KSR[T] Security Advisories
http://www.ksrt.org
ksrtat_private

---

KSR[T] Advisory #010
Date: Feb. 15, 1999
ID #: msql-info-010

Affected Program: mSQL (Mini SQL) 2.0.6 and below

Operating System(s): UNIX (Not vendor specific)

Summary: Remote attackers could potentially gain read and/or access to
databases by retrieving authentication information that is displayed in
the response to a remote statistics query.

Problem Description: mSQL is a database engine (available from
http://www.hughes.com.au) that supports a subset of the ANSI SQL query
specifications. If remote access is enabled (as of 2.0.4.1 remote access
is disabled by default) a remote user can retrieve sensitive information.
By sending a ServerStats request, a remote attacker can view the
following information about the msqld process:

1. The connection table

   This table is a 'finger' like display of users connected to the
   server, which databases they are accessing, what hosts they are
   accessing the server from, and other less critical pieces of
   information. Since mSQL uses either host based and/or user based
   authentication, this table reveals all of the necessary components to
   access a particular database. This is only true if a user is accessing
   a database at the time of a query.

2. The server version

   This allows an attacker to determine if a machine is running a
   vulnerable version of mSQL.

3. The current and maximum number of connections

   These two pieces of information can be used to launch an efficient
   denial of service attack.

4. The user name and user id of the msqld process

   These two pieces of information provide information about the
   underlying operating system.

Compromise: If host based access control is disabled, a remote attacker
can use the user names listed in the connection table to access
databases. If host based access control is enabled, a remote attacker
could launch a more complex attack (like DNS cache poisoning) to access
mSQL databases.

Notes: We would like to thank David J. Hughes and Window Snyder for their
assistance with this advisory.

Patch/Fix: The latest version of mSQL (2.0.7) scheduled for release on
February 15th, 1999 has disabled remote statistics gathering.
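
Added example (not part of the KSR[T] advisory and not mSQL code): a small triage helper that classifies an installation from its version string and configuration text, using the advisory's three facts (2.0.6 and below affected, remote access off by default as of 2.0.4.1, 2.0.7 fixed). The Remote_Access key name, the "key = value" syntax with "#" comments, and the reading that releases before 2.0.4.1 allowed remote access by default are assumptions to check against the real configuration file.

```python
import re

FIXED = (2, 0, 7)                # advisory: 2.0.7 disables remote statistics
DEFAULT_OFF_FROM = (2, 0, 4, 1)  # advisory: remote access off by default from here

def parse_version(text):
    """Turn '2.0.4.1' into (2, 0, 4, 1) so comparison is numeric, not lexical."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def remote_access_setting(conf_text):
    """Return True/False if the config sets remote access explicitly, else None.
    ASSUMPTION: key is 'Remote_Access', syntax is 'key = value', '#' starts a comment."""
    setting = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.fullmatch(r"(?i)remote_access\s*=\s*(\w+)", line)
        if match:  # last occurrence wins
            setting = match.group(1).lower() in ("true", "yes", "on", "1")
    return setting

def assess(version_text, conf_text=""):
    """Classify one server as 'fixed', 'exposed' or 'affected-local-only'."""
    version = parse_version(version_text)
    if version >= FIXED:
        return "fixed"
    explicit = remote_access_setting(conf_text)
    if explicit is None:
        # ASSUMPTION: releases before 2.0.4.1 allowed remote access by default.
        remote = version < DEFAULT_OFF_FROM
    else:
        remote = explicit
    return "exposed" if remote else "affected-local-only"

# Constructed inventory for illustration: (host label, version, config text).
SAMPLE_INVENTORY = [
    ("db-a", "2.0.3", ""),
    ("db-b", "2.0.6", "[system]\nRemote_Access = true\n"),
    ("db-c", "2.0.4.1", "[system]\nRemote_Access = False  # local only\n"),
    ("db-d", "2.0.10", ""),
]

if __name__ == "__main__":
    for host, version, conf in SAMPLE_INVENTORY:
        print(f"{host:6} {version:8} {assess(version, conf)}")
```

"exposed" means an affected release with remote access enabled, the only case in which the advisory says the ServerStats data can be retrieved remotely.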