COMMAND

    mSQL Server

SYSTEMS AFFECTED

    mSQL 2.0.1 and earlier are vulnerable.

PROBLEM

    Secure Networks Inc. found the following vulnerabilities in the mSQL
    server.  The mSQL server software, msqld or msql2d, performs no length
    checking on many of the strings it manipulates.  By creating a query
    which contains a string longer than the mSQL server is prepared to
    deal with, an attacker can overwrite the stack and cause the mSQL
    server to execute arbitrary code.

    A second vulnerability exists because the mSQL server does not perform
    a forward DNS lookup on the results of reverse DNS lookups, allowing
    users able to spoof hostnames to access the mSQL server.

    An example  of the  buffer overflows  is present  in the openTable
    function located in the table.c file:

        int openTable(table,db)
             char     *table;
             char     *db;
        {
             char     path[MAXPATHLEN];    /* fixed-size stack buffer, 160 bytes */

             /* unbounded sprintf(): neither db nor table is length-checked */
             (void)sprintf(path,"%s/msqldb/%s/%s.dat",msqlHomeDir,db,table);
             ...

    In this example, the openTable function takes the table name and
    copies it into a buffer of finite size on the stack.  The problem is
    made worse by the fact that the mSQL server defines MAXPATHLEN itself,
    rather than obtaining it from sys/param.h, the operating system header
    file.  In this case, the value of MAXPATHLEN is 160.
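    The following is an added example, not code from the advisory or from
    the mSQL sources.  It keeps the same 160-byte stack buffer and the same
    path format as openTable(), but builds the path with a bounded
    snprintf() and refuses any table name for which the full path would
    not fit, so the over-long name is rejected instead of overwriting the
    stack.  The home directory value and the function names are assumed.

```c
#include <stdio.h>
#include <string.h>

/* mSQL defines MAXPATHLEN itself as 160 instead of taking the system value
 * from <sys/param.h> (per the advisory); reproduced here so the stack
 * buffer has the same size as the one in openTable(). */
#define MSQL_MAXPATHLEN 160

/* Assumed home directory, standing in for mSQL's msqlHomeDir global. */
static const char *msqlHomeDir = "/usr/local/Hughes";

/*
 * Bounded replacement for the sprintf() in openTable(): writes
 * "<home>/msqldb/<db>/<table>.dat" into out[outlen] and reports whether
 * the whole path fit.  snprintf() never writes past outlen, and its
 * return value (the length the complete string would have had) shows
 * whether it had to truncate; a truncated path is refused rather than used.
 * Returns 1 on success, 0 on refusal.
 */
int buildTablePath(char *out, size_t outlen, const char *db, const char *table)
{
    int n;

    if (out == NULL || outlen == 0 || db == NULL || table == NULL)
        return 0;
    n = snprintf(out, outlen, "%s/msqldb/%s/%s.dat", msqlHomeDir, db, table);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';      /* did not fit: never hand back a partial path */
        return 0;
    }
    return 1;
}

/*
 * Same shape as mSQL's openTable(): a MAXPATHLEN-sized buffer on the
 * stack, but filled through buildTablePath() so an over-long table name
 * is rejected instead of overwriting the stack.  Returns 1 if the path
 * was accepted, 0 if the name was rejected.
 */
int openTableSafe(const char *table, const char *db)
{
    char path[MSQL_MAXPATHLEN];

    if (!buildTablePath(path, sizeof path, db, table))
        return 0;
    /* the real server would open(path) here */
    return 1;
}

int main(void)
{
    char longName[300];

    /* constructed input: a table name far longer than the buffer */
    memset(longName, 'A', sizeof longName - 1);
    longName[sizeof longName - 1] = '\0';
    printf("normal table name accepted:   %d\n", openTableSafe("users", "test"));
    printf("299-byte table name accepted: %d\n", openTableSafe(longName, "test"));
    return 0;
}
```

    With the assumed home directory and database name "test", the fixed
    prefix and ".dat" suffix together take 34 bytes, so a 125-character
    table name is the longest that fits in 160 bytes with its terminator;
    the original sprintf() would have written one byte past the buffer at
    126 characters, and the bounded version refuses exactly there.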

    In addition to the above buffer overflows, the username/hostname
    based access control mechanism in the msql daemon does not protect
    against an attacker with control of a DNS server:

        /* reverse lookup only: the returned name is never confirmed */
        hp = (struct hostent *)gethostbyaddr(
             (char *)&conArray[newSock].remote.sin_addr,
             sizeof(conArray[newSock].remote.sin_addr),
             AF_INET);

    Because msql2d does not do a forward lookup on the name provided by
    the reverse lookup and verify that the addresses match, an attacker
    with control of a DNS server can simply specify the name of a valid
    client host, and obtain access to the mSQL database.
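    The following is an added example, not code from the advisory or from
    mSQL, showing the missing check: a forward-confirmed reverse lookup
    that only trusts the name from the PTR record when that name's own
    forward records include the address the connection came from.  The
    resolver is replaced by constructed tables so the example runs
    offline; the host names, addresses and function names are assumed, and
    in a real server the two lookups would be gethostbyaddr() (as msql2d
    already does) followed by gethostbyname() or getaddrinfo() on the
    returned name.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed resolver tables so the example runs offline.  In a real
 * server the reverse answer comes from gethostbyaddr() and the forward
 * answers from gethostbyname()/getaddrinfo() on the returned name.
 */
struct dnsRecord {
    const char *name;
    const char *addr;
};

/* Forward (A) records published by the trusted client's own zone. */
static const struct dnsRecord forwardRecords[] = {
    { "client.example.org", "192.0.2.10" },
    { "client.example.org", "192.0.2.11" },   /* multi-homed: two addresses */
};

/* Reverse (PTR) records.  The second one lives in a zone the advisory's
 * attacker controls and simply claims to be the trusted client. */
static const struct dnsRecord reverseRecords[] = {
    { "client.example.org", "192.0.2.10" },
    { "client.example.org", "198.51.100.7" },
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* PTR lookup: address -> name, or NULL when there is no reverse record. */
static const char *lookupReverse(const char *addr)
{
    size_t i;

    for (i = 0; i < COUNT(reverseRecords); i++)
        if (strcmp(reverseRecords[i].addr, addr) == 0)
            return reverseRecords[i].name;
    return NULL;
}

/* A lookup: does any forward record for name resolve to addr? */
static int forwardContains(const char *name, const char *addr)
{
    size_t i;

    for (i = 0; i < COUNT(forwardRecords); i++)
        if (strcmp(forwardRecords[i].name, name) == 0 &&
            strcmp(forwardRecords[i].addr, addr) == 0)
            return 1;
    return 0;
}

/*
 * Forward-confirmed reverse lookup.  The name from the PTR record is only
 * trusted if its A records include the address the connection actually
 * came from.  Returns 1 and copies the confirmed name into nameOut on
 * success; returns 0 (with an empty nameOut) when there is no PTR record,
 * the forward lookup does not confirm it, or the name does not fit, in
 * which case the caller should apply address-based access checks only.
 */
int confirmPeerName(const char *peerAddr, char *nameOut, size_t nameLen)
{
    const char *claimed;

    if (nameOut == NULL || nameLen == 0)
        return 0;
    nameOut[0] = '\0';
    claimed = lookupReverse(peerAddr);
    if (claimed == NULL || !forwardContains(claimed, peerAddr))
        return 0;
    if (strlen(claimed) >= nameLen)
        return 0;                   /* bounded copy: refuse rather than truncate */
    strcpy(nameOut, claimed);
    return 1;
}

int main(void)
{
    char name[64];
    int ok;

    ok = confirmPeerName("192.0.2.10", name, sizeof name);
    printf("192.0.2.10   confirmed=%d name=\"%s\"\n", ok, name);
    ok = confirmPeerName("198.51.100.7", name, sizeof name);
    printf("198.51.100.7 confirmed=%d name=\"%s\"\n", ok, name);
    return 0;
}
```

    The forged PTR record for 198.51.100.7 names the trusted client, but
    the client's forward records do not contain 198.51.100.7, so the name
    is discarded and the connection is evaluated on its address alone.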

    Remote individuals can induce msqld or msql2d to execute arbitrary
    commands.  If msqld or msql2d is run as 'root', then an attacker can
    obtain root privileges.  Remote individuals can bypass the hostname
    based access control included in msqld or msql2d.

SOLUTION

    No official security fix is available.  Unofficial unified diffs
    which fix the known security problems in mSQL are available at

        ftp://ftp.secnet.com/pub/patches/msql2-patches.tar.gz

    This archive contains unified diffs to fix mSQL 2.0-rel and mSQL
    2.0.1.  David Sacerdote has posted a set of portability fixes to the
    mSQL 2.0.1 patches he released earlier to:

        ftp://ftp.secnet.com/pub/patches/msql2-patches.2.tar.gz