Bugtraq mailing list archives

Re: Buffer overflow in MySQL < 3.23.31


From: Joao Gouveia <tharbad () kaotik org>
Date: Tue, 23 Jan 2001 04:29:17 -0000

Hi,

----- Original Message -----
From: "Nicolas GREGOIRE" <nicolas.gregoire () 7THZONE COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 5:44 PM
Subject: Buffer overflow in MySQL < 3.23.31


Hi,

all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
server and which seems to be exploitable (i.e. 4141414 in eip)

Problem :
An attacker could gain mysqld privileges (gaining access to all the
databases)

Requirements :
You need a valid login/password to exploit this

Not always, in a default installation one can exploit like this:
mysql -ustring -e<query>, no need for a valid database, login, nor
password.
Also, afaik, this can't easily be exploited just by using a "select
a.(buffer).a" because buffer must be part of a valid SQL query. I didn't
test it, but I suppose it's true.
The real danger of this flaw, I think, is the possibility of being
exploited remotely.
If there is a simple php script ( for example ), that has a sql query like
"$SQL=select * from table where index=$index" ( providing that $index isn't
quoted), one can exploit using something like: script.php?index=a.(buffer).b


Solution :
Upgrade to 3.23.31

Proof-of-concept code :
None

Credits :
I'm not the discoverer of this bug
The first public report was made by tharbad () kaotik org via the MySQL
mailing-list
See the following mails for details

Best regards,

Joao Gouveia
--------------
tharbad () kaotik org
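
The remote scenario above (an unquoted `$index` spliced into a query string) is the part a web developer can fix independently of the MySQL upgrade. The following is an added example, not code from this thread or from MySQL: it uses Python with sqlite3 as a stand-in for MySQL, a constructed `items` table with an `idx` column, and hypothetical helper names (`build_vulnerable_sql`, `query_safe`, `parser_sees_input`). It shows that the vulnerable pattern hands whatever the client sent to the server's SQL parser verbatim, while type validation plus a bound parameter keeps client text out of the statement entirely.

```python
"""Added example (not from the original Bugtraq thread): the unquoted-parameter
pattern from the post beside a parameterized, validated version.
sqlite3 stands in for MySQL; the table and rows are constructed here."""
import sqlite3


def setup():
    # Constructed sample data: an in-memory table keyed by an integer index.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (idx INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "one"), (2, "two")])
    conn.commit()
    return conn


def build_vulnerable_sql(index):
    # Mirrors "$SQL=select * from table where index=$index" with $index unquoted:
    # the client-supplied text becomes part of the statement the server parses.
    return "SELECT * FROM items WHERE idx=%s" % index


def query_vulnerable(conn, index):
    return conn.execute(build_vulnerable_sql(index)).fetchall()


def parser_sees_input(conn, index):
    """Return True if the spliced text was handed to the SQL parser as syntax
    (sqlite reports a syntax or name error) rather than treated as a value."""
    try:
        conn.execute(build_vulnerable_sql(index))
        return False  # parsed cleanly as a plain integer literal
    except sqlite3.OperationalError:
        return True


def query_safe(conn, index):
    # 1. Validate the type and length: a numeric key is a short decimal integer,
    #    so an overlong token never reaches the database at all.
    if not isinstance(index, str) or not index.isdigit() or len(index) > 10:
        raise ValueError("index must be a short decimal integer")
    # 2. Bind the value as a parameter: it travels separately from the SQL text
    #    and is never interpreted as part of the statement.
    return conn.execute("SELECT * FROM items WHERE idx=?", (int(index),)).fetchall()


def safe_rejects(conn, index):
    """True if query_safe refuses the input before any SQL is sent."""
    try:
        query_safe(conn, index)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = setup()
    big = "a." + "A" * 2000 + ".b"  # constructed oversized token, same shape as the post's a.(buffer).b
    print("vulnerable path, normal input:", query_vulnerable(db, "1"))
    print("vulnerable path hands oversized token to parser:", parser_sees_input(db, big))
    print("safe path, normal input:", query_safe(db, "2"))
    print("safe path rejects oversized token:", safe_rejects(db, big))
```

The defensive point is the ordering in `query_safe`: validation happens in the application before the query is built, and the parameter binding means that even a value which passes validation is never concatenated into SQL text. Prepared statements with bound parameters are available in the PHP MySQL APIs as well, so the same structure applies to the script the post describes.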

