Hi!
I got forwarded this 'exploit' of MySQL:
Lus> Hello...
Lus> Here's an exploit for this...
Lus> [See attached...]
Lus> Regardz,
Lus> Lus Miguel Silva aka wC
Lus> Member of lonoss.org and unsecurity.org
Lus> http://www.lonoss.org/
Lus> http://www.unsecurity.org/
Lus> http://www.ispgaya.pt/ Student
Lus> Personal WebPage at:
Lus> http://paginas.ispgaya.pt/~lms/
Lus> &&
Lus> http://www.unsecurity.org/wC/
Lus> Personal Code at:
Lus> www.unsecurity.org/wC/MyCode/
Lus> /*
Lus> Linux MySQL Exploit by Luis Miguel Silva [aka wC]
Lus> [EMAIL PROTECTED]
Lus> 19/01/y2k+1
Lus> Compile:
Lus> gcc MySQLXploit.c -o MySQLX
Lus> Run with:
Lus> You can specify the offset for the exploit passing it as the 1st arg...
Lus> Example: ./MySQLX 0 ---> this is the default offset :]
Lus> Advisory:
Lus> [from a bugtraq email]
Lus> Hi,
Lus> all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
Lus> server and which seems to be exploitable (ie. 4141414 in eip)
Lus> Problem :
Lus> An attacker could gain mysqld privileges (gaining access to all the
Lus> databases)
Lus> Requirements :
Lus> You need a valid login/password to exploit this
Lus> Solution :
Lus> Upgrade to 3.23.31
Lus> Proof-of-concept code :
Lus> None
Lus> Credits :
Lus> I'm not the discoverer of this bug
Lus> The first public report was made by [EMAIL PROTECTED] via the MySQL
Lus> mailing-list
Lus> See the following mails for details
Lus> Regards,
Lus> Nicob
<cut>
I have looked at the 'exploit' and tested this against a 3.23.30
server, but it didn't work. The server nicely gave the error:
-----------------
(/my/tmp) exploit 0
MySQL [all versions < 3.23.31] Local Exploit by [EMAIL PROTECTED]
Trying to allocate memory for buffer (130 bytes)...SUCCESS!
Using address : 0x41414141
Offset : 0
Buffer Size : 130
Oh k...i have the evil'buffer right here :P
So...[if all went well], prepare to be r00t...
Enter password:
ERROR 1064 at line 1: You have an error in your SQL syntax near '^1FF
V
̀1ۉ@̀/bin/shAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' at line 1
-------------
I can't see how this particular exploit could work, as MySQL strips
all non-ASCII characters from the column name and stops at the first
non-ASCII character. In other words, an exploit like this could
theoretically work if the assembler code only used bytes in this
region, but as this particular program didn't do that...
Anyway, this is just a typical example of why one should be careful
not to run mysqld as root, but to run it as its own user.
Regards,
Monty
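Added example, not part of Monty's mail or of MySQL's source: a small Python emulation of the column-name handling he describes (keep only the leading run of ASCII bytes, stop at the first non-ASCII byte), plus a log check that flags a syntax-error line whose quoted fragment carries such bytes or long padding runs. Assumptions: "not-ASCII" is taken to mean any byte outside printable 7-bit ASCII (0x20..0x7e), the payload was passed in a column-name position as the quoted error suggests, and the sample error lines below are constructed, not the bytes from the original session.

```python
import re

# Emulates the column-name handling described in the mail: the server keeps
# only the leading run of ASCII bytes and stops at the first non-ASCII byte.
# Constructed emulation, not MySQL source. Assumption: "not-ASCII" means any
# byte outside printable 7-bit ASCII (0x20..0x7e).
def truncate_identifier(raw: bytes) -> bytes:
    for i, b in enumerate(raw):
        if b < 0x20 or b > 0x7e:
            return raw[:i]
    return raw


def longest_repeat_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (overflow padding signature)."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


# Matches the syntax-error line the mysql client printed in the session above.
# Hypothetical pattern written for this example.
ERROR_NEAR = re.compile(
    rb"You have an error in your SQL syntax near '(.*)' at line \d+", re.S
)


def suspicious_fragment(log_line: bytes, min_run: int = 32) -> bool:
    """Flag an error line whose quoted fragment carries non-ASCII bytes or a
    long run of one repeated byte: a query like that was never meant to parse."""
    m = ERROR_NEAR.search(log_line)
    if not m:
        return False
    frag = m.group(1)
    return truncate_identifier(frag) != frag or longest_repeat_run(frag) >= min_run


# Constructed sample lines (not the bytes from the original session).
OVERFLOW_ERROR = (
    b"ERROR 1064 at line 1: You have an error in your SQL syntax near '"
    + b"\xeb\x1f\x5e\x89\x76\x08/bin/sh" + b"A" * 40
    + b"' at line 1"
)
PADDING_ONLY_ERROR = (
    b"ERROR 1064 at line 1: You have an error in your SQL syntax near 'x"
    + b"A" * 40
    + b"' at line 1"
)
TYPO_ERROR = (
    b"ERROR 1064 at line 1: You have an error in your SQL syntax near "
    b"'SELEC * FROM t' at line 1"
)

if __name__ == "__main__":
    # Everything after the first non-ASCII byte is gone before parsing.
    print(truncate_identifier(b"col\xebname"))
    for line in (OVERFLOW_ERROR, PADDING_ONLY_ERROR, TYPO_ERROR):
        print(suspicious_fragment(line), line[:60])
```

The truncation step is why the quoted session ended in a plain syntax error rather than a crash: the shellcode bytes never reach the parser. The log check is the defender's side of the same observation, since a fragment that would be cut by this filter, or that is mostly one repeated byte, is worth an alert even when the server survives it.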