CVE-2002-1375
CVSS7.5
Published: 2002-12-23 00:00:00
Revised: 2016-10-17 22:26:30
NMCOES    

[Original] The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x to 4.0.6, allows remote attackers to execute arbitrary code via a long response.


[CNNVD] MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability (CNNVD-200212-064)

        MySQL is an open-source relational database system.
        Because MySQL's password verification mechanism lacks a proper bounds check on the client's response, a remote attacker can exploit this vulnerability to corrupt stack memory and possibly execute arbitrary instructions on the system with the privileges of the MySQL process.
        Because the client's response to the password verification challenge lacks a proper buffer check, if an attacker supplies an over-long response from the client, the random numbers generated by the server's password verification algorithm may overwrite the instruction pointer saved on the stack; in theory, on Linux this allows arbitrary instructions to be executed on the system as the MySQL process. On Windows, because a controllable, valid instruction pointer cannot be overwritten, the report states that this vulnerability cannot be exploited to execute arbitrary instructions.
        An attacker must send a COM_CHANGE_USER command to exploit this vulnerability, so the attacker needs a valid database user account to do so.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:mysql:mysql:3.23.48  MySQL MySQL 3.23.48
cpe:/a:mysql:mysql:3.23.49  MySQL MySQL 3.23.49
cpe:/a:mysql:mysql:3.23.46  MySQL MySQL 3.23.46
cpe:/a:mysql:mysql:3.23.47  MySQL MySQL 3.23.47
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_mp3
cpe:/a:mysql:mysql:3.23.30  MySQL MySQL 3.23.30
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_mp2
cpe:/a:mysql:mysql:3.23.44  MySQL MySQL 3.23.44
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_mp1
cpe:/a:mysql:mysql:3.22.32  MySQL MySQL 3.22.32
cpe:/a:mysql:mysql:3.23.45  MySQL MySQL 3.23.45
cpe:/a:mysql:mysql:3.23.42  MySQL MySQL 3.23.42
cpe:/a:mysql:mysql:3.22.30  MySQL MySQL 3.22.30
cpe:/a:mysql:mysql:3.23.43  MySQL MySQL 3.23.43
cpe:/a:symantec_veritas:netbackup_advanced_reporter:3.4
cpe:/a:mysql:mysql:4.0.1  MySQL MySQL 4.0.1
cpe:/a:mysql:mysql:4.0.0  MySQL MySQL 4.0.0
cpe:/a:mysql:mysql:3.23.9  MySQL MySQL 3.23.9
cpe:/a:mysql:mysql:4.0.3  MySQL MySQL 4.0.3
cpe:/a:mysql:mysql:3.23.8  MySQL MySQL 3.23.8
cpe:/a:mysql:mysql:4.0.2  MySQL MySQL 4.0.2
cpe:/a:mysql:mysql:3.23.40  MySQL MySQL 3.23.40
cpe:/a:mysql:mysql:3.23.41  MySQL MySQL 3.23.41
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_mp3
cpe:/a:mysql:mysql:3.23.3  MySQL MySQL 3.23.3
cpe:/a:mysql:mysql:3.23.2  MySQL MySQL 3.23.2
cpe:/a:mysql:mysql:3.23.5  MySQL MySQL 3.23.5
cpe:/a:mysql:mysql:3.23.53  MySQL MySQL 3.23.53
cpe:/a:mysql:mysql:3.23.10  MySQL MySQL 3.23.10
cpe:/a:mysql:mysql:3.23.4  MySQL MySQL 3.23.4
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_mp1
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_mp2
cpe:/a:mysql:mysql:3.23.26  MySQL MySQL 3.23.26
cpe:/a:mysql:mysql:3.23.27  MySQL MySQL 3.23.27
cpe:/a:mysql:mysql:3.23.24  MySQL MySQL 3.23.24
cpe:/a:mysql:mysql:3.23.25  MySQL MySQL 3.23.25
cpe:/a:mysql:mysql:3.23.28  MySQL MySQL 3.23.28
cpe:/a:mysql:mysql:3.23.29  MySQL MySQL 3.23.29
cpe:/a:mysql:mysql:3.23.51  MySQL MySQL 3.23.51
cpe:/a:mysql:mysql:3.23.52  MySQL MySQL 3.23.52
cpe:/a:mysql:mysql:3.23.50  MySQL MySQL 3.23.50
cpe:/a:mysql:mysql:3.23.23  MySQL MySQL 3.23.23
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_fp3
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_fp2
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5
cpe:/a:mysql:mysql:4.0.5a  MySQL MySQL 4.0.5a
cpe:/a:mysql:mysql:3.22.26  MySQL MySQL 3.22.26
cpe:/a:mysql:mysql:3.23.37  MySQL MySQL 3.23.37
cpe:/a:mysql:mysql:3.23.38  MySQL MySQL 3.23.38
cpe:/a:mysql:mysql:3.23.36  MySQL MySQL 3.23.36
cpe:/a:mysql:mysql:3.22.29  MySQL MySQL 3.22.29
cpe:/a:mysql:mysql:3.22.28  MySQL MySQL 3.22.28
cpe:/a:mysql:mysql:3.23.39  MySQL MySQL 3.23.39
cpe:/a:mysql:mysql:3.22.27  MySQL MySQL 3.22.27
cpe:/a:mysql:mysql:3.23.53a  MySQL MySQL 3.23.53a
cpe:/a:mysql:mysql:3.23.34  MySQL MySQL 3.23.34
cpe:/a:mysql:mysql:3.23.31  MySQL MySQL 3.23.31
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_fp2
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_fp1
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_fp3
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_fp1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1375
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1375
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-064
(Official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000555
(UNKNOWN)  CONECTIVA  CLSA-2002:555
http://marc.info/?l=bugtraq&m=103971644013961&w=2
(UNKNOWN)  BUGTRAQ  20021212 Advisory 04/2002: Multiple MySQL vulnerabilities
http://marc.info/?l=bugtraq&m=104004857201968&w=2
(UNKNOWN)  GENTOO  GLSA-200212-2
http://marc.info/?l=bugtraq&m=104005886114500&w=2
(UNKNOWN)  BUGTRAQ  20021216 [OpenPKG-SA-2002.013] OpenPKG Security Advisory (mysql)
http://security.e-matters.de/advisories/042002.html
(UNKNOWN)  MISC  http://security.e-matters.de/advisories/042002.html
http://www.debian.org/security/2002/dsa-212
(UNKNOWN)  DEBIAN  DSA-212
http://www.linuxsecurity.com/advisories/engarde_advisory-2660.html
(VENDOR_ADVISORY)  ENGARDE  ESA-20021213-033
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:087
(UNKNOWN)  MANDRAKE  MDKSA-2002:087
http://www.novell.com/linux/security/advisories/2003_003_mysql.html
(UNKNOWN)  SUSE  SUSE-SA:2003:003
http://www.redhat.com/support/errata/RHSA-2002-288.html
(UNKNOWN)  REDHAT  RHSA-2002:288
http://www.redhat.com/support/errata/RHSA-2002-289.html
(UNKNOWN)  REDHAT  RHSA-2002:289
http://www.redhat.com/support/errata/RHSA-2003-166.html
(UNKNOWN)  REDHAT  RHSA-2003:166
http://www.securityfocus.com/advisories/5269
(UNKNOWN)  IMMUNIX  IMNX-2003-7+-008-01
http://www.securityfocus.com/bid/6375
(VENDOR_ADVISORY)  BID  6375
http://www.trustix.net/errata/misc/2002/TSL-2002-0086-mysql.asc.txt
(UNKNOWN)  TRUSTIX  2002-0086
http://xforce.iss.net/xforce/xfdb/10848
(VENDOR_ADVISORY)  XF  mysql-comchangeuser-password-bo(10848)

- Vulnerability information

MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
High risk  Boundary condition error
2002-12-23 00:00:00 2006-03-28 00:00:00
Remote
        MySQL is an open-source relational database system.
        Because MySQL's password verification mechanism lacks a proper bounds check on the client's response, a remote attacker can exploit this vulnerability to corrupt stack memory and possibly execute arbitrary instructions on the system with the privileges of the MySQL process.
        Because the client's response to the password verification challenge lacks a proper buffer check, if an attacker supplies an over-long response from the client, the random numbers generated by the server's password verification algorithm may overwrite the instruction pointer saved on the stack; in theory, on Linux this allows arbitrary instructions to be executed on the system as the MySQL process. On Windows, because a controllable, valid instruction pointer cannot be overwritten, the report states that this vulnerability cannot be exploited to execute arbitrary instructions.
        An attacker must send a COM_CHANGE_USER command to exploit this vulnerability, so the attacker needs a valid database user account to do so.

- Advisories and patches

        Vendor patches:
        Conectiva
        ---------
        Conectiva has released security advisory CLA-2002:555 and corresponding patches for this issue:
        CLA-2002:555: MySQL
        Link:
        http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000555

        Patch download:
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-bench-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-client-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-static-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-doc-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/MySQL-3.23.36-14U60_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-bench-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-client-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-static-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-doc-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/MySQL-3.23.36-14U70_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-bench-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-client-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-static-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-doc-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/SRPMS/MySQL-3.23.46-4U80_2cl.src.rpm
        Debian
        ------
        Debian has released security advisory DSA-212-1 and corresponding patches for this issue:
        DSA-212-1: Multiple MySQL vulnerabilities
        Link:
        http://www.debian.org/security/2002/dsa-212

        Patch download:
        Source archives:
        http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.3.dsc
        Size/MD5 checksum: 1305 26482e7b5f51fe036c9270043877483a
        http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32.orig.tar.gz
        Size/MD5 checksum: 4296259 e3d9cb3038a2e4378c9c0f4f9d8c2d58
        http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.3.diff.gz
        Size/MD5 checksum: 84166 79faf5c0f1e6ab6c4c3b7511f9cc1e71

        Architecture independent packages:
        http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.22.32-6.3_all.deb
        Size/MD5 checksum: 1687018 e3d348a98e08bbff4085215356c5dcc7

        alpha architecture (DEC Alpha)
        http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_alpha.deb
        Size/MD5 checksum: 790098 2d103be33a041fa8af05a6d1a8fae1fc
        http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_alpha.deb
        Size/MD5 checksum: 99516 c3803f9e8e090bc9755cc8502f7dd860

        arm architecture (ARM)
        http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_arm.deb
        Size/MD5 checksum: 603710 028266a7c4c99365a8fe715fda7635b9
        http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_arm.deb
        Size/MD5 checksum: 87190 0f6e1c53dd71bd45ec0bfc7bdd3e92c3

        i386 architecture (Intel ia32)
        http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_i386.deb
        Size/MD5 checksum: 585150 54c0e5b9aa43a2d4fd2137f22851243a
        http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_i386.deb
        Size/MD5 checksum: 86768 fe2974d4fc341c7fc5c3866636a49676

        m68k architecture (Motorola Mc680x0)
        http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_m68k.deb
        Size/MD5 checksum: 554888 5d636134e003bdd33f6dd74e60ca6570
        http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_m68k.deb
        Size/MD5 checksum: 84534 47f6aa149c3b872722b5357bb962c0a7

        powerpc architecture (PowerPC)

- Vulnerability information (22085)

MySQL 3.23.x/4.0.x COM_CHANGE_USER Password Memory Corruption Vulnerability (EDBID:22085)
unix remote
2002-12-12 Verified
0 Stefan Esser
N/A [click to download]
source: http://www.securityfocus.com/bid/6375/info

MySQL is prone to a memory corruption vulnerability in the COM_CHANGE_USER command. 

Due to a lack of sufficient bounds checking for client responses to password authentication challenges, it may be possible to corrupt sensitive regions of memory. It has been reported that it is possible to overwrite the saved instruction pointer on the stack with bytes generated by the random number generator of the password verification algorithm. Theoretically, an attacker could leverage such a condition to cause execution of arbitrary code in the security context of the MySQL server process.

It is believed the attacker must be able to issue a COM_CHANGE_USER command to exploit this issue, so having access to a valid database user account may be a prerequisite for exploitation. It is not known if this condition exists when an unauthenticated user attempts to authenticate normally.

http://www.exploit-db.com/sploits/22085.tgz		

- Vulnerability information

8888
MySQL COM_CHANGE_USER Command Long Response Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

A remote overflow exists in MySQL. MySQL fails to validate the password variable in the COM_CHANGE_USER command, resulting in a stack overflow. With a specially crafted request, an attacker can overwrite the saved instruction pointer, resulting in a loss of integrity.

- Timeline

2002-12-12 2002-12-03
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, MySQL AB has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
Boundary Condition Error 6375
Yes No
2002-12-12 12:00:00 2009-07-11 07:16:00
Discovery of this issue is credited to Stefan Esser <s.esser@e-matters.de>.

- Affected program versions

Veritas Software NetBackup Global Data Manager 4.5 MP3
Veritas Software NetBackup Global Data Manager 4.5 MP2
Veritas Software NetBackup Global Data Manager 4.5 MP1
Veritas Software NetBackup Global Data Manager 4.5 FP3
Veritas Software NetBackup Global Data Manager 4.5 FP2
Veritas Software NetBackup Global Data Manager 4.5 FP1
Veritas Software NetBackup Global Data Manager 4.5
Veritas Software NetBackup Advanced Reporter 4.5 MP3
Veritas Software NetBackup Advanced Reporter 4.5 MP2
Veritas Software NetBackup Advanced Reporter 4.5 MP1
Veritas Software NetBackup Advanced Reporter 4.5 FP3
Veritas Software NetBackup Advanced Reporter 4.5 FP2
Veritas Software NetBackup Advanced Reporter 4.5 FP1
Veritas Software NetBackup Advanced Reporter 4.5
Veritas Software NetBackup Advanced Reporter 3.4
MySQL AB MySQL 4.0.5a
MySQL AB MySQL 4.0.3
MySQL AB MySQL 4.0.2
MySQL AB MySQL 4.0.1
MySQL AB MySQL 4.0.0
MySQL AB MySQL 3.23.53a
MySQL AB MySQL 3.23.53
+ OpenPKG OpenPKG Current
+ Sun Cobalt Qube 3
MySQL AB MySQL 3.23.52
+ Conectiva Linux Enterprise Edition 1.0
+ Mandriva Linux Mandrake 9.0
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.51
MySQL AB MySQL 3.23.50
MySQL AB MySQL 3.23.49
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ RedHat Linux 7.3 i686
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
MySQL AB MySQL 3.23.48
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
MySQL AB MySQL 3.23.47
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
MySQL AB MySQL 3.23.46
+ Conectiva Linux 8.0
+ OpenPKG OpenPKG 1.0
MySQL AB MySQL 3.23.45
MySQL AB MySQL 3.23.44
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
MySQL AB MySQL 3.23.43
MySQL AB MySQL 3.23.42
MySQL AB MySQL 3.23.41
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2
MySQL AB MySQL 3.23.40
MySQL AB MySQL 3.23.39
+ HP SCM 3.0
MySQL AB MySQL 3.23.38
MySQL AB MySQL 3.23.37
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
MySQL AB MySQL 3.23.36
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ EnGarde Secure Linux 1.0.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1
MySQL AB MySQL 3.23.34
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- Debian Linux 2.2
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 3.5.1
- HP HP-UX 11.11
- HP HP-UX 11.0
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- RedHat Linux 5.2 sparc
- RedHat Linux 5.2 i386
- RedHat Linux 5.2 alpha
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
MySQL AB MySQL 3.23.33
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
MySQL AB MySQL 3.23.31
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
MySQL AB MySQL 3.23.30
MySQL AB MySQL 3.23.29
MySQL AB MySQL 3.23.28
MySQL AB MySQL 3.23.27
MySQL AB MySQL 3.23.26
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
MySQL AB MySQL 3.23.25
MySQL AB MySQL 3.23.24
MySQL AB MySQL 3.23.23
MySQL AB MySQL 3.23.22
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
MySQL AB MySQL 3.23.10
MySQL AB MySQL 3.23.9
MySQL AB MySQL 3.23.8
MySQL AB MySQL 3.23.5
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.4
MySQL AB MySQL 3.23.3
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
MySQL AB MySQL 3.23.2
MySQL AB MySQL 3.22.32
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
MySQL AB MySQL 3.22.30
MySQL AB MySQL 3.22.29
MySQL AB MySQL 3.22.28
MySQL AB MySQL 3.22.27
MySQL AB MySQL 3.22.26
Miva htmlscript 3.23.32
Veritas Software NetBackup Global Data Manager 4.5 MP4
Veritas Software NetBackup Global Data Manager 4.5 FP4
Veritas Software NetBackup Advanced Reporter 4.5 MP4
Veritas Software NetBackup Advanced Reporter 4.5 FP4
MySQL AB MySQL 3.23.54
+ Sun Cobalt RaQ 550
+ Trustix Secure Linux 1.5

- Unaffected program versions

Veritas Software NetBackup Global Data Manager 4.5 MP4
Veritas Software NetBackup Global Data Manager 4.5 FP4
Veritas Software NetBackup Advanced Reporter 4.5 MP4
Veritas Software NetBackup Advanced Reporter 4.5 FP4
MySQL AB MySQL 3.23.54
+ Sun Cobalt RaQ 550
+ Trustix Secure Linux 1.5

- Vulnerability discussion

MySQL is prone to a memory corruption vulnerability in the COM_CHANGE_USER command.

Due to a lack of sufficient bounds checking for client responses to password authentication challenges, it may be possible to corrupt sensitive regions of memory. It has been reported that it is possible to overwrite the saved instruction pointer on the stack with bytes generated by the random number generator of the password verification algorithm. Theoretically, an attacker could leverage such a condition to cause execution of arbitrary code in the security context of the MySQL server process.

It is believed the attacker must be able to issue a COM_CHANGE_USER command to exploit this issue, so having access to a valid database user account may be a prerequisite for exploitation. It is not known if this condition exists when an unauthenticated user attempts to authenticate normally.
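The CNNVD description and the discussion above both attribute the flaw to a missing length check on the client's challenge response: the server regenerates the expected response with its own random number generator, and an over-long response lets that generator write past a fixed stack buffer. The C block below is an added illustration of that defect class next to its fix; it is constructed for this page and is not MySQL source code. `SCRAMBLE_LEN`, the generator in `rnd_next`, the status codes and every function name are assumptions, not MySQL's values or API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the defect class described in the advisory text.
 * Not MySQL source: SCRAMBLE_LEN, the generator and all names are assumed. */
#define SCRAMBLE_LEN 20   /* assumed fixed size of the expected challenge response */

enum cu_status { CU_OK = 0, CU_BAD_LENGTH = 1, CU_BAD_AUTH = 2 };

/* Toy linear congruential generator standing in for the random number
 * generator of the password verification algorithm (not MySQL's). */
struct rnd { uint32_t state; };

static uint8_t rnd_next(struct rnd *r)
{
    r->state = r->state * 1103515245u + 12345u;
    return (uint8_t)(r->state >> 16);
}

/* Regenerate the first n bytes of the response the server expects for a
 * password-derived seed; a legitimate client derives the same bytes. */
void expected_response(uint32_t seed, uint8_t *out, size_t n)
{
    struct rnd r = { seed };
    for (size_t i = 0; i < n; i++)
        out[i] = rnd_next(&r);
}

/* Vulnerable pattern, kept only for contrast: the client-supplied length
 * becomes the loop bound, so a response longer than SCRAMBLE_LEN makes the
 * generator write its output past the stack buffer. Do not use. */
enum cu_status verify_unchecked(uint32_t seed, const uint8_t *resp, size_t resp_len)
{
    uint8_t expected[SCRAMBLE_LEN];
    expected_response(seed, expected, resp_len);  /* overflows when resp_len > SCRAMBLE_LEN */
    return memcmp(expected, resp, resp_len) == 0 ? CU_OK : CU_BAD_AUTH;
}

/* Hardened version: the length is validated against the fixed buffer size
 * before a single byte is generated or compared. */
enum cu_status verify_checked(uint32_t seed, const uint8_t *resp, size_t resp_len)
{
    uint8_t expected[SCRAMBLE_LEN];
    if (resp == NULL || resp_len != SCRAMBLE_LEN)
        return CU_BAD_LENGTH;
    expected_response(seed, expected, SCRAMBLE_LEN);
    return memcmp(expected, resp, SCRAMBLE_LEN) == 0 ? CU_OK : CU_BAD_AUTH;
}

/* Scenario helpers with constructed inputs: a correct response, an
 * over-long one, and a tampered one. Each returns the server's verdict. */
int scenario_valid(uint32_t seed)
{
    uint8_t resp[SCRAMBLE_LEN];
    expected_response(seed, resp, SCRAMBLE_LEN);
    return verify_checked(seed, resp, SCRAMBLE_LEN);
}

int scenario_overlong(uint32_t seed)
{
    uint8_t resp[4 * SCRAMBLE_LEN];                  /* constructed over-long response */
    expected_response(seed, resp, sizeof resp);
    return verify_checked(seed, resp, sizeof resp);  /* rejected before generation */
}

int scenario_tampered(uint32_t seed)
{
    uint8_t resp[SCRAMBLE_LEN];
    expected_response(seed, resp, SCRAMBLE_LEN);
    resp[0] ^= 0x01;                                 /* one flipped bit: wrong password */
    return verify_checked(seed, resp, SCRAMBLE_LEN);
}

int main(void)
{
    printf("valid=%d overlong=%d tampered=%d\n",
           scenario_valid(0x2002u), scenario_overlong(0x2002u), scenario_tampered(0x2002u));
    return 0;
}
```

The only difference between the two verifiers is the length check that runs before the generator loop, which is the check the advisory says the affected versions lacked; a constant-time comparison in place of `memcmp` would be the next hardening step, but is not the subject of this advisory.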

- Exploit

An exploit for this issue has been published and is circulating in the wild.

- Solution

EnGarde has released updated fixes. The original fixes did not address the COM_TABLE_DUMP vulnerability (BID 6368). The upgraded packages now include fixes for this vulnerability.

Gentoo Linux has released an advisory. Users who have installed dev-db/mysql-3.23.53 and earlier are urged to update their systems by issuing the following commands:

emerge rsync
emerge mysql
emerge clean

OpenPKG has released an advisory (OpenPKG-SA-2002.013) which addresses this issue. Please see the attached advisory for details on fixing this issue on systems using OpenPKG.

Conectiva Linux and Debian have released advisories. Information about obtaining and applying fixes can be found in the referenced advisories.

SuSE has released an advisory (SuSE-SA:2003:003) which addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.

Veritas has released an advisory and updated feature and maintenance packs to address this issue.

This issue has been addressed in MySQL 3.23.54.


MySQL AB MySQL 3.22.32

MySQL AB MySQL 3.23.10

MySQL AB MySQL 3.23.2

MySQL AB MySQL 3.23.22

MySQL AB MySQL 3.23.23

MySQL AB MySQL 3.23.24

MySQL AB MySQL 3.23.25

MySQL AB MySQL 3.23.26

MySQL AB MySQL 3.23.27

MySQL AB MySQL 3.23.28

MySQL AB MySQL 3.23.29

MySQL AB MySQL 3.23.3

MySQL AB MySQL 3.23.30

MySQL AB MySQL 3.23.31

MySQL AB MySQL 3.23.33

MySQL AB MySQL 3.23.34

MySQL AB MySQL 3.23.36

MySQL AB MySQL 3.23.37

MySQL AB MySQL 3.23.38

MySQL AB MySQL 3.23.39

MySQL AB MySQL 3.23.4

MySQL AB MySQL 3.23.40

MySQL AB MySQL 3.23.41

MySQL AB MySQL 3.23.42

MySQL AB MySQL 3.23.43

MySQL AB MySQL 3.23.44

MySQL AB MySQL 3.23.45

MySQL AB MySQL 3.23.46

MySQL AB MySQL 3.23.47

MySQL AB MySQL 3.23.48

MySQL AB MySQL 3.23.49

MySQL AB MySQL 3.23.5

MySQL AB MySQL 3.23.50

MySQL AB MySQL 3.23.51

MySQL AB MySQL 3.23.52

- Related references
