Debian Bug report logs - #210403
Buffer overflow in MySQL

Package: mysql-server; Maintainer for mysql-server is Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>; Source for mysql-server is src:mysql-5.5.

Reported by: Christian Hammers <ch@debian.org>

Date: Thu, 11 Sep 2003 08:48:02 UTC

Severity: critical

Tags: patch, security

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#210403; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
New Bug report received and forwarded. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: submit@bugs.debian.org
Subject: Buffer overflow in MySQL
Date: Thu, 11 Sep 2003 10:37:42 +0200
[Message part 1 (text/plain, inline)]
Package: mysql-server
Version: All 3.23.x and 4.0.x up to now.
Severity: critical
Tags: security patch

Hello

This mail was just received. I will upload a sarge package this evening.
Security team, if you see this mail (woody is affected), please confirm
and tell me if you need further help or do a DSA alone.

As many webhosters use mysql with permissions that allow users to change
their passwords themselves and use sometimes insecure programs like
phpMyAdmin which would then allow gaining a root shell, I think a DSA
is justified.

bye,

-christian-
[Message part 2 (message/rfc822, inline)]
From: Jedi/Sector One <j@c9x.org>
To: bugtraq@securityfocus.com
Subject: [bugtraq] Buffer overflow in MySQL
Date: Wed, 10 Sep 2003 23:29:56 +0159
Product : MySQL
Date    : 10/09/2003
Author  : Frank Denis <j@pureftpd.org>


   ------------------------[ Product description ]------------------------

  From the web site :

  MySQL is the world's most popular open source database, recognized for its
speed and reliability.

  Today MySQL is the most popular open source database server in the world
with more than 4 million installations powering websites, datawarehouses,
business applications, logging systems and more.

  Home page : http://www.mysql.com/


      ------------------------[ Vulnerability ]------------------------

  Passwords of MySQL users are stored in the "User" table, part of the "mysql"
database, specifically in the "Password" field.

  In MySQL 4.0.x and 3.23.x, these passwords are hashed and stored as a
16-character-long hexadecimal value, specifically in the "Password" field.

  Unfortunately, a function involved in password checking misses correct bounds
checking. By filling a "Password" field with a value wider than 16 characters, a
buffer overflow will occur.


      ------------------------[ Implications ]------------------------

  Anyone with global administrative privileges on a MySQL server may execute
arbitrary code even on a host he isn't supposed to have a shell on, with the
privileges of the system account running the MySQL server.


       ------------------------[ Details ]------------------------

  The get_salt_from_password() function defined in sql/password.c takes an
arbitrarily long hex password and returns an arbitrarily long binary array with
the previously decoded values :

void get_salt_from_password(ulong *res,const char *password)
{
	res[0]=res[1]=0;			/* the caller passes a 2-element array */
	if (password)
	{
		while (*password)		/* runs until NUL: no bound on res at all */
		{
			ulong val=0;
			uint i;
			for (i=0 ; i < 8 ; i++)	/* 8 hex digits -> one ulong */
			val=(val << 4)+char_val(*password++);
			*res++=val;			/* third and later words are written past res[1] */
		}
	}
	return;
}

  This function is called from sql/sql_acl.cc to check for access control.

  It is passed the raw content of the Password field from the User table of
the mysql database.

  The process aborts if the length is not a multiple of 8 but this is the
only check before get_salt_from_password() is actually called.

  The overflow occurs on a local ACL_USER instance in acl_init() and
successful exploitation of that bug is trivial on some platforms. On most
Linux systems the return address needs about 444 bytes to get overwritten.

  Harmless proof of concept :
  
  > USE mysql;
  > ALTER TABLE User CHANGE COLUMN Password Password LONGTEXT;
  > UPDATE User SET Password =
'123456781234567812345678123456781234567812345678123456781234567812345678
 123456781234567812345678123456781234567812345678123456781234567812345678
 123456781234567812345678123456781234567812345678123456781234567812345678
 12345678123456781234567812345678...' WHERE User = 'abcd';
  > FLUSH PRIVILEGES;
  
  [Connection lost]
  
  mysqld_safe/safe_mysqld log :
  
030806 21:05:43  mysqld restarted
030806 21:05:43  mysqld restarted
030806 21:05:43  mysqld restarted
030806 21:05:43  mysqld restarted

  MySQL log : tons of

mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong

  Confirmed on OpenBSD 3.3-RELEASE, FreeBSD 4.8-STABLE and Gentoo Linux 1.4.


    ------------------------[ Affected versions ]------------------------
	 
  All versions of MySQL up to and including 4.0.14 are likely to be
vulnerable.

  All versions of MySQL up to and including 3.0.57 are also likely to be
affected.


       ------------------------[ Workarounds ]------------------------

  None.

  But to mitigate the impact of this kind of vulnerability never let the
server run with "root" privileges. Create a dedicated user and add the
--user=<dedicated user> command-line switch to start the daemon. Or edit
your "my.cnf" file to achieve similar results. There is no loss of
functionality when the server runs without root privileges.


	   ------------------------[ Fix ]------------------------

  The following patch (applies fine to 4.0.14, should also work on earlier
releases with minor fuzz) fixes the bug :

--- mysql-4.0.14-old/sql/sql_acl.cc	2003-07-18 16:57:25.000000000 +0200
+++ mysql-4.0.14/sql/sql_acl.cc	2003-09-10 23:21:13.559759576 +0200
@@ -233,7 +233,7 @@
 		      "Found old style password for user '%s'. Ignoring user. (You may want to restart mysqld using --old-protocol)",
 		      user.user ? user.user : ""); /* purecov: tested */
     }
-    else if (length % 8)		// This holds true for passwords
+    else if (length % 8 || length > 16)		// This holds true for passwords
     {
       sql_print_error(
 		      "Found invalid password for user: '%s@%s'; Ignoring user",


      ------------------------[ Vendor status ]------------------------

  MySQL AB has been informed of this vulnerability on Wed, 6 Aug 2003.

  The issue was confirmed and fixed in the development tree the next day.

  [side note: the MySQL development team is not only very reactive, the guys
are also extremely nice]

  MySQL 4.0.15, which includes a fix for this vulnerability and other
unrelated bugs, is now available for download from the following location :

  http://www.mysql.com/downloads/mysql-4.0.html


-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
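As an added example (not MySQL's code and not from the advisory), the decode loop from the Details section is shown here beside the length check that the patch adds in acl_init(), so that a "Password" value longer than 16 hex characters is rejected before it can drive the loop past res[1]. Names other than get_salt_from_password and char_val are my own, and char_val's treatment of non-hex characters is an assumption.

```c
/* Constructed example: a bounded version of the advisory's decode loop. */
#include <stddef.h>
#include <string.h>

typedef unsigned long ulong;

/* Hex digit to its value. Non-hex characters map to 0; this leniency is an
 * assumption about the original char_val() helper, not verified here. */
static ulong char_val(char c)
{
    if (c >= '0' && c <= '9') return (ulong)(c - '0');
    if (c >= 'a' && c <= 'f') return (ulong)(c - 'a' + 10);
    if (c >= 'A' && c <= 'F') return (ulong)(c - 'A' + 10);
    return 0;
}

/* The acl_init() check from the patch: the stored hash must be a multiple
 * of 8 characters and at most 16, otherwise the user row is ignored.
 * Returns 1 if the value may be passed to the decoder, 0 if it is rejected. */
int password_hash_is_valid(const char *password)
{
    size_t length = strlen(password);
    if (length % 8 || length > 16)
        return 0;
    return 1;
}

/* Bounded decode: never writes more than two words into res. Returns the
 * number of words decoded, or -1 if the input failed the length check. */
int get_salt_from_password_checked(ulong res[2], const char *password)
{
    res[0] = res[1] = 0;
    if (!password_hash_is_valid(password))
        return -1;
    int words = 0;
    while (*password && words < 2) {       /* bounded by res, not by NUL */
        ulong val = 0;
        for (int i = 0; i < 8; i++)        /* 8 hex digits -> one ulong */
            val = (val << 4) + char_val(*password++);
        res[words++] = val;
    }
    return words;
}

/* Builds a constructed hash of n characters using the advisory's PoC pattern
 * ("12345678" repeated) and reports whether the check rejects it. Returns
 * 1 if rejected, 0 if accepted, -1 if n does not fit the local buffer. */
int overlong_hash_rejected(size_t n)
{
    char buf[1024];
    if (n >= sizeof buf) return -1;
    for (size_t i = 0; i < n; i++) buf[i] = "12345678"[i % 8];
    buf[n] = '\0';
    return !password_hash_is_valid(buf);
}
```

A 256-character value passes the old `length % 8` test alone, which is why the added `length > 16` clause matters.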


Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#210403; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #10 received at 210403@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Christian Hammers <ch@debian.org>, 210403@bugs.debian.org
Subject: Re: Bug#210403: Buffer overflow in MySQL
Date: Thu, 11 Sep 2003 10:02:48 -0400
On Thu, Sep 11, 2003 at 10:37:42AM +0200, Christian Hammers wrote:

> This mail was just received. I will upload a sarge package this evening.
> Security team, if you see this mail (woody is affected), please confirm
> and tell me if you need further help or do a DSA alone.

The patch should be sufficient, thanks.

> As many webhosters use mysql with permissions that allow users to change
> their passwords themselves and use sometimes insecure programs like
> phpMyAdmin which would then allow gaining a root shell, I think a DSA
> is justified.

A root shell, really?  Shouldn't they only be able to gain a shell as
'mysql' (on Debian)?

So the impact would be something like:

Users who are able to change the passwords of mysql users may be able to
exploit this vulnerability to gain a shell with the privileges of the mysql
server (usually running as the 'mysql' user).

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#210403; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #15 received at 210403@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Matt Zimmerman <mdz@debian.org>
Cc: 210403@bugs.debian.org
Subject: Re: Bug#210403: Buffer overflow in MySQL
Date: Thu, 11 Sep 2003 16:44:27 +0200
Hi Matt

On Thu, Sep 11, 2003 at 10:02:48AM -0400, Matt Zimmerman wrote:
> > This mail was just received. I will upload a sarge package this evening.
> > Security team, if you see this mail (woody is affected), please confirm
> > and tell me if you need further help or do a DSA alone.
> 
> The patch should be sufficient, thanks.

MySQL just confirmed it to be valid too.

> > As many webhosters use mysql with permissions that allow users to change
> > their passwords themselves and use sometimes insecure programs like
> > phpMyAdmin which would then allow gaining a root shell, I think a DSA
> > is justified.
> 
> A root shell, really?  Shouldn't they only be able to gain a shell as
> 'mysql' (on Debian)?

No, on a default Debian installation only a shell as unix-user "mysql".
And even that only if the mysql-user has the privilege to alter the
main password database and change the column type of the password
field from char(16) to something longer, so a user who just has
the right to alter his password will not be enough (the problem is
in the password verification, one normally cannot store such long
passwords!)

> So the impact would be something like:

The original bugtraq announcement describes it quite well:
> Anyone with global administrative privileges on a MySQL server may
> execute arbitrary code even on a host he isn't supposed to have a shell 
> on, with the privileges of the system account running the MySQL server.

or
> Users who are able to [-- change the passwords of mysql users--]
> [++use the "ALTER TABLE" command on the "mysql" database ++]
> may be able to exploit this vulnerability to gain a shell with 
> the privileges of the mysql server (usually running as the 'mysql' user).

bye,

-christian-




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#210403; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Guillaume Plessis <gui@moolfreet.com>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #20 received at 210403@bugs.debian.org (full text, mbox):

From: Guillaume Plessis <gui@moolfreet.com>
To: 210403@bugs.debian.org
Subject: Re: Bug#210403: Buffer overflow in MySQL
Date: Thu, 11 Sep 2003 16:54:07 +0200
[Message part 1 (text/plain, inline)]
On Thu, Sep 11, 2003 at 10:02:48 -0400, Matt Zimmerman wrote:
> On Thu, Sep 11, 2003 at 10:37:42AM +0200, Christian Hammers wrote:
> 
> > This mail was just received. I will upload a sarge package this evening.
> > Security team, if you see this mail (woody is affected), please confirm
> > and tell me if you need further help or do a DSA alone.
> 
> The patch should be sufficient, thanks.

For information, this bug has been fixed in the just-released 4.0.15
distribution

http://lists.mysql.com/list.php?list=announce&post=168

I don't know anything about 3.23 releases.

Regards

-- 
Guillaume Plessis                     <gui@moolfreet.com>
GnuPG Key-ID: BA729AD0
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#210403; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Zak Greant <zak@mysql.com>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #25 received at 210403@bugs.debian.org (full text, mbox):

From: Zak Greant <zak@mysql.com>
To: 210403@bugs.debian.org
Subject: Buffer overflow in MySQL corrected in version 4.0.15
Date: Thu, 11 Sep 2003 14:51:00 +0000
See http://lists.mysql.com/list.php?list=announce&post=168 for full 
release announcement.

Relevant excerpt is:

   * Fixed buffer overflow in SET PASSWORD which could potentially be
     exploited by MySQL users with root privileges to execute random code or
     to gain shell access (thanks to Jedi/Sector One for spotting and
     reporting this one).

Cheers!
--
Zak Greant
MySQL AB Community Advocate




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#210403; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #30 received at 210403@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Christian Hammers <ch@debian.org>
Cc: 210403@bugs.debian.org
Subject: Re: Bug#210403: Buffer overflow in MySQL
Date: Thu, 11 Sep 2003 10:51:46 -0400
On Thu, Sep 11, 2003 at 04:44:27PM +0200, Christian Hammers wrote:

> > Users who are able to [-- change the passwords of mysql users--]
> > [++use the "ALTER TABLE" command on the "mysql" database ++]
> > may be able to exploit this vulnerability to gain a shell with 
> > the privileges of the mysql server (usually running as the 'mysql' user).

Great, thanks.  I'll also mention that, in the default configuration, 'root'
is the only user who has this permission.  Is that correct?

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#210403; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@westend.com>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #35 received at 210403@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@westend.com>
To: Matt Zimmerman <mdz@debian.org>
Cc: 210403@bugs.debian.org
Subject: Re: Bug#210403: Buffer overflow in MySQL
Date: Thu, 11 Sep 2003 16:53:31 +0200
On Thu, Sep 11, 2003 at 10:51:46AM -0400, Matt Zimmerman wrote:
> On Thu, Sep 11, 2003 at 04:44:27PM +0200, Christian Hammers wrote:
> 
> > > Users who are able to [-- change the passwords of mysql users--]
> > > [++use the "ALTER TABLE" command on the "mysql" database ++]
> > > may be able to exploit this vulnerability to gain a shell with 
> > > the privileges of the mysql server (usually running as the 'mysql' user).
> 
> Great, thanks.  I'll also mention that, in the default configuration, 'root'
> is the only user who has this permission.  Is that correct?

Yes.

bye,

-christian-

-- 
Christian Hammers             WESTEND GmbH  |  Internet-Business-Provider
Technik                       CISCO Systems Partner - Authorized Reseller
                              Lütticher Straße 10      Tel 0241/701333-11
ch@westend.com                D-52064 Aachen              Fax 0241/911879




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#210403; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #40 received at 210403@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Guillaume Plessis <gui@moolfreet.com>, 210403@bugs.debian.org
Subject: Re: Bug#210403: Buffer overflow in MySQL
Date: Thu, 11 Sep 2003 17:13:30 +0200
On Thu, Sep 11, 2003 at 04:54:07PM +0200, Guillaume Plessis wrote:
> For information, this bug has been fixed in the just-released 4.0.15
> distribution
> http://lists.mysql.com/list.php?list=announce&post=168
> 
> I don't know anything about 3.23. releases..

According to information from Lenz Grimmer, a MySQL employee, they
are working on a new version, too. The patch is already in the
bitkeeper tree:

http://mysql.bkbits.net:8080/mysql-3.23/diffs/sql/sql_acl.cc@1.43?nav=index.html|ChangeSet@-8w|cset@1.1401.1.1|hist/sql/sql_acl.cc

bye,

-christian-




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#210403; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #45 received at 210403@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: 210403@bugs.debian.org
Subject: CVE assignment
Date: Thu, 11 Sep 2003 17:37:07 -0400
The Common Vulnerabilities and Exposures project has assigned the name
"CAN-2003-0780" to this issue.  Please use this name in any changelogs or
announcements relating to this issue.

-- 
 - mdz



Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #50 received at 210403-done@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 210403-done@bugs.debian.org
Subject: Closed!
Date: Fri, 3 Oct 2003 15:50:40 +0200
Argh, this version actually closes the security bug but was not
installed because exactly this critical bug prevented its installation.
Sorry for just trusting the "Accepted" installer message and not
watching the package files...

bye,

-christian-






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 10:37:16 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.