Bugtraq mailing list archives

Re: Buffer overflow in MySQL < 3.23.31
From: Joao Gouveia <tharbad () kaotik org>
Date: Tue, 23 Jan 2001 04:29:17 -0000


----- Original Message -----
From: "Nicolas GREGOIRE" <nicolas.gregoire () 7THZONE COM>
Sent: Thursday, January 18, 2001 5:44 PM
Subject: Buffer overflow in MySQL < 3.23.31


all versions of MySQL < 3.23.31 have a buffer overflow which crashes the
server and which seems to be exploitable (i.e. 4141414 in eip)

Problem :
An attacker could gain mysqld privileges (gaining access to all the

Requirements :
You need a valid login/password to exploit this

Not always, in a default installation one can exploit like this:
mysql -ustring -e<query> , no need for a valid database, login, nor
Also, afaik, this can't easily be exploited just by using a "select
a.(buffer).a" because buffer must be part of a valid SQL query. I didn't
test it, but I suppose it's true.
The real danger of this flaw, I think, is the possibility of being
exploited remotely.
If there is a simple php script ( for example ), that has a sql query like
"$SQL=select * from table where index=$index" ( providing that $index isn't
quoted), one can exploit using something like: script.php?index=a.(buffer).b

Solution :
Upgrade to 3.23.31

Proof-of-concept code :

Credits :
I'm not the discoverer of this bug
The first public report was made by tharbad () kaotik org via the MySQL
See the following mails for details

Best regards,

Joao Gouveia
tharbad () kaotik org
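The unquoted `$index` pattern described in the reply, as an added example that is not from the original mail or from MySQL: a query built by string interpolation beside a version that validates the parameter and binds it as a value. sqlite3 stands in for MySQL here, and the table, column names and length limit are assumptions made for the demo.

```python
import sqlite3

# Assumed bound for the demo: a row index never needs more than 10 digits.
MAX_INDEX_LEN = 10


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the MySQL table in the mail."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (idx INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "one"), (2, "two")])
    return conn


def render_unsafe(index: str) -> str:
    """The pattern the reply warns about: the request parameter is pasted into
    the SQL text unquoted, so whatever the client sends (including an
    arbitrarily long buffer) is handed to the server's parser verbatim."""
    return f"SELECT name FROM items WHERE idx={index}"


def is_valid_index(index: str) -> bool:
    """Allow-list check: a short, purely decimal value and nothing else."""
    return 0 < len(index) <= MAX_INDEX_LEN and index.isdigit()


def lookup_safe(conn: sqlite3.Connection, index: str) -> list:
    """Hardened form: reject anything that is not a bounded integer, then bind
    the value as a parameter so the SQL text the server parses is fixed."""
    if not is_valid_index(index):
        raise ValueError("index must be a short decimal number")
    rows = conn.execute("SELECT name FROM items WHERE idx=?", (int(index),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    oversized = "a." + "A" * 4096 + ".b"  # constructed stand-in for "(buffer)"
    print(len(render_unsafe(oversized)))   # the whole buffer ends up in the query
    print(lookup_safe(db, "2"))            # ['two']
    print(is_valid_index(oversized))       # False: rejected before any SQL is built
```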
