Debian Bug report logs - #210403
Buffer overflow in MySQL

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Christian Hammers <ch@debian.org>

To: submit@bugs.debian.org

Subject: Buffer overflow in MySQL

Date: Thu, 11 Sep 2003 10:37:42 +0200

[Message part 1 (text/plain, inline)]

Package: mysql-server
Version: All 3.23.x and 4.0.x up to now.
Severity: critical
Tags: security patch

Hello

This mail was just received. I will upload a sarge package this evening.
Security team, if you see this mail (woody is affected), please confirm
and tell me if you need further help or do a DSA alone.

As many webhosters use mysql with permissions that allow users to change
their passwords themselve and use sometimes insecure programs like
phpMyAdmin which would then allow to gain a root shell, I think a DSA
is justified.

bye,

-christian-

[Message part 2 (message/rfc822, inline)]

From: Jedi/Sector One <j@c9x.org>

To: bugtraq@securityfocus.com

Subject: [bugtraq] Buffer overflow in MySQL

Date: Wed, 10 Sep 2003 23:29:56 +0159

Product : MySQL
Date    : 10/09/2003
Author  : Frank Denis <j@pureftpd.org>


   ------------------------[ Product description ]------------------------

  From the web site :

  MySQL is the world's most popular open source database, recognized for its
speed and reliability.

  Today MySQL is the most popular open source database server in the world
with more than 4 million installations powering websites, datawarehouses,
business applications, logging systems and more.

  Home page : http://www.mysql.com/


      ------------------------[ Vulnerability ]------------------------

  Passwords of MySQL users are stored in the "User" table, part of the "mysql"
database, specifically in the "Password" field.

  In MySQL 4.0.x and 3.23.x, these passwords are hashed and stored as a 16
characters long hexadecimal value, specifically in the "Password" field.

  Unfortunately, a function involved in password checking misses correct bounds
checking. By filling a "Password" field a value wider than 16 characters, a
buffer overflow will occur.


      ------------------------[ Implications ]------------------------

  Anyone with global administrative privileges on a MySQL server may execute
arbitrary code even on a host he isn't supposed to have a shell on, with the
privileges of the system account running the MySQL server.


	 ------------------------[ Details ]------------------------
	 
  The get_salt_from_password() function defined in sql/password.c takes an
arbitrary long hex password and returns an arbitrary long binary array with
the previous decoded values :

void get_salt_from_password(ulong *res,const char *password)
{
	res[0]=res[1]=0;
	if (password)
	{
		while (*password)
		{
			ulong val=0;
			uint i;
			for (i=0 ; i < 8 ; i++)
			val=(val << 4)+char_val(*password++);
			*res++=val;
		}
	}
	return;
}

  This function is called sql/sql_acl.cc to check for access control.
  
  It is passed the raw content of the Password field from the User table of
the mysql database.

  The process aborts if then length is not a multiple of 8 but this is the
only check before get_salt_from_password() is actually called.

  The overflow occurs on a local ACL_USER instance in acl_init() and
successful exploitation of that bug is trivial on some platforms. On most
Linux systems the return address needs about 444 bytes to get overwritten.

  Harmless proof of concept :
  
  > USE mysql;
  > ALTER TABLE User CHANGE COLUMN Password Password LONGTEXT;
  > UPDATE User SET Password =
'123456781234567812345678123456781234567812345678123456781234567812345678
 123456781234567812345678123456781234567812345678123456781234567812345678
 123456781234567812345678123456781234567812345678123456781234567812345678
 12345678123456781234567812345678...' WHERE User = 'abcd';
  > FLUSH PRIVILEGES;
  
  [Connection lost]
  
  mysqld_safe/safe_mysqld log :
  
030806 21:05:43  mysqld restarted
030806 21:05:43  mysqld restarted
030806 21:05:43  mysqld restarted
030806 21:05:43  mysqld restarted

  MySQL log : tons of

mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong

  Confirmed on OpenBSD 3.3-RELEASE, FreeBSD 4.8-STABLE and Gentoo Linux 1.4.


    ------------------------[ Affected versions ]------------------------
	 
  All versions of MySQL up to and including 4.0.14 are likely to be
vulnerable.

  All versions of MySQL up to and including 3.0.57 are also likely to be
affected.


       ------------------------[ Workarounds ]------------------------
	 
  None.
  
  But to mitigate the impact of this kind of vulnerability never let the
server run with "root" privileges. Create a dedicated user and add the
--user=<dedicated user> command-line switch to start the daemon. Or edit
your "my.cnf" file to achieve similar results. There is no loss of
functionnality when the server runs without root privileges.


