Bugtraq mailing list archives
Re: Buffer overflow in MySQL < 3.23.31
From: Joao Gouveia <tharbad () kaotik org>
Date: Tue, 23 Jan 2001 04:29:17 -0000
Hi,

----- Original Message -----
From: "Nicolas GREGOIRE" <nicolas.gregoire () 7THZONE COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 5:44 PM
Subject: Buffer overflow in MySQL < 3.23.31
> Hi, all versions of MySQL < 3.23.31 have a buffer overflow which crashes the
> server and which seems to be exploitable (i.e. 4141414 in eip)
>
> Problem : An attacker could gain mysqld privileges (gaining access to all the
> databases)
>
> Requirements : You need a valid login/password to exploit this
Not always. In a default installation one can exploit like this: mysql -ustring -e<query>, no need for a valid database, login, nor password.

Also, afaik, this can't easily be exploited just by using a "select a.(buffer).a" because the buffer must be part of a valid SQL query. I didn't test it, but I suppose it's true.

The real danger of this flaw, I think, is the possibility of it being exploited remotely. If there is a simple php script (for example) that has a SQL query like "$SQL=select * from table where index=$index" (providing that $index isn't quoted), one can exploit using something like: script.php?index=a.(buffer).b
> Solution : Upgrade to 3.23.31
>
> Proof-of-concept code : None
>
> Credits : I'm not the discoverer of this bug
> The first public report was made by tharbad () kaotik org via the MySQL
> mailing-list
> See the following mails for details
Best regards,

Joao Gouveia
--------------
tharbad () kaotik org
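The remote vector Joao describes above (an unquoted $index spliced into "select * from table where index=$index", delivering an over-long qualified identifier of the shape a.(buffer).b) is illustrated below. This is an added example written for this archive page, not code from either poster; Python stands in for the PHP script, the payload length is an arbitrary assumption rather than a figure from the thread, and the 64-character identifier limit is MySQL's documented maximum length for database, table and column names, used here as a cheap pre-check in front of a server known to mishandle long identifiers.

```python
import re

# Shape of the injected value described in the post: "a.<buffer>.b", an
# over-long qualified identifier. The length is an assumption for this demo,
# not a value from the post.
def build_payload(buffer_len=2000):
    return "a." + "A" * buffer_len + ".b"


def build_query_vulnerable(index):
    # Mirrors the post's "$SQL=select * from table where index=$index" with
    # $index unquoted: the request parameter is spliced into the SQL verbatim,
    # so the attacker decides what identifier the server has to parse.
    return "select * from table where index=" + index


def build_query_hardened(index):
    # Whitelist the one thing "index" is allowed to be (a decimal integer) and
    # pass it as a bound parameter; attacker bytes never reach the SQL parser.
    if not re.fullmatch(r"[0-9]+", index):
        raise ValueError("index must be a decimal integer")
    return "select * from table where index=%s", (int(index),)


# Documented MySQL maximum length for database/table/column names. No
# legitimate query needs a longer identifier, so exceeding it is a reliable
# signal that something like a.(buffer).b is being pushed at the server.
MYSQL_MAX_IDENTIFIER = 64

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def longest_identifier(query):
    # Crude tokenizer: length of the longest identifier-like token. Keywords
    # are counted too, which is harmless because they are all short.
    return max((len(t) for t in _IDENT.findall(query)), default=0)


def exceeds_identifier_limit(query, limit=MYSQL_MAX_IDENTIFIER):
    return longest_identifier(query) > limit


if __name__ == "__main__":
    payload = build_payload()
    q = build_query_vulnerable(payload)
    print("vulnerable query length:", len(q),
          "longest identifier:", longest_identifier(q),
          "flagged:", exceeds_identifier_limit(q))
    try:
        build_query_hardened(payload)
    except ValueError as err:
        print("hardened query rejected payload:", err)
```

The point of the two builders is that the server-side overflow only matters if attacker bytes can reach the SQL parser at all; the hardened form removes that path regardless of the mysqld version, while the identifier-length check is the kind of stopgap one could put in a web tier in front of an unpatched server.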
Current thread:
- Buffer overflow in MySQL < 3.23.31 Nicolas GREGOIRE (Jan 19)
- Re: Buffer overflow in MySQL < 3.23.31 Joao Gouveia (Jan 23)