[UNIX]MySQL Charset Truncation Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



MySQL Charset Truncation Vulnerability
------------------------------------------------------------------------


SUMMARY

A vulnerability in web applications that use MySQL allows attackers to
submit invalid multi-byte characters (UTF-8/GBK) or runs of white space,
which MySQL silently truncates, in order to bypass web application checks,
mainly those used for authentication. The following describes why this
happens.

DETAILS

We found an interesting feature of the MySQL database when the UTF-8, GBK
or other multi-byte charsets are used; this feature can make your
application insecure. Stefan Esser describes related attacks on MySQL in
his paper
<http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/>,
which introduces the SQL Column Truncation vulnerability. The scenario here
is the same as his: the application is a forum where new users can
register, the administrator's name is known (e.g. 'admin'), and MySQL is
used in the default mode.

There is no application restriction on the length of new user names, but
the database column username is limited to 16 characters. Even if the
application does restrict the length of the username, the restriction can
be bypassed, as the following example shows:
<?php
$user = $_REQUEST['user'];   // raw request bytes, never validated as UTF-8

mysql_connect("localhost", "root", "") or
    die("Could not connect: " . mysql_error());
mysql_select_db("test");
mysql_query("SET names utf8");   // connection charset is utf8

// the lookup runs before the length check and interpolates $user as-is
$result = mysql_query("SELECT * from test_user where user='$user'");
if (trim($user) == '' or strlen($user) > 20) {
    die("Input user Invalid");
}
if (@mysql_fetch_array($result, MYSQL_NUM)) {
    die("already exist");
} else {
    // MySQL stores whatever survives its charset handling, not the raw bytes
    $sql = "insert test_user values ('$user')";
    mysql_query($sql);
    echo "$user register OK!";
}
mysql_free_result($result);
?>

Read the code here:
$result = mysql_query("SELECT * from test_user where user='$user'");

If the attacker enters the username 'admin z' ('admin', a run of spaces,
then 'z'; the spaces are collapsed here), the SQL will look like this:
SELECT * FROM user WHERE username='admin z'

And the application will check the length of username with the following
code:
if(trim($user)=='' or strlen($user)>20 ){
die("Input user Invalid");
}

This attack fails because the length of the username 'admin z' is greater
than 20. But it does not end here: the attacker can instead enter the
username 'admin0xc1zzz', that is 'admin' followed by the single byte 0xc1
and then 'zzz', and the SQL will look like this:
SELECT * FROM user WHERE username='admin0xc1zzz'

This passes the application's logic, and the insert command executes:
insert test_user values ('admin0xc1zzz')

Because the table is created with the UTF-8 charset, the byte 0xc1 is not
valid UTF-8 there; MySQL strips it, and with it every character that
follows, so the attacker ends up with the user "admin".

As you can see, when MySQL works with UTF-8 the invalid data is stripped,
but the web application does not know this: its checks operate on the raw
bytes. This difference between what the web application validates and what
the database actually stores is the vulnerability.
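To make the mismatch concrete, the following is an added Python model (not code from the advisory) of the two layers: the advisory's PHP check on raw bytes beside MySQL's non-strict storage behaviour, plus a hardened check that validates the value the column will actually hold. It assumes MySQL's documented non-strict handling (cut at the first invalid utf8 byte, then cut to the 16-character column, PAD SPACE comparison for CHAR/VARCHAR) and uses the advisory's inputs; it also runs the 'admin' plus spaces plus 'z' case at 17 bytes, within the 20-byte application limit, to show why the length check alone does not close the gap.

```python
from typing import Callable, Tuple

COLUMN_WIDTH = 16   # the advisory's username column width
APP_LIMIT = 20      # the advisory's strlen($user) > 20 check


def mysql_nonstrict_store(raw: bytes, width: int = COLUMN_WIDTH) -> str:
    """Model (assumed, not MySQL's own code) of what a utf8 column keeps when
    sql_mode is not strict: everything from the first invalid byte onward is
    dropped, then the value is cut to the column width."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as err:
        text = raw[:err.start].decode("utf-8")
    return text[:width]


def pad_space_equal(a: str, b: str) -> bool:
    """CHAR/VARCHAR comparison under a PAD SPACE collation ignores trailing spaces."""
    return a.rstrip(" ") == b.rstrip(" ")


def advisory_check(raw: bytes) -> bool:
    """The check from the advisory's PHP: non-blank and at most 20 bytes."""
    return raw.strip() != b"" and len(raw) <= APP_LIMIT


def hardened_check(raw: bytes, width: int = COLUMN_WIDTH) -> bool:
    """Validate the value MySQL will actually store: strict UTF-8, no leading
    or trailing whitespace, and no longer in characters than the column."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return text != "" and text == text.strip() and len(text) <= width


def register(raw: bytes, check: Callable[[bytes], bool],
             taken: str = "admin") -> Tuple[str, str]:
    """Run `check`, then store as MySQL would; report whether the stored value
    collides with the existing account `taken` (constructed scenario)."""
    if not check(raw):
        return ("rejected", "")
    stored = mysql_nonstrict_store(raw)
    return ("collides" if pad_space_equal(stored, taken) else "stored", stored)
```

Running both checks against the advisory's payloads shows the raw-byte check letting 'admin' + 0xc1 + 'zzz' through as "admin", while the hardened check rejects it before any query is built; in production, enabling a strict sql_mode on the server removes the silent truncation as well.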


ADDITIONAL INFORMATION

The information has been provided by <mailto:root@xxxxxxxxx> Web Sec.



