SecurityTracker.com
Category:   Application (Database)  >   MySQL
Vendors:   MySQL.com
MySQL Overflow and Authentication Bugs May Let Remote Users Execute Code or Access Database Accounts
SecurityTracker Alert ID:  1005800
SecurityTracker URL:  http://securitytracker.com/id/1005800
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 12 2002
Impact:   Denial of service via local system, Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.23.53a and prior versions; 4.0.5a and prior versions
Description:   Several vulnerabilities were reported in MySQL. A remote user could potentially execute arbitrary code on the system. A remote user with a valid database account could gain access to other accounts on the database.

e-matters reported that two bugs in the MySQL server allow a remote authenticated user to cause the server to crash. One of those bugs may also allow a remote user to bypass the password authentication process or execute arbitrary code on the server with the privileges of the 'mysqld' process.

An unsigned integer vulnerability was reported in the server. When processing the COM_TABLE_DUMP packet, two characters are converted to unsigned integers. If the characters are negative, the integer conversion process will result in a large unsigned number. The report states that this can probably only be exploited to cause a denial of service condition, as it is a heap-to-heap copy operation and there is no memory allocating function within the SIGSEGV handler.

An authentication vulnerability in the COM_CHANGE_USER command was reported. This flaw is a previously disclosed bug that was only partially corrected. A client can send a one-character response as part of the challenge-response transaction to cause the server to create a one-character expected response. A remote client can reportedly guess the correct response in 32 attempts or fewer, as the allowable character set is only 32 characters.

A remote user with a valid MySQL account can access other user accounts. A local user could exploit this to gain access to the mysql root account and access, modify, or delete the database.

According to the report, a remote user can send a longer than expected response to trigger a stack overflow and overwrite the saved instruction pointer with data generated by the password verification algorithm's random number generator.
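The two COM_CHANGE_USER issues above (a too-short and a too-long response) both come from letting the client decide how much of the response is processed. The following is an added illustration, not MySQL source code: the function names and the 8-character EXPECTED_LEN are assumptions of this simplified model, which shows a client-bounded comparison beside one that requires the exact length before anything is compared or copied.

```c
#include <stddef.h>

#define EXPECTED_LEN 8   /* assumed length of a full response in this model */

/*
 * Flawed pattern (simplified model): the loop is bounded by the client's
 * string, so only as many characters as the client sent are ever compared.
 * A one-character response is accepted when that single character matches.
 */
int check_client_bounded(const char *expected, const char *response)
{
    if (*response == '\0')
        return 0;
    while (*response) {
        if (*response++ != *expected++)
            return 0;
    }
    return 1;
}

/*
 * Hardened pattern: the server fixes the length. Short and oversized
 * responses are rejected up front, and the comparison always covers every
 * expected character without stopping at the first mismatch.
 */
int check_exact(const char *expected, const char *response, size_t response_len)
{
    unsigned char diff = 0;

    if (response_len != EXPECTED_LEN)
        return 0;
    for (size_t i = 0; i < EXPECTED_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ response[i]);
    return diff == 0;
}
```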

On the client side, a heap overflow vulnerability was reported in the mysql client library. This can be triggered via a SELECT query statement (or other statements). This could allow a user to execute arbitrary code on an application that is linked against libmysqlclient.

A read_one_row byte overwrite vulnerability was also reported in libmysqlclient. When the client library fetches one row from the server, field sizes are not verified against the defined boundaries. A specially crafted malicious packet can supply an arbitrary field size to overwrite arbitrary memory addresses with a '\0' null terminator. This could allow a remote user (with control of a database server) to execute arbitrary code on the system, or to crash the client.
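Both the COM_TABLE_DUMP length conversion and the read_one_row field-size issue described above involve a length taken from the wire and used without validation. The following is an added example, not code from MySQL or libmysqlclient: the [1-byte length][data] layout, the function names and the sample buffers are assumptions. It shows the signed conversion beside the unsigned one, and a field splitter that checks every length against the packet boundary before writing a terminator.

```c
#include <stddef.h>

/* Flawed decoding: where plain char is signed, a wire byte >= 0x80 is
 * negative and sign-extends into a huge unsigned value. */
unsigned int len_from_signed(signed char c) { return (unsigned int)c; }

/* Corrected decoding: a wire byte is always in the range 0..255. */
unsigned int len_from_byte(unsigned char c) { return (unsigned int)c; }

/*
 * Hypothetical hardened splitter for a constructed layout of nfields
 * consecutive [1-byte length][data] fields. Fields are NUL-terminated in
 * place, so the buffer needs one spare byte after the packet (buf_cap).
 * Returns 0 on success, -1 if any length points outside the packet.
 */
int split_fields(unsigned char *buf, size_t buf_cap, size_t pkt_len,
                 char **fields, int nfields)
{
    size_t pos = 0;
    unsigned char *prev_end = NULL;

    if (pkt_len >= buf_cap)
        return -1;                      /* no room for the final terminator */
    for (int i = 0; i < nfields; i++) {
        if (pos >= pkt_len)
            return -1;                  /* length byte missing */
        size_t len = len_from_byte(buf[pos]);
        if (prev_end)
            *prev_end = '\0';           /* reuses the length byte just read */
        pos++;
        if (len > pkt_len - pos)
            return -1;                  /* field would run past the packet */
        fields[i] = (char *)(buf + pos);
        pos += len;
        prev_end = buf + pos;
    }
    if (pos != pkt_len)
        return -1;                      /* unexpected trailing bytes */
    buf[pos] = '\0';                    /* inside buf: pkt_len < buf_cap */
    return 0;
}
```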

For the original e-matters advisory, see:

http://security.e-matters.de/advisories/042002.html

Impact:   A remote user could cause the MySQL server or MySQL client application to crash. A remote user could potentially execute arbitrary code on the server with the privileges of the database. A remote user with a valid database account could access other user accounts on the database.
Solution:   The vendor has released a fixed version (3.23.54), available at:

http://www.mysql.com/downloads/mysql-3.23.html

Vendor URL:  www.mysql.com/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 8 2003 (HP Issues Fix for HP Servicecontrol Manager) MySQL Overflow and Authentication Bugs May Let Remote Users Execute Code or Access Database Accounts
HP has described a fix for HP Servicecontrol Manager, which included a vulnerable version of the MySQL database.



Copyright 2017, SecurityGlobal.net LLC