	   ------------------------[ Fix ]------------------------

  The following patch (applies fine to 4.0.14, should also work on earlier
releases with minor fuzz) fixes the bug :

--- mysql-4.0.14-old/sql/sql_acl.cc	2003-07-18 16:57:25.000000000 +0200
+++ mysql-4.0.14/sql/sql_acl.cc	2003-09-10 23:21:13.559759576 +0200
@@ -233,7 +233,7 @@
 		      "Found old style password for user '%s'. Ignoring user. (You may want to restart mysqld using --old-protocol)",
 		      user.user ? user.user : ""); /* purecov: tested */
     }
-    else if (length % 8)		// This holds true for passwords
+    else if (length % 8 || length > 16)		// This holds true for passwords
     {
       sql_print_error(
 		      "Found invalid password for user: '%s@%s'; Ignoring user",


      ------------------------[ Vendor status ]------------------------
	 
  MySQL AB has been informed of this vulnerability on Wed, 6 Aug 2003.
  
  The issue was confirmed and fixed in the developpment tree the next day.
  
  [side note: the MySQL developpment team is not only very reactive, the guys
are also extremely nice]

  MySQL 4.0.15, which includes a fix for this vulnerability and other
unrelated bugs, is now available for download from the following location :

  http://www.mysql.com/downloads/mysql-4.0.html


-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

Message #10 received at 210403@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>

To: Christian Hammers <ch@debian.org>, 210403@bugs.debian.org

Subject: Re: Bug#210403: Buffer overflow in MySQL

Date: Thu, 11 Sep 2003 10:02:48 -0400

On Thu, Sep 11, 2003 at 10:37:42AM +0200, Christian Hammers wrote:

> This mail was just received. I will upload a sarge package this evening.
> Security team, if you see this mail (woody is affected), please confirm
> and tell me if you need further help or do a DSA alone.

The patch should be sufficient, thanks.

> As many webhosters use mysql with permissions that allow users to change
> their passwords themselve and use sometimes insecure programs like
> phpMyAdmin which would then allow to gain a root shell, I think a DSA
> is justified.

A root shell, really?  Shouldn't they only be able to gain a shell as
'mysql' (on Debian)?

So the impact would be something like:

Users who are able to change the passwords of mysql users may be able to
exploit this vulnerability to gain a shell with the privileges of the mysql
server (usually running as the 'mysql' user).

-- 
 - mdz

Message #15 received at 210403@bugs.debian.org (full text, mbox, reply):

From: Christian Hammers <ch@debian.org>

To: Matt Zimmerman <mdz@debian.org>

Cc: 210403@bugs.debian.org

Subject: Re: Bug#210403: Buffer overflow in MySQL

Date: Thu, 11 Sep 2003 16:44:27 +0200

Hi Matt

On Thu, Sep 11, 2003 at 10:02:48AM -0400, Matt Zimmerman wrote:
> > This mail was just received. I will upload a sarge package this evening.
> > Security team, if you see this mail (woody is affected), please confirm
> > and tell me if you need further help or do a DSA alone.
> 
> The patch should be sufficient, thanks.

MySQL just confirmed it to be valid to.

> > As many webhosters use mysql with permissions that allow users to change
> > their passwords themselve and use sometimes insecure programs like
> > phpMyAdmin which would then allow to gain a root shell, I think a DSA
> > is justified.
> 
> A root shell, really?  Shouldn't they only be able to gain a shell as
> 'mysql' (on Debian)?

No, on a default Debian installation only a shell as unix-user "mysql".
And even that only if the mysql-user has the privilege to alter the
main password database and change the column type of the passwort
field from char(16) to something longer, so a user who just have
the right to alter his password will not be enough (the problem is
in the password verification, one normally cannot store such long
passwords!)

> So the impact would be something like:

The original bugtraq announcement describes it quite well:
> Anyone with global administrative privileges on a MySQL server may
> execute arbitrary code even on a host he isn't supposed to have a shell 
> on, with the privileges of the system account running the MySQL server.

or
> Users who are able to [-- change the passwords of mysql users--]
> [++use the "ALTER TABLE" command on the "mysql" database ++]
> may be able to exploit this vulnerability to gain a shell with 
> the privileges of the mysql server (usually running as the 'mysql' user).

bye,

-christian-

Message #20 received at 210403@bugs.debian.org (full text, mbox, reply):

From: Guillaume Plessis <gui@moolfreet.com>

To: 210403@bugs.debian.org

Subject: Re: Bug#210403: Buffer overflow in MySQL

Date: Thu, 11 Sep 2003 16:54:07 +0200

[Message part 1 (text/plain, inline)]

Le Thu, Sep 11, 2003 at 10:02:48 -0400, Matt Zimmerman a écrit:
> On Thu, Sep 11, 2003 at 10:37:42AM +0200, Christian Hammers wrote:
> 
> > This mail was just received. I will upload a sarge package this evening.
> > Security team, if you see this mail (woody is affected), please confirm
> > and tell me if you need further help or do a DSA alone.
> 
> The patch should be sufficient, thanks.

For information, this bug has been fixed in the just-released 4.0.15
distribution

http://lists.mysql.com/list.php?list=announce&post=168

I don't know anything about 3.23. releases..

