Advanced Information Security Corporation, Security Advisory (MYSQL- v5.6.24 Buffer Overflows)

From: Nicholas Lemonias. <lem.nikolas@googlemail.com>
To: bugtraq@securityfocus.com
Cc:
Subject: Advanced Information Security Corporation, Security Advisory (MYSQL- v5.6.24 Buffer Overflows)
Date:


 ===========================================================
                                 Advanced Information Security Corporation
                                                      Security Advisory

===========================================================

              a888b.
             d888888b.
             8P"YP"Y88
             8|o||o|88
             8' -  .88
             8`._.' Y8.
            d/      `8b.
           dP   .    Y8b.
          d8:'  "  `::88b
         d8"         'Y88b
        :8P    '      :888
         8a.   :     _a88P
       ._/"Yaa_:   .| 88P|
       \    YP"    `| 8P  `.
       /     \.___.d|    .'
       `--..__)888P`._.'


                           ~ Keeping Things Simple!



MySQL v5.6.24 BUFFER OVERFLOWS


Date: 07/10/2015

Author: Nicholas Lemonias

============================================================


========================
SUMMARY
=========================

During a manual source code audit of MYSQL Version 5.6.24, various
buffer overflow issues have been realized.



===================
TECHNICAL DETAILS
===================


root@priv8: ~# /usr/bin/mysql_plugin \u20ac\u02dcperl -e \u20ac\u02dcprint \u20ac\u0153X\u20ac x 9000"

*** buffer overflow detected ***: mysql_plugin terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c6f3)[0xb720d6f3]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__fortify_fail+0x45)[0xb729b2d5]
/lib/1386-linux-gnu/1686/cmov/libc.so.6(+0xf838a)[0xb729938a]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
   insecure call
mysql_plugin(main+0x202)[0xb752ee22]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb71baa63]
mysql_plugin(+0xa90d)[0xb752f90d]
======= Memory map: ========
b6800000-b6821000 nw-p 00000000 00:00
b6821000-b6900000 ---p 00000000 00 00
b699d000-b699e000 ---p 00000000 00:00
b699e000-b71a1000 rw-p 00000000 00 00
b71a1000-b7345000 r-xp 00000000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.50

b7345000-b7347000 r-\u20ac\u201dp 001a4000 00:13 1673
/lib/i386-linux~gnu/i686/cmov/libc-2.1
9.so

b7347000-b7348000 rw-p 00la6000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.so

b7348000-b734b000 rw-p 00000000 00 00 0

b734b000-b7367000 r-xp 00000000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7367000-b7368000 rw-p 0001b000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7368000\u20ac\u201db73ac000 r-xp 00000000 00:13 15649
/lib/i386-linux-gnu/1686/cmov/libm-2.1
9.so
bffc9000-c0000000 pw-p 00000000 00:00 0 [stack]

Program received signal SIGABRT, Aborted.
Oxb7fdebe0 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fdebe0 in __kernel_vsyscall ()
#1 0xb7caa307 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb7cab9c3 in __GI_abort () at abort.c:89
#3 0xb7ce86f8 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0xb7ddbe55 "*** %s ***: %s terminated\n\u20ac)
at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7d762d5 in __GI___fortify_fail (
msg=msg@entry=0xb7ddbdd6 "buffer overflow detected\u20ac)
at fortify_fail.c:31
#5 0xb7d7438a in __GI___chk_fail () at chk_fail.c:28
#6 0xb7d73877 in __strcpy_chk (dest=0xbffe8c9c 'A' <repeats 200 times>...,
src=0xbffe96ed 'A' <repeats 200 times>..., destlen=<optimized out>)
at strcpy_chk.c:60
#7 0x80009e22 in main ()

(gdb)



(gdb) disas
Dump of assembler code for function __kernel_vsyscall:

0xb7fdebd0 <+0>: push %ecx
0xb7fdebd1 <+1>: push %edx
Oxb7fdebd2 <+2>: push %ebp
Oxb7fdebd3 <+3>: mov %esp,%ebp
0xb7fdebd5 <+5>: sysenter
Oxb7fdebd7 <+7>: nop

Oxb7fdebd8 <+8>: nop

0xb7fdebd9 <+9>: nop

Oxb7fdebda <+10>: nop
Oxb7fdebdb <+11>: nop
Oxb7fdebdc <+12>: nop
Oxb7fdebdd <+13>: nop
Oxb7fdebde <+14>: int x80
=> Oxb7fdebe0 <+16>: pop %ebp
Oxb7fdebe1 <+17>: pop %edx
0xb7fdebe2 <+18>: pop %ecx
Oxb7fdebe3 <+19>: ret
End of assembler dump.

(gdb)


============================
TECHNICAL SYNOPSIS / POC #2
============================

Unsafe Use of strcpy; this can lead to a buffer overflow condition


----->
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]

A user-supplied string from the command-line is copied to a fixed
length destination buffer.


-----------------[ mysql_plugin.c]-------------------------------

Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);


permission set:

-rwxr-xr-x 1 root root 2833756 Jul 15 21:22 /usr/bin/mysql_plugin

===============================================
MySQL V 5.6.24  VULNERABILITIES - SOURCE CODE
===============================================


1. Insecure use of sprintf


Vulnerability Description: A char*  type is copied to a fixed length
destination  buffer. This could lead to a buffer overflow.

Line: 577 - Filename: ../mysql/mysql-5.6.24/regex/main.c

sprintf(efbuf, "MY_REG_%s", name);

2.
 Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.

Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);

3.
 Unsafe Use of strcpy  could  lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.

Line: 797 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(config_file, argv[i]);

4.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 544 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched null at `%.20s'", p);

5.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 525 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s'", len, p);

6.
 Unsafe Use of strcpy  could  lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is being copied to a fixed length destination buffer.
This could lead to a buffer overflow.
Line: 413 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/dblqh/redoLogReader/reader.cpp
strcpy(fileName, argv[1]);

7.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 531 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s' instead", len, p);

8.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 710 - Filename: ../mysql/mysql-5.6.24/client/mysqlshow.c
sprintf(query,"select count(*) from `%s`", table);


9.
Insecure use of sprintf
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 121 - Filename: ../mysql/mysql-5.6.24/libmysql/conf_to_src.c
sprintf(buf, "%s.conf", set);


10.
 Unsafe Use of strcpy could  lead to an overflow condition.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 784 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/PosixAsyncFile.cpp
strcpy(path, src);


11.
 Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This, could lead to an overflow.
Line: 377 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/Win32AsyncFile.cpp
strcpy(path, src);
<<<
Size of PATH is PATH_MAX 256





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.