MySQL 3.23.54a can be crashed with an exploit for 3.23.53


Dennis Kruyt

Jan 21, 2003, 8:46:11 AM
Hi,

When I try the hoagie_mysql exploit from http://void.at/releases.html
on a 3.23.54a MySQL server (which should be safe) then I can crash the
database with this.

How did I do it?

I start hoagie_mysql with a valid db user (not root). Then press ctrl-c
(abort) and start the tool again. Now the tool has reported that the
attack has failed. But the MySQL db is restarted if I look in the error
log and some normal connections to the database then will fail. I have
tried it on several servers with success.

###

packages:/opt/pkgs# ./hoagie_mysql -u qwerty -p ytrewq
connecting to [localhost] as [qwerty] ... ok
sending one byte requests with user [root] ...

[CTRL-C]

packages:/opt/pkgs# ./hoagie_mysql -u qwerty -p ytrewq
connecting to [localhost] as [qwerty] ... ok
sending one byte requests with user [root] ...
attack failed

### Mysql.err log:

030121 12:36:16 mysqld restarted
030121 12:36:17 InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections
mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail

key_buffer_size=16773120
record_buffer=131072
sort_buffer=524280
max_used_connections=0
max_connections=100
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (record_buffer + sort_buffer)*max_connections = 80379 K
bytes of memory
Hope that's ok, if not, decrease some variables in the equation

Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Stack range sanity check OK, backtrace follows:
0x80c46b4
0x40022f54
0x4014847a
0x40148074
0x829039e
0x829086d
0x80af85d
0x80c9c26
Stack trace seems successful - bottom reached
Please read http://www.mysql.com/doc/U/s/Using_stack_trace.html and
follow instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at (nil) is invalid pointer
thd->thread_id=2

Successfully dumped variables, if you ran with --log, take a look at the
details of what thread 2 did to cause the crash. In some cases of really
bad corruption, the values shown above may be invalid

The manual page at http://www.mysql.com/doc/C/r/Crashing.html contains
information that should help you find out what is causing the crash

Number of processes running now: 0
030121 12:37:56 mysqld restarted
030121 12:37:57 InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections


packages:~# mysqld --version
mysqld Ver 3.23.54 for pc-linux on i686


mysql> select * from db;
+--------------+--------+--------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+
| Host         | Db     | User   | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+--------------+--------+--------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+
| 192.168.1.76 | qwerty | qwerty | Y           | Y           | Y           | Y           | Y           | Y         | N          | N               | Y          | Y          |
| localhost    | qwerty | qwerty | Y           | Y           | Y           | Y           | Y           | Y         | N          | N               | Y          | Y          |
| packages     | qwerty | qwerty | Y           | Y           | Y           | Y           | Y           | Y         | N          | N               | Y          | Y          |
+--------------+--------+--------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+
3 rows in set (0.00 sec)

mysql> select * from user;
+--------------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| Host         | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+--------------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| localhost    | root   | 5fcc735428e45938 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          |
| packages     | root   | 5fcc735428e45938 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          |
| 192.168.1.76 | qwerty | 492dda525cdd081f | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
| localhost    | qwerty | 492dda525cdd081f | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
| packages     | qwerty | 492dda525cdd081f | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
+--------------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
5 rows in set (0.00 sec)


Regards,

Dennis Kruyt

---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail <mysql-thr...@lists.mysql.com>
To unsubscribe, e-mail <mysql-unsubscribe-##L=##H...@lists.mysql.com>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
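A defender-side triage helper, added here and not part of the thread or of MySQL: it checks a `mysqld --version` banner against the 3.23.55 release that the reply below names as carrying the fix, and pulls the signal-11 crash records (signal, thread id, following restart) out of a mysql.err excerpt like the one above.

```python
"""Triage helpers for the two artefacts quoted in the post: the
'mysqld --version' banner and the mysql.err crash block. Constructed
example; FIXED_VERSION is the 3.23.55 release named as fixed."""
import re

FIXED_VERSION = (3, 23, 55)

def parse_version(banner):
    """Return (major, minor, patch) from 'mysqld Ver 3.23.54 for ...'."""
    m = re.search(r"Ver (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version in banner: %r" % banner)
    return tuple(int(x) for x in m.groups())

def needs_upgrade(banner, fixed=FIXED_VERSION):
    """True when the running server predates the release with the fix."""
    return parse_version(banner) < fixed

def find_crashes(log_text):
    """One record per 'mysqld got signal N;' block: the signal, the
    thread id from the variable dump and the restart that followed."""
    crashes, current = [], None
    for line in log_text.splitlines():
        sig = re.match(r"mysqld got signal (\d+);", line)
        if sig:
            current = {"signal": int(sig.group(1)),
                       "thread_id": None, "restarted": None}
            crashes.append(current)
            continue
        if current is None:
            continue  # normal startup lines before any crash
        tid = re.match(r"thd->thread_id=(\d+)", line)
        if tid:
            current["thread_id"] = int(tid.group(1))
        rst = re.match(r"(\d{6} \d\d:\d\d:\d\d) mysqld restarted", line)
        if rst:
            current["restarted"] = rst.group(1)
            current = None  # block closed by the automatic restart
    return crashes

# Constructed sample: the relevant lines of the mysql.err excerpt above.
SAMPLE_LOG = """\
030121 12:36:16 mysqld restarted
mysqld got signal 11;
thd->query at (nil) is invalid pointer
thd->thread_id=2
030121 12:37:56 mysqld restarted
"""
```

Run it against the full error log to count how often the server has been auto-restarted after a signal 11, which is the only trace a failed-looking run of the tool leaves behind.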

Sergei Golubchik

Jan 21, 2003, 10:35:55 AM
Hi!

On Jan 21, Dennis Kruyt wrote:
> Hi,
>
> When I try the hoagie_mysql exploit from http://void.at/releases.html
> on a 3.23.54a MySQL server (which should be safe) then I can crash the
> database with this.
>
> How did I do it?
>
> I start hoagie_mysql with a valid db user (not root). Then press ctrl-c
> (abort) and start the tool again. Now the tool has reported that the
> attack has failed. But the MySQL db is restarted if I look in the error
> log and some normal connections to the database then will fail. I have
> tried it on several servers with success.

You should've contacted us (using secu...@mysql.com) first
so we'd be able to release a fixed version :(

Anyway, this is fixed. 3.23.55 will be released soon.
For the impatient, there's our bk tree, available publicly.

Thanks for the bug report.

Regards,
Sergei

--
MySQL Development Team
Sergei Golubchik <se...@mysql.com>
MySQL AB, http://www.mysql.com/
Osnabrueck, Germany

