BID:23911

MySQL IF Query Handling Remote Denial Of Service Vulnerability

Info

MySQL IF Query Handling Remote Denial Of Service Vulnerability

Bugtraq ID:	23911
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2007-2583
Remote:	Yes
Local:	No
Published:	Mar 09 2007 12:00AM
Updated:	Mar 19 2015 08:25AM
Credit:	Neil Kettle is credited with the discovery of this vulnerability.
Vulnerable:	Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Trustix Secure Linux 3.0.5 SuSE SUSE Linux Enterprise Server 9 SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise SDK 10 SP1 SuSE Suse Linux Enterprise Desktop 10 SP1 SuSE Linux Desktop 1.0 SuSE Linux 10.1 x86-64 SuSE Linux 10.1 x86 SuSE Linux 10.1 ppc SuSE Linux 10.0 x86-64 SuSE Linux 10.0 x86 SuSE Linux 10.0 ppc S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.3 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9.0 rPath rPath Linux 1 Redhat Enterprise Linux Desktop Workstation 5 client Redhat Enterprise Linux Desktop 5 client Redhat Enterprise Linux 5 Server Pardus Linux 2007.1 MySQL AB MySQL 5.0.39 MySQL AB MySQL 5.0.38 MySQL AB MySQL 5.0.37 MySQL AB MySQL 5.0.36 MySQL AB MySQL 5.0.33 MySQL AB MySQL 5.0.32 MySQL AB MySQL 5.0.27 MySQL AB MySQL 5.0.24 MySQL AB MySQL 5.0.22 -1-0.1 MySQL AB MySQL 5.0.22 MySQL AB MySQL 5.0.21 MySQL AB MySQL 5.0.20 MySQL AB MySQL 5.0.19 MySQL AB MySQL 5.0.18 MySQL AB MySQL 5.0.4 MySQL AB MySQL 5.0.3 MySQL AB MySQL 5.0.2 MySQL AB MySQL 5.0.1 MySQL AB MySQL 5.0 .0-alpha MySQL AB MySQL 5.0 .0-0 MySQL AB MySQL 5.0 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 4.0 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0

Not Vulnerable:	MySQL AB MySQL 5.0.40

Discussion

MySQL IF Query Handling Remote Denial Of Service Vulnerability

MySQL is prone to a remote denial-of-service vulnerability because it fails to handle certain specially crafted queries.

An attacker can exploit this issue to crash the application, denying access to legitimate users.

NOTE: An attacker must be able to execute arbitrary SELECT statements against the database to exploit this issue. This may be through legitimate means or by exploiting other latent SQL-injection vulnerabilities.

Versions prior to MySQL 5.0.40 are vulnerable.

Exploit / POC

MySQL IF Query Handling Remote Denial Of Service Vulnerability

The following proof-of-concept statement is available:

SELECT id from example WHERE id IN(1, (SELECT IF(1=0,1,2/0)));

Solution / Fix

MySQL IF Query Handling Remote Denial Of Service Vulnerability

Solution:
The vendor has released MySQL 5.0.40 to address this issue. Please see the references for more information.

MySQL AB MySQL 5.0