exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

mysqlExec.txt

mysqlExec.txt
Posted May 5, 2006
Authored by Stefano Di Paola | Site wisec.it

MySQL server versions 5.0.20 and below suffer from information leakage and arbitrary command execution flaws.

tags | advisory, arbitrary
SHA-256 | 73926f323fd235433143abd52ed6b9430e45c62875f010bf2cd9188857a7813d

mysqlExec.txt

Change Mirror Download
~.oOOo.   MySQL COM_TABLE_DUMP  .oOOo.~

Information Leakage and Arbitrary command execution
==============================

- Summary:

MySQL Server has an information leakage flaw, if a malicious client
sends a specific forged packet.
Moreover some particular input can crash the server by
overwriting the stack, which could lead to remote server compromise.


.The information Leakage (<=5.0.20, <= 4.0.26, <= 4.1.18, <= 5.1.?)-

Abstract:
An authenticated user could read random memory from MySQL server, by
taking advantage of a non checked packet length.


.The server compromise (<=5.0.20 - yes, only 5.x branch - 5.1.x not
tested) -

Abstract:
An authenticated user could remotely execute arbitrary commands by
taking advantage of a stack overflow.


A Proof of Concept is Attached for all these issues.
Tested on: Debian 3.1 - IA32.

A little Note:
To take advantage of these flaws an attacker should have direct access
to MySQL server communication layer (port 3306 or unix socket).
But if used in conjuction with some web application flaws
(i.e. php code injection) an attacker could use socket programming
(i.e. php sockets) to gain access to that layer.

====================================================

== Description - The COM_TABLE_DUMP Information Leakage:

Author: Stefano Di Paola
Vulnerable: Mysql <= 4.0.26, 4.1.18,5.0.20
Type of Vulnerability: Local/Remote - Information Leakage
Tested On : Debian 3.1 - IA32.
Vendor Status: Notified on April, 25th 2006, Confirmed on April, 26th
2006, New versions released on 2nd May 2006.
Fixed: Update to 4.0.27, 4.1.19, 5.0.21, 5.1.10 versions.


COM_TABLE_DUMP, as described in MySQL manual is
"used by slave server to get master table"

A deep look on it shows that MySQL server waits for a forged packet
in the following way:

packlen ,0x00 ,0x00 ,0x00 ,COM_TABLE_DUMP(0x13)

and then:

dblen, db_name , tbllen , tblname


the extracted code is:
sql/sql_parse.cc: line: ~1589

case COM_TABLE_DUMP:
{
char *db, *tbl_name;
uint db_len= *(uchar*) packet;
uint tbl_len= *(uchar*) (packet + db_len + 1);

statistic_increment(thd->status_var.com_other, &LOCK_status);
thd->enable_slow_log= opt_log_slow_admin_statements;
db= thd->alloc(db_len + tbl_len + 2);
if (!db)
{
my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0));
break;
}
tbl_name= strmake(db, packet + 1, db_len)+1;
strmake(tbl_name, packet + db_len + 2, tbl_len);

mysql_table_dump(thd, db, tbl_name, -1);
break;

}


Packet should be something like this:
03 00 00 00 13 1 73 2f 1 74

to ask for table 't' on db 's'.

But as you can see there is no check for packet, so
if we craft a packet like this:

03 00 00 00 13 len 73

we will get an error response

like this:
z^D#42S02Table 's.^D#42S02Table 's.z^D#42S02Table 's.' doesn't
exist'NULL'' doesn't ' doesn't exist

depending on len value and memory content.

what happens?
Here:
tbl_len = *(uchar*) (packet + db_len + 1);

takes some value beyond packet len and then with:

strmake(tbl_name, packet + db_len + 2, tbl_len);

memory content is copied by tbl_len in tbl_name or until it find a
'\0'

so when this random name is not found Server will send back an error
with some random internal memory content.

This, of course can expose parts of queries and or response executed by
some previously logged user.

The Vendor fix:

bugs are fixed in 4.0.27, 4.1.19, 5.0.21, 5.1.10.