Regards

-- 
Guillaume Plessis                     <gui@moolfreet.com>
GnuPG Key-ID: BA729AD0

[Message part 2 (application/pgp-signature, inline)]

Message #25 received at 210403@bugs.debian.org (full text, mbox, reply):

From: Zak Greant <zak@mysql.com>

To: 210403@bugs.debian.org

Subject: Buffer overflow in MySQL corrected in version 4.0.15

Date: Thu, 11 Sep 2003 14:51:00 +0000

See http://lists.mysql.com/list.php?list=announce&post=168 for full 
release announcement.

Relevant excerpt is:

   * Fixed buffer overflow in SET PASSWORD which could potentially be
   exploited by MySQL users with root privileges to execute random code 
or
   to gain shell access (thanks to Jedi/Sector One for spotting and
   reporting this one).

Cheers!
--
Zak Greant
MySQL AB Community Advocate

Message #30 received at 210403@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>

To: Christian Hammers <ch@debian.org>

Cc: 210403@bugs.debian.org

Subject: Re: Bug#210403: Buffer overflow in MySQL

Date: Thu, 11 Sep 2003 10:51:46 -0400

On Thu, Sep 11, 2003 at 04:44:27PM +0200, Christian Hammers wrote:

> > Users who are able to [-- change the passwords of mysql users--]
> > [++use the "ALTER TABLE" command on the "mysql" database ++]
> > may be able to exploit this vulnerability to gain a shell with 
> > the privileges of the mysql server (usually running as the 'mysql' user).

Great, thanks.  I'll also mention that, in the default configuration, 'root'
is the only user who has this permission.  Is that correct?

-- 
 - mdz

Message #35 received at 210403@bugs.debian.org (full text, mbox, reply):

From: Christian Hammers <ch@westend.com>

To: Matt Zimmerman <mdz@debian.org>

Cc: 210403@bugs.debian.org

Subject: Re: Bug#210403: Buffer overflow in MySQL

Date: Thu, 11 Sep 2003 16:53:31 +0200

On Thu, Sep 11, 2003 at 10:51:46AM -0400, Matt Zimmerman wrote:
> On Thu, Sep 11, 2003 at 04:44:27PM +0200, Christian Hammers wrote:
> 
> > > Users who are able to [-- change the passwords of mysql users--]
> > > [++use the "ALTER TABLE" command on the "mysql" database ++]
> > > may be able to exploit this vulnerability to gain a shell with 
> > > the privileges of the mysql server (usually running as the 'mysql' user).
> 
> Great, thanks.  I'll also mention that, in the default configuration, 'root'
> is the only user who has this permission.  Is that correct?

Yes.

bye,

-christian-

-- 
Christian Hammers             WESTEND GmbH  |  Internet-Business-Provider
Technik                       CISCO Systems Partner - Authorized Reseller
                              Lütticher Straße 10      Tel 0241/701333-11
ch@westend.com                D-52064 Aachen              Fax 0241/911879

Message #40 received at 210403@bugs.debian.org (full text, mbox, reply):

From: Christian Hammers <ch@debian.org>

To: Guillaume Plessis <gui@moolfreet.com>, 210403@bugs.debian.org

Subject: Re: Bug#210403: Buffer overflow in MySQL

Date: Thu, 11 Sep 2003 17:13:30 +0200

On Thu, Sep 11, 2003 at 04:54:07PM +0200, Guillaume Plessis wrote:
> For information, this bug has been fixed in the just-released 4.0.15
> distribution
> http://lists.mysql.com/list.php?list=announce&post=168
> 
> I don't know anything about 3.23. releases..

According to information from Lenz Grimmer, a MySQL employee, they
are working on a new version, too. The patch is already in the
bitkeeper tree:

http://mysql.bkbits.net:8080/mysql-3.23/diffs/sql/sql_acl.cc@1.43?nav=index.html
+|ChangeSet@-8w|cset@1.1401.1.1|hist/sql/sql_acl.cc

bye,

-christian-

Message #45 received at 210403@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>

To: 210403@bugs.debian.org

Subject: CVE assignment

Date: Thu, 11 Sep 2003 17:37:07 -0400

The Common Vulnerabilities and Exposures project has assigned the name
"CAN-2003-0780" to this issue.  Please use this name in any changelogs or
announcements relating to this issue.

-- 
 - mdz

Message #50 received at 210403-done@bugs.debian.org (full text, mbox, reply):

From: Christian Hammers <ch@debian.org>

To: 210403-done@bugs.debian.org

Subject: Closed!

Date: Fri, 3 Oct 2003 15:50:40 +0200

Argh, this version actually closes the security bug but was not
installed because exactly this critical bug prevented its installation.
Sorry for just trusting the "Accepted" installer message and not
watching the package files...

bye,

-christian-

Send a report that this bug log contains spam.