Hi,
----- Original Message -----
From: "Nicolas GREGOIRE" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 18, 2001 5:44 PM
Subject: Buffer overflow in MySQL < 3.23.31
> Hi,
>
> all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
> server and which seems to be exploitable (i.e. 4141414 in eip)
>
> Problem :
> An attacker could gain mysqld privileges (gaining access to all the
> databases)
>
> Requirements :
> You need a valid login/password to exploit this
Not always, in a default installation one can exploit like this:
mysql -ustring -e<query> , no need for a valid database, login, nor
password.
Also, afaik, this can't easily be exploited just by using a "select
a.(buffer).a" because buffer must be part of a valid SQL query. I didn't
test it, but I suppose it's true.
The real danger of this flaw, I think, is the possibility of being
exploited remotely.
If there is a simple PHP script (for example), that has a SQL query like
"$SQL=select * from table where index=$index" (providing that $index isn't
quoted), one can exploit using something like: script.php?index=a.(buffer).b
>
> Solution :
> Upgrade to 3.23.31
>
> Proof-of-concept code :
> None
>
> Credits :
> I'm not the discoverer of this bug
> The first public report was made by [EMAIL PROTECTED] via the MySQL
> mailing-list
> See the following mails for details
Best regards,
Joao Gouveia
--------------
[EMAIL PROTECTED]
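The unquoted-$index pattern from the reply above, with a hardened version beside it, as an added example that is not part of the thread. It assumes a table `items` with an integer column `idx`, a connected `mysqli` handle `$db`, and uses mysqli prepared statements, which postdate the 2001 discussion.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table `items`
// with an integer column `idx` (hypothetical names).

// The pattern described in the reply: $index is dropped into the query
// text unquoted, so whatever arrives in ?index= becomes part of the SQL
// the server has to parse, including an over-long token.
function query_unsafe(string $index): string {
    return "SELECT * FROM items WHERE idx = $index";
}

// Defensive check: the parameter is meant to be a row id, so accept only a
// short run of digits. Letters, dots or an over-long token are rejected
// before any SQL text is built or sent to the server.
function parse_index(?string $raw): ?int {
    if ($raw === null || !preg_match('/^[0-9]{1,10}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened lookup: validated integer, then bound as a parameter so the
// value never becomes part of the statement text at all.
function fetch_item(mysqli $db, ?string $raw): ?array {
    $id = parse_index($raw);
    if ($id === null) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM items WHERE idx = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with hypothetical connection parameters:
// $db = new mysqli('localhost', 'app', 'secret', 'appdb');
// $item = fetch_item($db, $_GET['index'] ?? null);
```

The length bound in `parse_index` matters on its own: even where the driver escapes values, it keeps an arbitrarily long client-controlled token from ever reaching the server's parser.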