-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Buffer Overflow in MySQL User Defined Functions AppSecInc Team SHATTER Security Advisory MYSQL05-V0002 http://www.appsecinc.com/resources/alerts/mysql/2005-002.html August 08, 2005 Risk level: LOW Credits: This vulnerability was discovered and researched by Reid Borsuk of Application Security Inc. Affected Versions: ALL Background: User-defined functions in MySQL allow a user in the database to call binary libraries on the operating system. Creating a user-defined function requires insert privileges on the mysql.func table. Details: The init_syms() function uses an unsafe string function to copy a user specified string into a stack based buffer. Due to improper sanitation this buffer is able to be overflowed, overwriting portions of the stack. This allows an attacker to write 14 bytes of arbitrary data and 8 bytes of hard coded data beyond the end of the buffer. The format of the CREATE FUNCTION statement is as follows: CREATE FUNCTION function_name RETURNS type SONAME "library_name" User specified input to the "function_name" field is limited to 64 characters. If this library can be successfully loaded by the operating system, control is then passed to init_syms(). This will attempt to copy the user string into a buffer 50 bytes in length. Hard coded strings are then copied onto the end of this string. In some older versions of MySQL this can be used to gain complete control over the EIP or copy attacker specified data to an arbitrary location. One issue of concern is because this buffer is owned by the calling function, in an environment with a stack that grows upwards, it may be possible to overwrite the EIP return or other sensitive values. Exploiting this vulnerability would require the ability to create user-defined functions. This is not typically granted to untrusted users, however given this vulnerability you should understand the ramifications of granting the ability to create user-defined functions. Workaround: Restrict access to create user-defined functions. Vendor Status: Vendor was contacted and a patch was released. Fix: MySQL versions 4.0.25, 4.1.13, or 5.0.7-beta have been patched. These products can be found here: http://dev.mysql.com/downloads/ Links: Application Security, Inc advisory: http://www.appsecinc.com/resources/alerts/mysql/2005-002.html - -- _____________________________________________ Application Security, Inc. www.appsecinc.com AppSecInc is the leading provider of database security solutions for the enterprise. AppSecInc products proactively secure enterprise applications at more than 300 organizations around the world by discovering, assessing, and protecting the database against rapidly changing security threats. By securing data at its source, we enable organizations to more confidently extend their business with customers, partners and suppliers. Our security experts, combined with our strong support team, deliver up-to-date application safeguards that minimize risk and eliminate its impact on business. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFC997K/0w1dSVRt4URAm0zAJsFxff2Iao2DYy5Lt241b0wMI1OSQCgug0w OOkeHvqgfNX6BQo0/JyJ+ds= =dRCv -----END PGP SIGNATURE-----
This archive was generated by hypermail 2.1.3 : Mon Aug 08 2005 - 18:29:02 PDT