Bugtraq mailing list archives
KSR[T] Advisory #10: mSQL ServerStats
From: dhg () KSRT ORG (Dave G.)
Date: Mon, 15 Feb 1999 04:56:24 -0500
KSR[T] Security Advisories    http://www.ksrt.org    ksrt () ksrt org
---

KSR[T] Advisory #010
Date: Feb. 15, 1999
ID #: msql-info-010

Affected Program: mSQL (Mini SQL) 2.0.6 and below

Operating System(s): UNIX (Not vendor specific)

Summary:

Remote attackers could potentially gain read and/or access to databases by retrieving authentication information that is displayed in the response to a remote statistics query.

Problem Description:

mSQL is a database engine (available from http://www.hughes.com.au) that supports a subset of the ANSI SQL query specifications. If remote access is enabled (as of 2.0.4.1 remote access is disabled by default) a remote user can retrieve sensitive information.

By sending a ServerStats request, a remote attacker can view the following information about the msqld process:

1. The connection table

   This table is a 'finger' like display of users connected to the server, which databases they are accessing, what hosts they are accessing the server from, and other less critical pieces of information. Since mSQL uses either host based and/or user based authentication, this table reveals all of the necessary components to access a particular database. This is only true if a user is accessing a database at the time of a query.

2. The server version

   This allows an attacker to determine if a machine is running a vulnerable version of mSQL.

3. The current and maximum number of connections

   These two pieces of information can be used to launch an efficient denial of service attack.

4. The user name and user id of the msqld process

   These two pieces of information provide information about the underlying operating system.

Compromise:

If host based access control is disabled, a remote attacker can use the user names listed in the connection table to access databases. If host based access control is enabled, a remote attacker could launch a more complex attack (like DNS cache poisoning) to access mSQL databases.

Notes:

We would like to thank David J. Hughes and Window Snyder for their assistance with this advisory.

Patch/Fix:

The latest version of mSQL (2.0.7) scheduled for release on February 15th, 1999 has disabled remote statistics gathering.
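
The following triage helper is an added example, not part of the KSR[T] advisory or of mSQL. It sorts an inventory of msqld instances by the exposure conditions the advisory describes. The inventory fields, status labels and host names are constructed, and it assumes releases before 2.0.4.1 shipped with remote access enabled, which the advisory implies but does not state.

```python
import re

FIXED = "2.0.7"               # advisory: 2.0.7 disables remote statistics
DEFAULT_OFF_FROM = "2.0.4.1"  # advisory: remote access off by default from here

def parse_version(text):
    """Turn '2.0.4.1' into (2, 0, 4, 1), zero-padded to four parts."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))

def triage(version, remote_access=None, host_acl=True):
    """Classify one msqld instance. remote_access=None means 'left at default'."""
    v = parse_version(version)
    if v >= parse_version(FIXED):
        return "fixed"
    if remote_access is None:
        # Assumption: releases before 2.0.4.1 shipped with remote access enabled.
        remote_access = v < parse_version(DEFAULT_OFF_FROM)
    if not remote_access:
        return "affected-local-only"
    # Remote ServerStats is answerable, so the connection table is readable.
    # Without host-based ACLs the leaked user names are sufficient on their own.
    return "exposed" if host_acl else "exposed-no-host-acl"

PRIORITY = ["exposed-no-host-acl", "exposed", "affected-local-only", "fixed"]

def report(inventory):
    """Return (host, status) pairs, most urgent first."""
    rows = [(h["host"], triage(h["version"], h.get("remote_access"),
                               h.get("host_acl", True))) for h in inventory]
    return sorted(rows, key=lambda r: PRIORITY.index(r[1]))

# Constructed sample inventory, not real hosts.
SAMPLE = [
    {"host": "db-a", "version": "2.0.7"},
    {"host": "db-b", "version": "2.0.6"},
    {"host": "db-c", "version": "2.0.3"},
    {"host": "db-d", "version": "2.0.4.1", "remote_access": True, "host_acl": False},
]

if __name__ == "__main__":
    for host, status in report(SAMPLE):
        print(f"{host}: {status}")
```
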