====================================================

- Description - The COM_TABLE_DUMP server compromise:

Author: Stefano Di Paola
Vulnerable: Mysql <= 5.0.20 - yes, only 5.x branch
Type of Vulnerability: Local/Remote - Input Validation - Server
compromise
Tested On : Debian 3.1 - IA32.
Vendor Status: Notified on April, 25th 2006, Confirmed on April, 26th
2006, New versions released on 2nd May 2006.
Fixed: Update to 4.0.27, 4.1.19, 5.0.21, 5.1.10 versions.

With the same previous vulnerability, a malicious (authenticated) user
could remotely execute arbitrary commands.

Let's see how:

On sql/sql_base.cc line: ~1090:

TABLE *open_table(THD *thd, TABLE_LIST *table_list, MEM_ROOT *mem_root,
bool *refresh, uint flags)
{
reg1 TABLE *table;
char key[MAX_DBKEY_LENGTH];
uint key_length;
char *alias= table_list->alias;
HASH_SEARCH_STATE state;
DBUG_ENTER("open_table");
DBUG_PRINT("info", ("table_list:%x thd:%x %s",
table_list,thd,table_list->alias));
/* find a unused table in the open table cache */
if (refresh)
*refresh=0;

/* an open table operation needs a lot of the stack space */
if (check_stack_overrun(thd, STACK_MIN_SIZE_FOR_OPEN, (char *)&alias))
return 0;

if (thd->killed)
DBUG_RETURN(0);
key_length= (uint) (strmov(strmov(key, table_list->db)+1,
table_list->table_name)-key)+1;
int4store(key + key_length, thd->server_id);
int4store(key + key_length + 4, thd->variables.pseudo_thread_id);


By sending a triple of commands,

1. A select with the payload.

2-3. Two COM_TABLE_DUMP packets:

0x03, 0x00, 0x00, 0x00, 0x13, 0x02 , 0x73

that is db_len=2 and tbl_len is a memory value beyond the packet,

the two 'strmov' will, as the third COM_TABLE_DUMP packet is received by
the server, overwrite a lot of memory, and a good part of the stack
too...

The rest is kind of hacking to get the stack be aligned for jumping to
the right address..
so i won't go deep in this technique (a lot of gdb helped very much).


To get this exploit work we need to know one address:

the thread struct address (thd).

We should know table_list address too, but i found mine is always
0x1f548 far from thd,so is automatically computed.

We need these address, because they are overwrited too, and the
shellcode depends by
table_list->alias address.

Of course there will be more sofisticated approaches,
but, hey, this was done as a Poc not as a ready run-n-crack
program for kiddies. :)


The Vendor fix:

bugs are fixed in 4.0.27, 4.1.19, 5.0.21, 5.1.10.

You can download them on http://dev.mysql.com/downloads/


============

==COM_TABLE_DUMP poc :

my_com_table_dump_exploit.c

You can compile :

gcc -Imysql-5.0.20-src/include/ my_com_table_dump_exploit.c
-Lmysql-5.0.20/lib/mysql/
-lmysqlclient -o my_exploit

and then

my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s
socket]|[-h host][-p port]][-x]

-H: this Help;
-i: Information leakage exploit (shows the content of MySql Server
Memory)
-x: shows c/s communication output in hexadecimal
-t: hexadecimal table_list struct address (by default we try to find it
automatically)
-a: hexadecimal thread struct address (look at the error log to see
something like: thd=0x8b1b338)
-u: mysql username (anonymous too ;)
-p: mysql userpass (if you need it)
-s: the socket path if is a unix socket
-h: hostname or IP address
-P: port (default 3306)


Example_1 - Information leakage:

my_exploit -s socketpath -u username -i

Example_2 - Remote Shell on port 2707:

my_exploit -h 127.0.0.1 -u username -a 0x8b1f468

and then on another shell

$ nc 127.0.0.1 2707
id
uid=78(mysql) gid=78(mysql) groups=78(mysql)
^D
$


Regards,
Stefano

--

......---oOOo--------oOOo---......
Stefano Di Paola
Software Engineer
Email: stefano.dipaola_at_wisec.it
Email: stefano.dipaola1_at_tin.it
Web: www.wisec.it
..................................
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close