Bugtraq mailing list archives

Re: MySQL < 3.23.31 Overflow [exploit] (fwd)


From: Michael Widenius <monty () mysql com>
Date: Tue, 23 Jan 2001 17:47:42 +0200

Hi!

I got forwarded this 'exploit' of MySQL:

Lus> Hello...
Lus> Here's an exploit for this...
Lus> [See attached...]

Lus> Regardz,
Lus> Lus Miguel Silva aka wC

Lus> Member of lonoss.org and unsecurity.org
Lus> http://www.lonoss.org/
Lus> http://www.unsecurity.org/
Lus> http://www.ispgaya.pt/ Student

Lus> Personal WebPage at:
Lus> http://paginas.ispgaya.pt/~lms/
Lus> &&
Lus> http://www.unsecurity.org/wC/

Lus> Personal Code at:
Lus> www.unsecurity.org/wC/MyCode/

Lus> /*

Lus>  Linux MySQL Exploit by Luis Miguel Silva [aka wC]
Lus>  lms () ispgaya pt
Lus>  19/01/y2k+1

Lus>  Compile:

Lus>    gcc MySQLXploit.c -o MySQLX

Lus>  Run with:

Lus>    You can specify the offset for the exploit passing it as the 1st arg...

Lus>    Example: ./MySQLX 0 ---> this is the default offset :]

Lus>  Advisory: 
Lus>  [from a bugtraq email]

Lus>  Hi,

Lus>  all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
Lus>  server and which seems to be exploitable (i.e. 4141414 in eip)

Lus>  Problem :
Lus>  An attacker could gain mysqld privileges (gaining access to all the
Lus>  databases)

Lus>  Requirements :
Lus>  You need a valid login/password to exploit this

Lus>  Solution :
Lus>  Upgrade to 3.23.31

Lus>  Proof-of-concept code :
Lus>  None

Lus>  Credits :
Lus>  I'm not the discoverer of this bug
Lus>  The first public report was made by tharbad () kaotik org via the MySQL
Lus>  mailing-list
Lus>  See the following mails for details

Lus>  Regards,
Lus>  Nicob

<cut>

I have looked at the 'exploit' and tested this against a 3.23.30
server, but it didn't work.  The server nicely gave the error:

-----------------
(/my/tmp) exploit 0

MySQL [all versions < 3.23.31] Local Exploit by lms () ispgaya pt

Trying to allocate memory for buffer (130 bytes)...SUCCESS!
Using address : 0x41414141
Offset        : 0
Buffer Size   : 130
Oh k...i have the evil'buffer right here :P
So...[if all went well], prepare to be r00t...
Enter password:
ERROR 1064 at line 1: You have an error in your SQL syntax near '^\x891\xC0\x88F\x89F
                                                                         \xB0
                                                                          \x89\xF3\x8D\x8DV
                                                                               
\xCD\x801\xDB\x89\xD8@\xCD\x80蒂\xFF\xFF\xFF/bin/shAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' at line 1

-------------

I can't see how this particular exploit could work, as MySQL strips
all non-ASCII characters from the column name and stops at the first
non-ASCII character.  In other words, an exploit like this could
theoretically work if the assembler code only used bytes in this
region, but this particular program didn't do that...

Anyway, this is just a typical example of why one should be careful
not to run mysqld as root, but as its own user.

Regards,
Monty
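The check a practitioner would want to run on a payload before believing this kind of exploit is the one Monty's point implies: does the payload survive a filter that cuts the column name at its first non-ASCII byte? The program below is an added example, not part of Monty's message or of the MySQL source; the filter is a model of the behaviour he describes (stop at the first byte above 0x7F), not MySQL's actual identifier-parsing code, and the shellcode bytes are constructed for illustration rather than taken from the posted exploit.

```c
/*
 * Added example, not code from the original message or from MySQL.
 * Models the filter Monty describes: the column name is cut at the
 * first non-ASCII byte. Used to check whether a payload could reach
 * the overflow intact. Byte values below are constructed stand-ins,
 * not the posted exploit's exact shellcode.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the prefix that survives a "stop at first non-ASCII byte" filter
 * (assumption: MySQL's real parser is not modelled beyond this rule). */
size_t ascii_prefix_len(const uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (buf[i] > 0x7F)
            break;
    }
    return i;
}

/* Returns 1 if every byte of the payload is ASCII, so nothing is stripped. */
int payload_survives_filter(const uint8_t *buf, size_t len)
{
    return ascii_prefix_len(buf, len) == len;
}

/* Number of payload bytes the filter would discard. */
size_t bytes_discarded(const uint8_t *buf, size_t len)
{
    return len - ascii_prefix_len(buf, len);
}

/* Constructed stand-in for the start of a typical Linux x86 execve
 * shellcode: xor eax,eax (31 C0) followed by mov instructions whose
 * opcode bytes (88, 89) lie above 0x7F, so the filter cuts after 1 byte. */
static const uint8_t typical_shellcode[] = {
    0x31, 0xC0, 0x88, 0x46, 0x07, 0x89, 0x46, 0x0C, 0xB0, 0x0B
};

/* Constructed all-printable payload: the kind of bytes the filter passes. */
static const uint8_t printable_payload[] = "AAAA/bin/shAAAA";

int main(void)
{
    size_t n = sizeof typical_shellcode;
    printf("typical shellcode: %zu of %zu bytes survive the filter\n",
           ascii_prefix_len(typical_shellcode, n), n);
    printf("printable payload survives intact: %d\n",
           payload_survives_filter(printable_payload,
                                   strlen((const char *)printable_payload)));
    return 0;
}
```

The constructed shellcode is cut to a single byte, which is why a column-name overflow in this version could only be driven by a payload built entirely from ASCII bytes, as Monty notes.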

