| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+CewVBC=d+ukyZt9ez7REJ_9PdVcGPip8apHCZLxn3OZ2U0PQ@mail.gmail.com>
Date: Wed, 7 Oct 2015 13:44:34 +0100
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: bugtraq@...urityfocus.com
Subject: Advanced Information Security Corporation, Security Advisory
(Oracle's MYSQL v5.6.24 Latest - Buffer Overflows) Repost
===========================================================
Advanced Information Security Corporation
Security Advisory
===========================================================
a888b.
d888888b.
8P"YP"Y88
8|o||o|88
8' - .88
8`._.' Y8.
d/ `8b.
dP . Y8b.
d8:' " `::88b
d8" 'Y88b
:8P ' :888
8a. : _a88P
._/"Yaa_: .| 88P|
\ YP" `| 8P `.
/ \.___.d| .'
`--..__)888P`._.'
~ Keeping Things Simple!
MySQL v5.6.24 BUFFER OVERFLOWS
Date: 07/10/2015
Author: Nicholas Lemonias
============================================================
=========================
SUMMARY
=========================
During a manual source code audit of MYSQL Version 5.6.24, various
buffer overflow issues have been realized.
===================
TECHNICAL DETAILS
===================
root@...v8: ~# /usr/bin/mysql_plugin `perl -e 'print “A” x 9000'`
*** buffer overflow detected ***: mysql_plugin terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c6f3)[0xb720d6f3]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__fortify_fail+0x45)[0xb729b2d5]
/lib/1386-linux-gnu/1686/cmov/libc.so.6(+0xf838a)[0xb729938a]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
insecure call
mysql_plugin(main+0x202)[0xb752ee22]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb71baa63]
mysql_plugin(+0xa90d)[0xb752f90d]
======= Memory map: ========
b6800000-b6821000 nw-p 00000000 00:00
b6821000-b6900000 ---p 00000000 00 00
b699d000-b699e000 ---p 00000000 00:00
b699e000-b71a1000 rw-p 00000000 00 00
b71a1000-b7345000 r-xp 00000000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.50
b7345000-b7347000 r-—p 001a4000 00:13 1673
/lib/i386-linux~gnu/i686/cmov/libc-2.1
9.so
b7347000-b7348000 rw-p 00la6000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.so
b7348000-b734b000 rw-p 00000000 00 00 0
b734b000-b7367000 r-xp 00000000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7367000-b7368000 rw-p 0001b000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7368000—b73ac000 r-xp 00000000 00:13 15649
/lib/i386-linux-gnu/1686/cmov/libm-2.1
9.so
bffc9000-c0000000 pw-p 00000000 00:00 0 [stack]
Program received signal SIGABRT, Aborted.
0xb7fdebe0 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fdebe0 in __kernel_vsyscall ()
#1 0xb7caa307 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb7cab9c3 in __GI_abort () at abort.c:89
#3 0xb7ce86f8 in __libc_message (do_abort=do_abort@...ry=2,
fmt=fmt@...ry=0xb7ddbe55 "*** %s ***: %s terminated\n”)
at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7d762d5 in __GI___fortify_fail (
msg=msg@...ry=0xb7ddbdd6 "buffer overflow detected”)
at fortify_fail.c:31
#5 0xb7d7438a in __GI___chk_fail () at chk_fail.c:28
#6 0xb7d73877 in __strcpy_chk (dest=0xbffe8c9c 'A' <repeats 200 times>...,
src=0xbffe96ed 'A' <repeats 200 times>..., destlen=<optimized out>)
at strcpy_chk.c:60
#7 0x80009e22 in main ()
(gdb)
(gdb) disas
Dump of assembler code for function __kernel_vsyscall:
0xb7fdebd0 <+0>: push %ecx
0xb7fdebd1 <+1>: push %edx
0xb7fdebd2 <+2>: push %ebp
0xb7fdebd3 <+3>: mov %esp,%ebp
0xb7fdebd5 <+5>: sysenter
0xb7fdebd7 <+7>: nop
0xb7fdebd8 <+8>: nop
0xb7fdebd9 <+9>: nop
0xb7fdebda <+10>: nop
0xb7fdebdb <+11>: nop
0xb7fdebdc <+12>: nop
0xb7fdebdd <+13>: nop
0xb7fdebde <+14>: int x80
=> 0xb7fdebe0 <+16>: pop %ebp
0xb7fdebe1 <+17>: pop %edx
0xb7fdebe2 <+18>: pop %ecx
0xb7fdebe3 <+19>: ret
End of assembler dump.
(gdb)
============================
TECHNICAL SYNOPSIS / POC #2
============================
Unsafe Use of strcpy; this can lead to a buffer overflow condition
----->
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
A user-supplied string from the command-line is copied to a fixed
length destination buffer.
-----------------[ mysql_plugin.c]-------------------------------
Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);
permission set:
-rwxr-xr-x 1 root root 2833756 Jul 15 21:22 /usr/bin/mysql_plugin
===============================================
MySQL V 5.6.24 VULNERABILITIES - SOURCE CODE
===============================================
1. Insecure use of sprintf
Vulnerability Description: A char* type is copied to a fixed length
destination buffer. This could lead to a buffer overflow.
Line: 577 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(efbuf, "MY_REG_%s", name);
2.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.
Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);
3.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.
Line: 797 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(config_file, argv[i]);
4.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 544 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched null at `%.20s'", p);
5.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 525 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s'", len, p);
6.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is being copied to a fixed length destination buffer.
This could lead to a buffer overflow.
Line: 413 - Filename:
./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/dblqh/redoLogReader/reader.cpp
strcpy(fileName, argv[1]);
7.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 531 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s' instead", len, p);
8.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 710 - Filename: ../mysql/mysql-5.6.24/client/mysqlshow.c
sprintf(query,"select count(*) from `%s`", table);
9.
Insecure use of sprintf
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 121 - Filename: ../mysql/mysql-5.6.24/libmysql/conf_to_src.c
sprintf(buf, "%s.conf", set);
10.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 784 - Filename:
./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/PosixAsyncFile.cpp
strcpy(path, src);
11.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This, could lead to an overflow.
Line: 377 - Filename:
./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/Win32AsyncFile.cpp
strcpy(path, src);
<<<
Size of PATH is PATH_MAX 256
** Apologies for the formatting of our earlier advisory. We have
reposted the information and all relevant PoC's for reproduction.
Copyright © 2015 Advanced Information Security Corporation.
Powered by blists - more mailing lists