The Community Forums


Mysql Vulnerabilities

Discussion in 'General Discussion' started by Myacen, Dec 12, 2002.

  1. Myacen

    Myacen Well-Known Member

    Joined:
    Apr 6, 2002
    Messages:
    222
    Likes Received:
    0
    Trophy Points:
    16
    A client posted this on our forums this morning

    [quote:4c916fe6d4]
    e-matters GmbH
    www.e-matters.de

    -= Security Advisory =-



    Advisory: Multiple MySQL vulnerabilities
    Release Date: 2002/12/12
    Last Modified: 2002/12/12
    Author: Stefan Esser [s.esser@e-matters.de]

    Application: MySQL <= 3.23.53a, <= 4.0.5a
    Severity: Several vulnerabilities within (lib)MySQL could
    allow (remote) compromise of client and/or server.
    Risk: Medium to critical
    Vendor Status: Vendor released MySQL 3.23.54
    Reference: http://security.e-matters.de/advisories/042002.html



    Overview:

    We have discovered two flaws within the MySQL server that can be used
    by any MySQL user to crash the server. Furthermore one of the flaws can
    be used to bypass the MySQL password check or to execute arbitrary code
    with the privileges of the user running mysqld.

    We have also discovered an arbitrary size heap overflow within the mysql
    client library and another vulnerability that allows to write '\0' to any
    memory address. Both flaws could allow DOS attacks against or arbitrary
    code execution within anything linked against libmysqlclient.


    Details:

    While auditing the MySQL sourcetree we discovered several bugs within
    the MySQL client and server that are listed below:


    +++ SERVER +++ COM_TABLE_DUMP - Signed Integer Vulnerability

    When handling the COM_TABLE_DUMP package MySQL < 4.x takes two chars
    from the packet, casts them directly to unsigned integers and uses
    them as length parameters for memcpy. Obviously negative values within
    the chars will turn into very big unsigned numbers. Because this is a
    heap to heap copy operation and there is no memory allocating function
    within the SIGSEGV handler we strongly believe this bug can only be used
    for denial of service attacks. Depending on the packet mysqld will
    directly crash or hang in an endless loop of segmentation faults.
    This was tested against Windows, Linux and FreeBSD systems.


    +++ SERVER +++ COM_CHANGE_USER - Password Length Vulnerability

    In February 2000 Robert van der Meulen discovered a flaw within the
    main password authentication system of MySQL: The MySQL challenge
    response algorithm creates an expected response with exactly the
    length of the response provided by the client. So if the client sends
    only a one char response MySQL will check only one byte. But this
    means it is possible to give the correct response with only 32 tries
    (because the charset is only 32 chars big). When this bug was fixed
    in 2000 the MySQL authors simply added a check in the server that the
    response must be 8 chars long. However they forgot to add this check
    to the COM_CHANGE_USER command, too. So it is still possible for an
    attacker with a valid mysql-account to compromise the other accounts
    that are allowed to login from the same host. For a local user this
    means he can break into the mysql root account and so compromise all
    databases. This is especially dangerous in a shared environment or if
    the root user is allowed to login from other hosts than localhost.
    While the attacker can supply a one byte response to break into the
    other accounts he can also send an oversized one. If the response is
    longer than 16 chars the internal created expected answer overflows
    a stack buffer. If the response is long enough it is possible to
    overwrite the saved instruction pointer with bytes that are generated
    by the random number generator of the password verification algorithm.
    While this sounds hard or impossible to exploit, we successfully
    exploited this bug on our Linux machines. Due to the fact that mysql
    restarts on crash you have unlimited tries. Because of the limited
    set of characters generated by the random number generator we strongly
    believe that this bug is not exploitable on Windows, because it
    is not possible to overwrite the instruction pointer with valid
    controllable addresses.


    +++ CLIENT +++ libmysqlclient read_rows Overflow

    When the MySQL client library receives answer rows from the server it
    wants to copy the answers into another buffer. Therefore it loops
    through the returned fields and copies them to the other location.
    This is done without actually checking if the stored field sizes are
    within the destination buffer boundaries. Additionally there is also a
    terminating '\0' added to the end of all fields without checking for
    enough space within the destination buffer. Due to the fact that this
    bug gets already triggered by a simple SELECT query anything that is
    linked against libmysql is potentially vulnerable. Due to the nature
    of this bug it is trivial to use it as denial of service attack against
    the client applications (A negative fieldsize will do the job). If it
    possible to use this overflow to execute code on the client system
    is different from application to application. It depends mainly on the
    fact if malloc() overflows are exploitable on that particular system
    and if the application allows enough control over the heap structure
    by triggering different execution paths.


    +++ CLIENT +++ libmysqlclient read_one_row Byte Overwrites

    When the MySQL client library fetches one row from the MySQL server it
    loops through the fields to remember pointers to the field values.
    The field sizes are trusted and not checked against out of boundary
    conditions. After remembering the pointer the previous field gets
    zero terminated. A malformed packet can supply any field size and so
    overwrite some arbitrary memory address with a '\0'. An invalid address
    will of course crash the client. Because the address that is written to
    is arbitrary (maybe hard to supply because it must be supplied as delta)
    all clients that make use of fetching the answer row by row are most
    probably vulnerable to arbitrary code execution exploits.


    Finally it must be mentioned that an attacker can of course use a
    combination of the described attacks to break into a system or to get
    access to privileges he normally does not own. f.e. it is possible for
    a local user to crash the server with the COM_TABLE_DUMP bug (if he
    cannot takeover the root account with the COM_CHANGE_USER bug) and
    then bind a fake server to the MySQL port 3306. And with a fake server
    he can exploit the libmysqlclient overflow. Another scenario would be
    an attacker that tries to exploit his favourite mod_scripting language
    to takeover the webserver by connecting to an external fake server...


    Proof of Concept:

    e-matters is not going to release an exploit for these vulnerabilities
    to the public.


    Vendor Response:

    03. December 2002 - Vendor was contacted via email.
    04. December 2002 - Vendor informs me that bugs are fixed and that
    they started building new packages.
    12. December 2002 - Vendor has released MySQL 3.23.54 which fixes these
    vulnerabilities.


    Recommendation:

    We suggest anyone using MySQL to upgrade to a new or patched version
    as soon as possible.


    GPG-Key:

    http://security.e-matters.de/gpg_key.asc

    pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
    Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6


    Copyright 2002 Stefan Esser. All rights reserved.
    [/quote:4c916fe6d4]
     
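A length-checked row copy of the kind the read_rows and read_one_row sections of the advisory above describe libmysqlclient as lacking, added here as an example (not code from the advisory or from MySQL); the one-byte-length wire format, the field cap and the sample rows are constructed simplifications:

```c
#include <stdint.h>
#include <string.h>

#define MAX_FIELDS 8

/* Copy length-prefixed fields from pkt into dst as NUL-terminated strings,
 * recording a pointer to each in out[]. Returns the field count, or -1 if
 * any length is inconsistent with the packet or the destination buffer. */
int copy_row_fields(const uint8_t *pkt, size_t pkt_len,
                    char *dst, size_t dst_cap, const char *out[MAX_FIELDS])
{
    size_t in = 0, out_pos = 0;
    int n = 0;
    while (in < pkt_len) {
        if (n == MAX_FIELDS) return -1;
        /* Read the length as unsigned so a high byte (0xFE etc.) can never
         * be sign-extended into a huge memcpy count. */
        size_t len = pkt[in++];
        /* Bound it by the bytes actually left in the packet... */
        if (len > pkt_len - in) return -1;
        /* ...and by the room left in dst, including the terminating NUL. */
        if (len >= dst_cap - out_pos) return -1;
        memcpy(dst + out_pos, pkt + in, len);
        dst[out_pos + len] = '\0';
        out[n++] = dst + out_pos;
        out_pos += len + 1;
        in += len;
    }
    return n;
}

/* Constructed test rows (simplified wire format: 1-byte length + data).
 * BAD_ROW's second length byte 0xFE is -2 as a signed char and runs past
 * the end of the packet: the advisory's "negative fieldsize" case. */
static const uint8_t GOOD_ROW[] = {2, 'a', 'b', 3, 'c', 'd', 'e'};
static const uint8_t BAD_ROW[]  = {2, 'a', 'b', 0xFE, 'c', 'd', 'e'};
static char g_buf[16];
static const char *g_fields[MAX_FIELDS];

int parse_good(void) {
    return copy_row_fields(GOOD_ROW, sizeof GOOD_ROW, g_buf, sizeof g_buf, g_fields);
}
int parse_bad(void) {
    return copy_row_fields(BAD_ROW, sizeof BAD_ROW, g_buf, sizeof g_buf, g_fields);
}
/* Same well-formed row, but a destination too small for both fields plus NULs. */
int parse_small_dst(void) {
    char small[4];
    return copy_row_fields(GOOD_ROW, sizeof GOOD_ROW, small, sizeof small, g_fields);
}
```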
  2. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    heads up Nick.

    Is this going into the updates on /scripts/upcp ?

    Andy
     
  3. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    [quote:4391e8e6d7][i:4391e8e6d7]Originally posted by goal[/i:4391e8e6d7]

    heads up Nick.

    Is this going into the updates on /scripts/upcp ?

    Andy[/quote:4391e8e6d7]


    And if it does can we get a "heads up" beforehand? I'd be really p.o.'d if this caused sites to die in the middle of the night.
     
  4. TheVoice

    TheVoice Well-Known Member

    Joined:
    Feb 7, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    mysql updates are done through buildapache not a WHM upgrade. I'm sure nick has already put it into the new buildapache so I would suggest running /scripts/easyapache to upgrade.
     
  5. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    I thought only the mod connects for sql were done through buildapache. Almost all things to do with mysql come from upcp, from the updates.cpanel.net server.
     
  6. Myacen

    Myacen Well-Known Member

    Joined:
    Apr 6, 2002
    Messages:
    222
    Likes Received:
    0
    Trophy Points:
    16
    Actually the voice the current version 3.**.53a was done via upcp
     
  7. ozzi4648

    ozzi4648 Guest

    Updates to mysql is not done thru buildapache.sea. It is done thru upcp. I know this because i saw mysql update on my server one day long after i had done my last buildapache.sea update.
     
  8. BlueBeBe

    BlueBeBe Member

    Joined:
    Aug 14, 2001
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    So is there a possibility to upgrade MySQL now?
     
  9. bdraco

    bdraco Guest

    [quote:a508a0c376][i:a508a0c376]Originally posted by BlueBeBe[/i:a508a0c376]

    So is there a possibility to upgrade MySQL now?[/quote:a508a0c376]

    Run

    /scripts/updatenow
    /scripts/sysup

    to get the update.
     
  10. joana

    joana Well-Known Member

    Joined:
    Sep 29, 2001
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    16
    [quote:15b2dba7cb][i:15b2dba7cb]Originally posted by bdraco[/i:15b2dba7cb]

    [quote:15b2dba7cb][i:15b2dba7cb]Originally posted by BlueBeBe[/i:15b2dba7cb]

    So is there a possibility to upgrade MySQL now?[/quote:15b2dba7cb]

    Run

    /scripts/updatenow
    /scripts/sysup

    to get the update.
    [/quote:15b2dba7cb]
    I got S101 and ran the above.. MySQL did not upgrade.. ??
     
  11. MikeMc

    MikeMc Well-Known Member

    Joined:
    May 8, 2002
    Messages:
    161
    Likes Received:
    0
    Trophy Points:
    16
    Do you remember what was your previous version? If yes do mysql -V and it will show you the current version. If the output is 3.23.54 then I believe that you're ok(upgrade done).
     
  12. Chuck

    Chuck Member

    Joined:
    Aug 15, 2001
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Looks like that isn't working yet for RH 6.2. While running /scripts/sysup I got this:

    Retrieving http://updates.cpanel.net/pub/sysup//6.2/MySQL-client/MySQL-client-3.23.53a-1.i386.rpm
    Preparing... ########################################### [100%]
    1:MySQL-client ########################################### [100%]

    Naturally, after it completed I get this:
    [~]# mysql -V
    mysql Ver 11.18 Distrib 3.23.53a, for pc-linux-gnu (i686)

    Any chance of getting that updated soon?
     
  13. Danks

    Danks Active Member

    Joined:
    Oct 10, 2001
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    The MySQL rpms (at least the mysql-shared) for the new version are built against glibc 2.2. RH 6.2 servers generally will be running glibc 2.1. I was not able to build any rpms for 6.2 servers on a glibc 2.1 server without an error at the end. You can force the rpms to install, but it probably would be best to grab the tar.gz from mysql.com and build it manually for now.
     
  14. Bulldog

    Bulldog Registered

    Joined:
    Dec 20, 2002
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    When will it work for RH 6.2?
    Thanks.
     
  15. Bulldog

    Bulldog Registered

    Joined:
    Dec 20, 2002
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    It still doesn't work for servers using RH 6.2...
    The mention of RedHat Linux 6.2 should be removed from the list of platform support status.
     
  16. TheSpidre

    TheSpidre Active Member

    Joined:
    Mar 10, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Are these updates required for mySQL 4.0.13?

     
  17. carlgm

    carlgm Well-Known Member

    Joined:
    Mar 25, 2003
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    England, UK
    No look at the date of post. ;)

     
  18. MikeMc

    MikeMc Well-Known Member

    Joined:
    May 8, 2002
    Messages:
    161
    Likes Received:
    0
    Trophy Points:
    16
    Oops..sorry
     
    #18 MikeMc, Sep 24, 2003
    Last edited: Sep 24, 2003