wp-02-0003: MySQL Locally Exploitable Buffer Overflow
From: Matt Moore <matt () westpoint ltd uk>
Date: Wed, 02 Oct 2002 16:47:59 +0100
Westpoint Security Advisory
Title: MySQL Locally Exploitable Buffer Overflow
Risk Rating: Medium
Software: mySQL Database v3.23.49-nt
Platforms: Win32 (other platforms not tested)
Vendor URL: www.mysql.com
Author: Matt Moore <matt () westpoint ltd uk>
Date: 1st October 2002
Advisory ID#: wp-02-0003
The Win32 version of MySQL has a locally exploitable buffer overflow
condition which could allow an attacker to execute code in the context
of the SYSTEM account if MySQL is running as an NT Service (which is the
MySQL reads a configuration file, 'my.ini', from either c:\my.ini or
c:\WINNT\my.ini. The default ACLs for c:\my.ini give 'Everyone'
Full Control. The ACLs for c:\winnt are slightly more restrictive, but do
allow members of the 'Power Users' NT group write access.
By supplying an overly long string for the 'datadir' parameter in
my.ini, it is possible to overflow a buffer in mysqld-nt.exe, overwriting
EIP and running arbitrary code in the context of the SYSTEM account.
Change the entry for 'datadir' from:
and restart the MySQL service or reboot the machine.
Fixed in the 3.23.50 release of MySQL and MySQL 4.0.2
Upgrade to the latest version from www.mysql.com
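An added audit check, not part of this advisory or of MySQL, that covers the two conditions it combines: it parses `icacls` output for the my.ini locations named above and flags write access for 'Everyone' or 'Power Users', and it flags an oversized [mysqld] datadir. The 260-character threshold, the sample ACL text and the sample my.ini are assumptions constructed for illustration.

```python
import configparser
import re

LOW_PRIV_PRINCIPALS = {"Everyone", "Power Users", "Users"}  # groups the advisory names
WRITE_PERMS = {"F", "M", "W", "WD"}  # icacls rights that allow modifying the file
MAX_DATADIR_LEN = 260  # assumed threshold; the advisory gives no buffer size


def parse_icacls(path, output):
    """Parse `icacls <path>` output into [(principal, set_of_flags)]."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        line = line[len(path):].strip() if line.startswith(path) else line  # first line carries the file name
        m = re.match(r"^(.+?):((?:\([^)]*\))+)$", line)
        if not m:
            continue  # blank line or the trailing summary line
        flags = {f for grp in re.findall(r"\(([^)]*)\)", m.group(2))
                 for f in grp.split(",")}
        aces.append((m.group(1), flags))
    return aces

def writable_by_low_priv(aces):
    """Principals from LOW_PRIV_PRINCIPALS holding a write-granting right."""
    return sorted(p for p, flags in aces
                  if p.split("\\")[-1] in LOW_PRIV_PRINCIPALS and flags & WRITE_PERMS)

def oversized_paths(ini_text, limit=MAX_DATADIR_LEN):
    """{option: length} for [mysqld] path options longer than limit."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(ini_text)
    sect = cp["mysqld"] if cp.has_section("mysqld") else {}
    return {opt: len(sect.get(opt) or "") for opt in ("datadir", "basedir")
            if len(sect.get(opt) or "") > limit}

def audit(path, icacls_output, ini_text):
    # Both checks combined into a list of findings; an empty list means clean.
    findings = [f"{path}: writable by {p}"
                for p in writable_by_low_priv(parse_icacls(path, icacls_output))]
    findings += [f"{path}: [mysqld] {opt} is {n} chars (> {MAX_DATADIR_LEN})"
                 for opt, n in oversized_paths(ini_text).items()]
    return findings

# Constructed sample input: the default ACL the advisory describes plus a long datadir.
SAMPLE_ICACLS = """C:\\my.ini Everyone:(F)
          BUILTIN\\Administrators:(I)(F)
          NT AUTHORITY\\SYSTEM:(I)(F)
          BUILTIN\\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_INI = "[mysqld]\nbasedir=C:/mysql\ndatadir=C:/mysql/" + "A" * 300 + "\n"
```

On a live host, feed `audit()` the output of `icacls C:\my.ini` (and of `%SystemRoot%\my.ini`) together with the file's contents; a hardened system should return no findings.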
This advisory is available online at: