other less critical
                          pieces of information.

                          Since mSQL uses host based and/or user based
                          authentication, this table reveals all
                          of the necessary components to access a
                          particular database.  This is only true if a
                          user is accessing a database at the time of a
                          query.

                     2. The server version
                          This allows an attacker to determine if a
                          machine is running a vulnerable version of
                          mSQL.

                     3. The current and maximum number of connections
                          These two pieces of information can be used to
                          launch an efficient denial of service attack.

                     4. The user name and user id of the msqld process
                          These two pieces of information provide
                          information about the underlying operating
                          system.


Compromise:          If host based access control is disabled, a
                     remote attacker can use the user names listed in
                     the connection table to access databases.  If host
                     based access control is enabled, a remote attacker
                     could launch a more complex attack (like DNS cache
                     poisoning) to access mSQL databases.

Notes:               We would like to thank David J. Hughes and Window
                     Snyder for their assistance with this advisory.

Patch/Fix:           The latest version of mSQL (2.0.7) scheduled for
                     release on February 15th, 1999 has disabled remote
                     statistics gathering.
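
An added example, not part of the KSR[T] advisory: a Python triage routine for an asset inventory that applies the version boundaries stated above (fixed in 2.0.7, remote access off by default as of 2.0.4.1). The function names, result labels, the remote_access field and the sample inventory are assumptions constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Version boundaries taken from the advisory text.
FIXED_IN = (2, 0, 7)             # remote statistics gathering disabled
DEFAULT_OFF_FROM = (2, 0, 4, 1)  # remote access disabled by default

def parse_version(text: str) -> Tuple[int, ...]:
    """Parse dotted-numeric versions such as '2.0.4.1' into an int tuple."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised mSQL version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def older_than(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Numeric comparison; pads with zeros so 2.0.7 and 2.0.7.0 compare equal."""
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(a) < pad(b)

def triage(version: str, remote_access: Optional[bool] = None) -> str:
    """Classify one msqld instance. remote_access is the configured setting,
    or None when the inventory does not record it (hypothetical field)."""
    v = parse_version(version)
    if not older_than(v, FIXED_IN):
        return "fixed"
    if remote_access is True:
        return "exposed"
    if remote_access is False:
        return "affected-local-only"
    # Setting unknown: fall back on what the advisory says about defaults.
    if older_than(v, DEFAULT_OFF_FROM):
        return "verify-config-predates-default-off"
    return "verify-config-default-off"

# Constructed sample inventory: (host, version, remote_access)
INVENTORY = [
    ("db1.example.org", "2.0.3", None),
    ("db2.example.org", "2.0.4.1", None),
    ("db3.example.org", "2.0.6", True),
    ("db4.example.org", "2.0.10", None),  # a plain string compare would sort this below 2.0.7
]

def report(inventory=INVENTORY):
    """Map each host to its triage label."""
    return {host: triage(ver, ra) for host, ver, ra in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:18} {status}")
```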


