MySQL Vulnerabilities

Updated 4/29/03
CAN 1999-0652
CAN 2002-1373
CAN 2002-1374
CAN 2002-1375
CAN 2003-0073
CAN 2003-0150

Impact

A remote attacker could crash the database service or gain administrative access to the database server.

Background

MySQL is an open-source database server available for many platforms.

The Problems


MySQL Authentication vulnerability

12/19/02
CAN 2002-1374
The MySQL server's authentication mechanism works by checking the password provided by the client, but only up to the number of characters provided by the client. Normally this does not present a problem because recent versions of MySQL require the provided password to be eight characters long. However, this safeguard is not applied to the COM_CHANGE_USER command. Thus, an authenticated database user could log in as any other user (including the root account) by correctly providing as little as one character of the correct password. Since there are only 32 possible characters, the attacker would gain access in 32 attempts or fewer.

CAN 2002-1375
Furthermore, by supplying a password which is over 16 characters, an attacker could create a stack buffer overflow, and possibly overwrite the return pointer with randomly generated data. Since the new return pointer would be random, this buffer overflow would be difficult to exploit, but not impossible on Linux systems.

MySQL 3.23.53a and earlier and MySQL 4.0 through 4.0.5a are affected by these vulnerabilities.
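The core defect described above is a password comparison bounded by a length the client chooses. The following is an added illustration, not MySQL's own code: a hypothetical check_scramble_truncated() reproduces the vulnerable pattern, and check_scramble_fixed() shows the corrected pattern, which requires the full expected length (so neither a short prefix nor an over-long buffer, the CAN 2002-1375 angle, is accepted) and compares every byte. The stored scramble value is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length the server expects for a scrambled password; the advisory notes that
 * recent versions required eight characters. Constructed sample value. */
#define SCRAMBLE_LEN 8
static const char STORED_SCRAMBLE[SCRAMBLE_LEN + 1] = "k3p0q9zx";

/* Vulnerable pattern (hypothetical): compare only as many bytes as the
 * client sent. A client_len of 1 succeeds if the first character matches,
 * and a client_len larger than SCRAMBLE_LEN reads past the stored buffer. */
int check_scramble_truncated(const char *client, size_t client_len)
{
    return memcmp(STORED_SCRAMBLE, client, client_len) == 0;
}

/* Fixed pattern (hypothetical): reject any length other than SCRAMBLE_LEN
 * before touching the buffers, then compare every byte without an early
 * exit so partial matches leak neither through length nor through timing. */
int check_scramble_fixed(const char *client, size_t client_len)
{
    if (client_len != SCRAMBLE_LEN)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < SCRAMBLE_LEN; i++)
        diff |= (unsigned char)(STORED_SCRAMBLE[i] ^ client[i]);
    return diff == 0;
}

int main(void)
{
    /* One correct leading character: the truncated check accepts it,
     * the fixed check does not. */
    printf("prefix 'k'   truncated=%d fixed=%d\n",
           check_scramble_truncated("k", 1), check_scramble_fixed("k", 1));
    /* Full correct value is accepted by both. */
    printf("full value   truncated=%d fixed=%d\n",
           check_scramble_truncated("k3p0q9zx", 8),
           check_scramble_fixed("k3p0q9zx", 8));
    /* Over-long input is rejected outright by the fixed check. */
    printf("17 bytes     fixed=%d\n",
           check_scramble_fixed("k3p0q9zxAAAAAAAAA", 17));
    return 0;
}
```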


Modification of MySQL process ownership

4/29/03
CAN 2003-0150
The privileges with which the MySQL server runs are set in the MySQL configuration. By default, MySQL reads a configuration file called my.cnf in each data directory, which overrides the parameters present in the global configuration file, /etc/my.cnf. By creating a database and using the INSERT INTO and SELECT * INTO OUTFILE SQL commands, any MySQL user could create a my.cnf file containing arbitrary parameters. By setting the user parameter to root within this file and then waiting for the MySQL server to restart, the user could cause MySQL to run with root privileges. In combination with other possible vulnerabilities, this could allow the user to gain root access to the system. MySQL prior to 3.23.56 is affected by this vulnerability.


Pointer double-free denial of service

2/11/03
CAN 2003-0073
A problem in the mysql_change_user function in MySQL versions prior to 3.23.55 could cause the same memory buffer to be deallocated twice. This could allow a remote attacker to crash the MySQL service.


Signed Integer denial of service

12/19/02
CAN 2002-1373
MySQL 3.23.53a and earlier and MySQL 4.0 through 4.0.5a are affected by a signed integer vulnerability. A negative length value could be used to cause a large amount of memory to be copied onto the heap, resulting in a crash or an endless loop of segmentation faults, leading to a denial of service.

Resolution

Upgrade to MySQL 3.x version 3.23.56 or higher, or any version higher than 4.0.5.

Where can I read more about this?

The authentication and signed integer vulnerabilities were reported in E-Matters Security Advisory 04/2002.

The double-free vulnerability was reported in the MySQL 3.23.55 release notes.

The process ownership modification vulnerability was posted to Bugtraq.