Home page logo
/

bugtraq logo Bugtraq mailing list archives

wp-02-0003: MySQL Locally Exploitable Buffer Overflow
From: Matt Moore <matt () westpoint ltd uk>
Date: Wed, 02 Oct 2002 16:47:59 +0100

Westpoint Security Advisory

Title:             MySQL Locally Exploitable Buffer Overflow
Risk Rating:       Medium
Software:          mySQL Database v3.23.49-nt
Platforms:         Win32 (other platforms not tested)
Vendor URL:        www.mysql.com
Author:            Matt Moore <matt () westpoint ltd uk>
Date:              1st October 2002
Advisory ID#:      wp-02-0003
CVE#               CAN-2002-0969

Overview:
=========
The Win32 version of MySQL has a locally exploitable buffer overflow condition which could allow an attacker to execute code in the context of the SYSTEM account if MySQL is running as an NT Service (which is the default).

Details:
========

MySQL reads a configuration file,'my.ini' from from either c:\my.ini or
c:\WINNT\my.ini . The default ACL's for c:\my.ini allow the 'Everyone' group
Full Control.The ACL's for c:\winnt are slightly more restrictive, but do
allow members of the 'Power Users' NT Group write access.

By supplying an overly long string for the 'datadir' parameter in my.ini, it is possible to overflow a buffer in mysqld-nt.exe, overwriting EIP, and hence executing
arbitrary code in the context of the SYSTEM account.

E.g.

Change the entry for 'datadir' from:

datadir=C:/mysql/data

to:

datadir=C:/AAAAAA...AAAA

and restart the mySQl service or reboot the machine.

Vendor Response:
================

Fixed in the 3.23.50 release of MySQL and MySQL 4.0.2

Patch Information:
==================

Upgrade to the latest version from www.mysql.com

This advisory is available online at:

www.westpoint.ltd.uk/advisories/wp-02-0003.txt





  By Date           By Thread  

Current thread:
  • wp-02-0003: MySQL Locally Exploitable Buffer Overflow Matt Moore (Oct 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault