MySQL Remote Information Disclosure and Buffer Overflow Vulnerabilities
BID:17780
Info
| Bugtraq ID: | 17780 |
| Class: | Unknown |
| CVE: | CVE-2006-1516 CVE-2006-1517 CVE-2006-1518 |
| Remote: | Yes |
| Local: | No |
| Published: | May 02 2006 12:00AM |
| Updated: | Jul 02 2008 08:30PM |
| Credit: | Stefano Di Paola discovered these vulnerabilities. |
| Vulnerable: |
Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Ubuntu Ubuntu Linux 5.0 4 powerpc Ubuntu Ubuntu Linux 5.0 4 i386 Ubuntu Ubuntu Linux 5.0 4 amd64 Turbolinux Turbolinux Workstation 8.0 Turbolinux Turbolinux Server 10.0 x86 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 8.0 Turbolinux Turbolinux Server 7.0 Turbolinux Turbolinux Desktop 10.0 Turbolinux Turbolinux FUJI Turbolinux Turbolinux 10 F... TurboLinux Personal TurboLinux Multimedia Turbolinux Home Turbolinux Appliance Server Workgroup Edition 1.0 Turbolinux Appliance Server Hosting Edition 1.0 Turbolinux Appliance Server 1.0 Workgroup Edition Turbolinux Appliance Server 1.0 Hosting Edition Turbolinux Appliance Server 2.0 Trustix Secure Linux 3.0 Trustix Secure Linux 2.2 Trustix Secure Enterprise Linux 2.0 Trend Micro InterScan VirusWall 8.0 TransSoft Broker FTP Server 8.0 TransSoft Broker FTP Server 7.0 SuSE SUSE Linux Enterprise Server 8 SuSE Linux Enterprise Server 9 SuSE Linux Desktop 1.0 Sun Solaris 10_x86 Sun Solaris 10_sparc Sun Solaris 10.0_x86 Sun Solaris 10.0 Sun Solaris 10 Slackware Linux 10.2 Slackware Linux 10.1 Slackware Linux 10.0 Slackware Linux 9.1 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. Open-Enterprise-Server 9.0 S.u.S.E. Novell Linux Desktop 9.0 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 9.3 x86_64 S.u.S.E. Linux Professional 9.3 S.u.S.E. Linux Professional 9.2 x86_64 S.u.S.E. Linux Professional 9.2 S.u.S.E. Linux Professional 9.1 x86_64 S.u.S.E. Linux Professional 9.1 S.u.S.E. Linux Professional 9.0 x86_64 S.u.S.E. Linux Professional 9.0 S.u.S.E. Linux Professional 10.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 9.3 x86_64 S.u.S.E. Linux Personal 9.3 S.u.S.E. Linux Personal 9.2 x86_64 S.u.S.E. Linux Personal 9.2 S.u.S.E. 
Linux Personal 9.1 x86_64 S.u.S.E. Linux Personal 9.1 S.u.S.E. Linux Personal 9.0 x86_64 S.u.S.E. Linux Personal 9.0 S.u.S.E. Linux Personal 10.1 Redhat Enterprise Linux WS 4 Redhat Enterprise Linux ES 4 Redhat Enterprise Linux AS 4 Redhat Desktop 4.0 MySQL AB MySQL 5.1.9 MySQL AB MySQL 5.0.20 MySQL AB MySQL 5.0.18 MySQL AB MySQL 5.0.4 MySQL AB MySQL 5.0.3 MySQL AB MySQL 5.0.2 MySQL AB MySQL 5.0.1 MySQL AB MySQL 5.0 .0-alpha MySQL AB MySQL 5.0 .0-0 MySQL AB MySQL 4.1.18 MySQL AB MySQL 4.1.13 MySQL AB MySQL 4.1.5 MySQL AB MySQL 4.1.4 MySQL AB MySQL 4.1.3 -beta MySQL AB MySQL 4.1.3 -beta MySQL AB MySQL 4.1.3 -0 MySQL AB MySQL 4.1.2 -alpha MySQL AB MySQL 4.1 .11 MySQL AB MySQL 4.0.26 MySQL AB MySQL 4.0.25 MySQL AB MySQL 4.0.24 MySQL AB MySQL 4.0.23 MySQL AB MySQL 4.0.21 MySQL AB MySQL 4.0.20 MySQL AB MySQL 4.0.18 MySQL AB MySQL 4.0.17 MySQL AB MySQL 4.0.15 MySQL AB MySQL 4.0.14 MySQL AB MySQL 4.0.13 MySQL AB MySQL 4.0.12 MySQL AB MySQL 4.0.11 -gamma MySQL AB MySQL 4.0.11 MySQL AB MySQL 4.0.10 MySQL AB MySQL 4.0.9 -gamma MySQL AB MySQL 4.0.9 MySQL AB MySQL 4.0.8 -gamma MySQL AB MySQL 4.0.8 MySQL AB MySQL 4.0.7 -gamma MySQL AB MySQL 4.0.7 MySQL AB MySQL 4.0.6 MySQL AB MySQL 4.0.5 a MySQL AB MySQL 4.0.5 MySQL AB MySQL 4.0.4 MySQL AB MySQL 4.0.3 MySQL AB MySQL 4.0.2 MySQL AB MySQL 4.0.1 MySQL AB MySQL 4.0 .0 MySQL AB MySQL 4.1.11a MySQL AB MySQL 4.1.10a MySQL AB MySQL 4.1.0.0-alpha MySQL AB MySQL 4.1.0-0 Mandriva Linux Mandrake 2006.0 x86_64 Mandriva Linux Mandrake 2006.0 Mandriva Linux Mandrake 10.2 x86_64 Mandriva Linux Mandrake 10.2 MandrakeSoft Multi Network Firewall 2.0 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 Gentoo Linux Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 Debian Linux 3.0 sparc Debian 
Linux 3.0 s/390 Debian Linux 3.0 ppc Debian Linux 3.0 mipsel Debian Linux 3.0 mips Debian Linux 3.0 m68k Debian Linux 3.0 ia-64 Debian Linux 3.0 ia-32 Debian Linux 3.0 hppa Debian Linux 3.0 arm Debian Linux 3.0 alpha Debian Linux 3.0 Avaya Interactive Response 3.0 Avaya Interactive Response 2.0 Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.4.3 Apple Mac OS X Server 10.4.2 Apple Mac OS X Server 10.4.1 Apple Mac OS X Server 10.4 |
| Not Vulnerable: |
MySQL AB MySQL 5.1.10 MySQL AB MySQL 5.0.21 MySQL AB MySQL 4.1.19 MySQL AB MySQL 4.0.27 Apple Mac OS X Server 10.4.9 |
Discussion
MySQL is prone to multiple remote vulnerabilities:
1. A buffer-overflow vulnerability occurs because the software fails to perform sufficient boundary checks of user-supplied data before copying it to an insufficiently sized memory buffer. This issue allows remote attackers to execute arbitrary machine code in the context of affected database servers. Failed exploit attempts will likely crash the server, denying further service to legitimate users.
2. Two information-disclosure vulnerabilities occur because the software fails to sufficiently sanitize and check boundaries of user-supplied data. These issues allow remote users to gain access to potentially sensitive information that may aid in further attacks.
Exploit / POC
The following exploit code is available:
Solution / Fix
Solution:
The vendor has released MySQL 5.0.21 to address these issues. MySQL 4.0.27, 4.1.19, and 5.1.10 are also scheduled to be released in the future.
Please see the referenced advisories for information on obtaining and applying fixes.
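A version check built from the fixed releases named above, as an added example that is not part of the original advisory: it classifies a reported MySQL version string against the first fixed release of its branch (4.0.27, 4.1.19, 5.0.21, 5.1.10). It assumes every earlier release in those four branches is affected; the function names and the sample strings are constructed for illustration.

```python
import re

# First fixed patch level per release branch, from the advisory's
# "Not Vulnerable" list: 4.0.27, 4.1.19, 5.0.21, 5.1.10.
FIXED = {(4, 0): 27, (4, 1): 19, (5, 0): 21, (5, 1): 10}

# Finds the first "major.minor.patch" in strings such as "5.0.20-log",
# "4.1.11a" or a full `mysqld --version` banner.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) found in text, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Classify a reported MySQL version against BID 17780.

    Returns "vulnerable", "fixed", or "unknown" (no version found, or a
    release branch the advisory does not list).
    Assumption: all releases below the fixed one in a listed branch
    are affected.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    major, minor, patch = version
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "unknown"
    return "fixed" if patch >= fixed_patch else "vulnerable"


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "5.0.20-log",
    "5.0.21",
    "4.1.11a",
    "mysqld  Ver 4.0.27 for pc-linux-gnu on i686",
    "5.1.9-beta",
    "3.23.58",
    "not a version",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:50} {classify(sample)}")
```

The check looks only at the upstream version number, so it reports distribution packages that carry a backported fix under an older version (such as the Mandriva and SuSE 4.0.18 packages listed below) as vulnerable; confirm those against the package release instead.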
Apple Mac OS X Server 10.4
- Apple Mac OS X v10.4.9
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.1
- Apple Mac OS X v10.4.9
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.3
- Apple Mac OS X v10.4.9
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.4
- Apple Mac OS X v10.4.9
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.5
- Apple Mac OS X v10.4.9
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.7
- Apple Mac OS X v10.4.9
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.8
- Apple Mac OS X v10.4.9
  http://www.apple.com/support/downloads/
MySQL AB MySQL 4.0.18
- Mandriva lib64mysql12-4.0.18-1.9.C30mdk.x86_64.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva lib64mysql12-devel-4.0.18-1.9.C30mdk.x86_64.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva libmysql12-4.0.18-1.9.C30mdk.i586.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva libmysql12-4.0.18-1.9.M20mdk.i586.rpm
  Multi Network Firewall 2.0:
  http://www.mandriva.com/en/download
- Mandriva libmysql12-devel-4.0.18-1.9.C30mdk.i586.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-4.0.18-1.9.C30mdk.i586.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-4.0.18-1.9.C30mdk.src.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-4.0.18-1.9.C30mdk.x86_64.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-4.0.18-1.9.M20mdk.src.rpm
  Multi Network Firewall 2.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-bench-4.0.18-1.9.C30mdk.i586.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-bench-4.0.18-1.9.C30mdk.x86_64.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-client-4.0.18-1.9.C30mdk.i586.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-client-4.0.18-1.9.C30mdk.x86_64.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-common-4.0.18-1.9.C30mdk.i586.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-common-4.0.18-1.9.C30mdk.x86_64.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-Max-4.0.18-1.9.C30mdk.i586.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- Mandriva MySQL-Max-4.0.18-1.9.C30mdk.x86_64.rpm
  Mandriva Linux Corporate 3.0:
  http://www.mandriva.com/en/download
- SuSE mysql-4.0.18-32.23.i586.rpm
  SUSE LINUX 9.1:
  ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mysql-4.0.18-32.23.i586.rpm
- SuSE mysql-4.0.18-32.23.x86_64.rpm
  SUSE LINUX 9.1:
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mysql-4.0.18-32.23.x86_64.rpm
- SuSE mysql-Max-4.0.18-32.26.i586.rpm
  SUSE LINUX 9.1:
  ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mysql-Max-4.0.18-32.26.i586.rpm
- SuSE mysql-Max-4.0.18-32.26.x86_64.rpm
  SUSE LINUX 9.1:
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mysql-Max-4.0.18-32.26.x86_64.rpm
MySQL AB MySQL 4.1.13
- SuSE mysql-4.1.13-3.4.i586.rpm
  SUSE LINUX 10.0:
  ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/mysql-4.1.13-3.4.i586.rpm
- SuSE mysql-4.1.13-3.4.ppc.rpm
  SUSE LINUX 10.0:
  ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/mysql-4.1.13-3.4.ppc.rpm
- SuSE mysql-4.1.13-3.4.ppc64.rpm
  SUSE LINUX 10.0:
  ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc64/mysql-4.1.13-3.4.ppc64.rpm
- SuSE mysql-4.1.13-3.4.x86_64.rpm
  SUSE LINUX 10.0:
  ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/mysql-4.1.13-3.4.x86_64.rpm
- Trustix mysql-4.1.15-2tr.i586.rpm
  TSL 3.0 mysql
  ftp://ftp.trustix.org/pub/trustix/updates
- Trustix mysql-bench-4.1.15-2tr.i586.rpm
  TSL 3.0 mysql
  ftp://ftp.trustix.org/pub/trustix/updates
- Trustix mysql-client-4.1.15-2tr.i586.rpm
  TSL 3.0 mysql
  ftp://ftp.trustix.org/pub/trustix/updates
- Trustix mysql-devel-4.1.15-2tr.i586.rpm
  TSL 3.0 mysql
  ftp://ftp.trustix.org/pub/trustix/updates
- Trustix mysql-libs-4.1.15-2tr.i586.rpm
  TSL 3.0 mysql
  ftp://ftp.trustix.org/pub/trustix/updates
- Trustix mysql-shared-4.1.15-2tr.i586.rpm
  TSL 3.0 mysql
  ftp://ftp.trustix.org/pub/trustix/updates
MySQL AB MySQL 5.0.2
- MySQL AB mysql-5.0.21.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.21.tar.gz/from/pick
MySQL AB MySQL 5.0.20
- MySQL AB mysql-5.0.21.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.21.tar.gz/from/pick
References
References:
- Changes in release 4.0.27 (MySQL)
- Changes in release 4.1.19 (MySQL)
- Changes in release 5.0.21 (MySQL)
- Changes in release 5.1.10 (MySQL)
- MySQL Homepage (Oracle)
- RHSA-2006:0544-6 - mysql security update (Red Hat)
- MySQL COM_TABLE_DUMP Information Leakage and Arbitrary command execution. (Stefano Di Paola)
- MySQL Anonymous Login Handshake - Information Leakage. (Stefano Di Paola)
- 236703 Multiple Security Vulnerabilities May Affect MySQL 4.0.x Bundled With Sol (Sun Microsystems)
- ASA-2008-187 (Avaya)