MySQL Overflow and Authentication Bugs May Let Remote Users Execute Code or Access Database Accounts
|
|
SecurityTracker Alert ID: 1005800
|
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Dec 12 2002
|
Impact: Denial of service via local system, Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: e-matters
|
Version(s): 3.23.53a and prior versions; 4.0.5a and prior versions
|
Description: Several vulnerabilities were reported in MySQL. A remote user could potentially execute arbitrary code on the system. A remote user with a valid database account could gain access to other accounts on the database.
e-matters reported two bugs in the MySQL server that allow a remote authenticated user to crash the server. One of them may also allow a remote user to bypass password authentication or to execute arbitrary code on the server with the privileges of the 'mysqld' process.
A signed-to-unsigned integer conversion flaw was reported in the server. When processing a COM_TABLE_DUMP packet, two characters are converted to unsigned integers. If a character is negative (its high bit is set), the conversion sign-extends it into a very large unsigned number. The report states that this can probably only be exploited to cause a denial of service condition, because the resulting copy is a heap-to-heap operation and no memory-allocating function is called within the SIGSEGV handler.
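As an added illustration (not part of the e-matters advisory and not MySQL's source), the following C program models the conversion error described above. It reads a length byte once through a signed char, the way plain 'char' behaves on x86 ABIs, and once through an unsigned char, and then shows a hardened parser that reads lengths unsigned and checks them against the bytes left in the packet. The [db_len][db][tbl_len][tbl] layout, the NAME_MAX_LEN limit and the sample packets are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustration added to this entry; not MySQL source. The COM_TABLE_DUMP
 * payload is modelled as [db_len][db][tbl_len][tbl] with one-byte lengths,
 * which is an assumption made for the example. */

#define NAME_MAX_LEN 64

/* Vulnerable reading: the length byte is taken through a signed char, which
 * is what plain 'char' is on x86 ABIs. A byte of 0x80 or above is negative
 * and sign-extends when converted, so 0xFF becomes 0xFFFFFFFF. */
unsigned int len_via_signed_char(unsigned char byte)
{
    signed char c = (signed char) byte;
    return (unsigned int) c;
}

/* Fixed reading: the byte stays unsigned, so the result is always 0..255. */
unsigned int len_via_unsigned_char(unsigned char byte)
{
    return (unsigned int) byte;
}

/* Hardened parser: lengths are read unsigned and checked against both the
 * bytes remaining in the packet and the destination buffer before any copy.
 * Returns 0 on success, -1 on a malformed packet. */
int parse_table_dump(const unsigned char *pkt, size_t pkt_len,
                     char *db, char *tbl)
{
    char *out[2] = { db, tbl };
    size_t off = 0;
    for (int i = 0; i < 2; i++) {
        if (off >= pkt_len) return -1;
        unsigned int len = len_via_unsigned_char(pkt[off++]);
        if (len >= NAME_MAX_LEN || len > pkt_len - off) return -1;
        memcpy(out[i], pkt + off, len);
        out[i][len] = '\0';
        off += len;
    }
    return off == pkt_len ? 0 : -1;
}

/* Constructed sample packets: a well-formed one, and one whose first length
 * byte is 0xFF (negative when read as a signed char). */
static const unsigned char good_pkt[] = { 4, 't', 'e', 's', 't', 2, 't', '1' };
static const unsigned char bad_pkt[]  = { 0xFF, 'a', 'b' };

static char db_out[NAME_MAX_LEN], tbl_out[NAME_MAX_LEN];

int demo_good_packet(void)
{
    return parse_table_dump(good_pkt, sizeof good_pkt, db_out, tbl_out);
}

int demo_bad_packet(void)
{
    return parse_table_dump(bad_pkt, sizeof bad_pkt, db_out, tbl_out);
}

int main(void)
{
    printf("0xFF via signed char:   %u\n", len_via_signed_char(0xFF));
    printf("0xFF via unsigned char: %u\n", len_via_unsigned_char(0xFF));
    printf("good packet: rc=%d db=%s tbl=%s\n", demo_good_packet(), db_out, tbl_out);
    printf("bad packet:  rc=%d\n", demo_bad_packet());
    return 0;
}
```

The hardened parser rejects the crafted packet on the bounds check alone; the point of the two reader functions is that without the unsigned read, a single 0xFF byte turns into a length of roughly four billion before any check or copy runs.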
An authentication vulnerability in the COM_CHANGE_USER command was reported. The flaw is a previously disclosed bug that was only partially corrected. During the challenge-response exchange, a client can send a one-character response, which causes the server to generate and compare only a one-character expected response. Because the allowable character set is only 32 characters, a remote client can reportedly guess the correct response in 32 attempts or less.
A remote user with a valid MySQL account can use this to access other user accounts, including the mysql root account, and to read, modify, or delete data in the database.
According to the report, a remote user can also send a longer-than-expected response to trigger a stack overflow and overwrite the saved instruction pointer with data generated by the password verification algorithm's random number generator.
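As an added illustration of the authentication flaw described above (not the advisory's code and not MySQL's scramble routine), the C program below models a challenge-response check that generates and compares only as many characters as the client supplied, beside a fixed check that requires the full response length first. The hash, the generator, the 8-character response length and the 32-character alphabet are stand-ins chosen for the example; only the shape of the bug is taken from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of a length-truncated challenge-response check. Not MySQL's
 * scramble code: the seed hash, generator and alphabet are stand-ins. */

#define SCRAMBLE_LENGTH 8
#define ALPHABET_SIZE 32   /* response characters fall in the range 64..95 */

/* Stand-in for the keyed generator both sides derive from the stored
 * password hash and the server's challenge (FNV-1a, for illustration). */
static uint32_t seed_from(const char *password, const char *challenge)
{
    uint32_t h = 2166136261u;
    for (; *password; password++) h = (h ^ (unsigned char) *password) * 16777619u;
    for (; *challenge; challenge++) h = (h ^ (unsigned char) *challenge) * 16777619u;
    return h;
}

/* Stand-in LCG producing one response character per call. */
static char next_response_char(uint32_t *state)
{
    *state = *state * 1103515245u + 12345u;
    return (char) (64 + ((*state >> 16) % ALPHABET_SIZE));
}

/* What an honest client sends: the full SCRAMBLE_LENGTH response. */
void client_response(const char *password, const char *challenge,
                     char out[SCRAMBLE_LENGTH + 1])
{
    uint32_t st = seed_from(password, challenge);
    for (int i = 0; i < SCRAMBLE_LENGTH; i++) out[i] = next_response_char(&st);
    out[SCRAMBLE_LENGTH] = '\0';
}

/* Vulnerable pattern: the server generates and compares only as many
 * characters as the client supplied, so a 1-byte response needs one correct
 * character out of ALPHABET_SIZE possibilities. (In the real server the
 * generated characters also went into a fixed-size stack buffer, which is
 * the overflow noted above; this model writes no buffer.) Returns 0 when
 * the response is accepted. */
int check_scramble_vulnerable(const char *resp, const char *password,
                              const char *challenge)
{
    uint32_t st = seed_from(password, challenge);
    for (; *resp; resp++)
        if (*resp != next_response_char(&st)) return 1;
    return 0;
}

/* Fixed pattern: reject any response that is not exactly SCRAMBLE_LENGTH
 * bytes, then compare against the whole expected string. */
int check_scramble_fixed(const char *resp, const char *password,
                         const char *challenge)
{
    char expected[SCRAMBLE_LENGTH + 1];
    if (strlen(resp) != SCRAMBLE_LENGTH) return 1;
    client_response(password, challenge, expected);
    return memcmp(resp, expected, SCRAMBLE_LENGTH) == 0 ? 0 : 1;
}

/* Tries every possible 1-byte response against a checker. Returns the number
 * of attempts needed to be accepted, or 0 if none of the 32 is accepted. */
int attempts_to_bypass(int (*check)(const char *, const char *, const char *),
                       const char *password, const char *challenge)
{
    char guess[2] = { 0, 0 };
    for (int i = 0; i < ALPHABET_SIZE; i++) {
        guess[0] = (char) (64 + i);
        if (check(guess, password, challenge) == 0) return i + 1;
    }
    return 0;
}

/* An honest client with the real password must pass both checks. */
int honest_login_ok(const char *password, const char *challenge)
{
    char resp[SCRAMBLE_LENGTH + 1];
    client_response(password, challenge, resp);
    return check_scramble_vulnerable(resp, password, challenge) == 0 &&
           check_scramble_fixed(resp, password, challenge) == 0;
}

int main(void)
{
    const char *pw = "s3cret", *ch = "abcdefgh";   /* constructed sample */
    printf("vulnerable check bypassed after %d attempts\n",
           attempts_to_bypass(check_scramble_vulnerable, pw, ch));
    printf("fixed check bypassed after %d attempts (0 = never)\n",
           attempts_to_bypass(check_scramble_fixed, pw, ch));
    printf("honest login ok: %d\n", honest_login_ok(pw, ch));
    return 0;
}
```

Against the vulnerable check the loop always succeeds within 32 guesses, since the first expected character is one of 32 values; against the fixed check a one-byte response never passes the length test, so the attacker is back to guessing all eight characters.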
On the client side, a heap overflow was reported in the MySQL client library (libmysqlclient). It can be triggered by the server's reply to a SELECT statement (or other statements) and could allow a malicious or compromised server to execute arbitrary code in an application linked against libmysqlclient.
A byte-overwrite vulnerability in read_one_row was also reported in libmysqlclient. When the client library fetches a row from the server, field sizes are not verified against the packet boundaries. A specially crafted packet can supply an arbitrary field size, causing the client to write a '\0' null terminator to an arbitrary memory address. This could allow a remote user in control of a database server to execute arbitrary code on the client system, or to crash the client.
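As an added illustration of the read_one_row issue (not libmysqlclient's code), the C program below parses a row packet in the style described above: each field is prefixed with a length, the parser advances by that length and NUL-terminates each field in place. One function computes, without writing anything, where the unchecked pattern would place its final '\0' for a crafted length; the other is the hardened parser that checks every declared length against the bytes left in the packet. The length-prefix encoding modelled here (a first byte below 251 is the length, 251 means NULL, 252 and 253 introduce 2- and 3-byte little-endian lengths, the 8-byte form is left out), the MAX_FIELDS limit and the sample packets are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of row parsing with length-prefixed fields; not library code.
 * Encoding assumed: first byte < 251 is the length, 251 = NULL, 252/253 are
 * followed by a 2-/3-byte little-endian length; the 8-byte form is omitted. */

#define NULL_FIELD ((uint32_t) -1)
#define MAX_FIELDS 8

/* Decodes one length prefix at *off. Returns 0 and advances *off, or -1 if
 * the prefix itself runs past the end of the packet. */
static int read_field_length(const unsigned char *pkt, size_t pkt_len,
                             size_t *off, uint32_t *len)
{
    size_t o = *off;
    if (o >= pkt_len) return -1;
    unsigned char b = pkt[o++];
    if (b < 251) {
        *len = b;
    } else if (b == 251) {
        *len = NULL_FIELD;
    } else if (b == 252) {
        if (pkt_len - o < 2) return -1;
        *len = (uint32_t) pkt[o] | ((uint32_t) pkt[o + 1] << 8);
        o += 2;
    } else if (b == 253) {
        if (pkt_len - o < 3) return -1;
        *len = (uint32_t) pkt[o] | ((uint32_t) pkt[o + 1] << 8) |
               ((uint32_t) pkt[o + 2] << 16);
        o += 3;
    } else {
        return -1;   /* 8-byte form not modelled */
    }
    *off = o;
    return 0;
}

/* Offset from the packet start at which the unchecked pattern would write
 * its final '\0' terminator, computed without writing. A declared length is
 * simply added to the cursor, never compared with the packet end. Returns
 * -1 only if a prefix itself is truncated. */
long long unchecked_terminator_offset(const unsigned char *pkt, size_t pkt_len,
                                      int fields)
{
    unsigned long long off = 0;
    for (int f = 0; f < fields; f++) {
        uint32_t len;
        size_t o = (size_t) off;
        if (off > pkt_len || read_field_length(pkt, pkt_len, &o, &len) != 0) return -1;
        off = o;
        if (len != NULL_FIELD) off += len;   /* trusted length */
    }
    return (long long) off;
}

/* Hardened parser: every declared length is checked against the bytes left
 * in the packet before the cursor moves. Fields are NUL-terminated in place
 * in 'buf', which must hold pkt_len + 1 bytes (the spare byte needed to
 * terminate the last field). Returns 0 on success, -1 on malformed input. */
int parse_row_checked(const unsigned char *pkt, size_t pkt_len, int fields,
                      unsigned char *buf, size_t buf_len, const char **row)
{
    if (fields > MAX_FIELDS || buf_len < pkt_len + 1) return -1;
    memcpy(buf, pkt, pkt_len);
    size_t off = 0, prev = 0;
    int have_prev = 0;
    for (int f = 0; f < fields; f++) {
        uint32_t len;
        if (read_field_length(pkt, pkt_len, &off, &len) != 0) return -1;
        if (len == NULL_FIELD) {
            row[f] = NULL;
        } else {
            if (len > pkt_len - off) return -1;   /* the missing check */
            row[f] = (const char *) buf + off;
            off += len;
        }
        if (have_prev) buf[prev] = '\0';          /* terminate previous field */
        prev = off;
        have_prev = 1;
    }
    buf[prev] = '\0';                             /* terminate last field */
    return 0;
}

/* Constructed packets: "abc", NULL, "xy"; and a 3-byte length of 0xFFFFFF. */
static const unsigned char good_row[] = { 3, 'a', 'b', 'c', 251, 2, 'x', 'y' };
static const unsigned char bad_row[]  = { 253, 0xFF, 0xFF, 0xFF, 'a' };

static unsigned char demo_buf[64];
static const char *demo_row[MAX_FIELDS];

int demo_good_row(void)
{
    return parse_row_checked(good_row, sizeof good_row, 3, demo_buf, sizeof demo_buf, demo_row);
}

int demo_bad_row(void)
{
    return parse_row_checked(bad_row, sizeof bad_row, 1, demo_buf, sizeof demo_buf, demo_row);
}

int main(void)
{
    printf("unchecked '\\0' offset, crafted packet: %lld\n",
           unchecked_terminator_offset(bad_row, sizeof bad_row, 1));
    printf("checked parse, crafted packet: rc=%d\n", demo_bad_row());
    printf("checked parse, good packet: rc=%d field0=%s field2=%s\n",
           demo_good_row(), demo_row[0], demo_row[2]);
    return 0;
}
```

For the well-formed packet the unchecked cursor ends exactly on the spare byte after the payload; for the crafted one it lands about 16 MB past a five-byte packet, which is where the unchecked code would write its '\0'. The hardened parser refuses the crafted packet before the cursor moves.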
For the original e-matters advisory, see:
http://security.e-matters.de/advisories/042002.html
|
Impact: A remote user could cause the MySQL server or a MySQL client application to crash. A remote user could potentially execute arbitrary code on the server with the privileges of the 'mysqld' process, or on a client system with the privileges of an application linked against libmysqlclient. A remote user with a valid database account could access other user accounts on the database.
|
Solution: The vendor has released a fixed version (3.23.54), available at:
http://www.mysql.com/downloads/mysql-3.23.html
|
Vendor URL: www.mysql.com/
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Stefan Esser <s.esser@e-matters.de>
|