Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Buffer overflow in MySQL < 3.23.31
From: Joao Gouveia <tharbad () kaotik org>
Date: Tue, 23 Jan 2001 04:29:17 -0000

Hi,

----- Original Message -----
From: "Nicolas GREGOIRE" <nicolas.gregoire () 7THZONE COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 5:44 PM
Subject: Buffer overflow in MySQL < 3.23.31


Hi,

all versions of MySQL < 3.23.31 have a buffer-overflow which crashs the
server and which seems to be exploitable (ie. 4141414 in eip)

Problem :
An attacker could gain mysqld privileges (gaining access to all the
databases)

Requirements :
You need a valid login/password to exploit this

Not allways, in a default instalation one can exploit like this:
mysql -ustring -e<query> , no need for a valid database, login, nor
password.
Also, afaik, this can't easly be exploited just by using a "select
a.(buffer).a" because buffer must be part of a valid SQL query. I didn't
test it, but i supose it's true.
The real danger of this flaw, i think, is the possibility of beeing
exploited remotely.
If there is a simple php script ( for example ), that has a sql query like
"$SQL=select * from table where index=$index" ( providing that $index isn't
quoted), one can exploit using somethig like: script.php?index=a.(buffer).b


Solution :
Upgrade to 3.23.31

Proof-of-concept code :
None

Credits :
I'm not the discoverer of this bug
The first public report was made by tharbad () kaotik org via the MySQL
mailing-list
See the following mails for details

Best regards,

Joao Gouveia
--------------
tharbad () kaotik org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]