Bug #33814 Pre-auth buffer-overflow in mySQL through yaSSL
Submitted: 11 Jan 8:56 Modified: 22 Jan 16:33
Reporter: Sergei Golubchik
Status: Closed
Category: Server Severity: S3 (Non-critical)
Version: 5.0+ OS: Any
Assigned to: Sergei Golubchik Target Version: 5.0+
Tags: Security
Triage: D1 (Critical)

[11 Jan 8:56] Sergei Golubchik
Description:
quoting http://securityvulns.com/Sdocument794.html

"
From:     Luigi Auriemma <aluigi_(at)_autistici.org>
Date:     04.01.2008
Subject:  Pre-auth buffer-overflow in mySQL through yaSSL

The following is a proof-of-concept for testing the buffer-overflow
which affects yaSSL <= 1.7.5 on mySQL servers, any version, including the
latest 6.0.3:

 http://aluigi.org/poc/mysqlo.zip

The vulnerability is exploitable before authentication so the only
requirements for testing it are the usage of SSL on the server and
naturally having an IP address with access to the database.

By default mySQL uses yaSSL (1.6.0) to avoid licence conflicts;
however, if the test server has been compiled with specific OpenSSL
support it is NOT vulnerable.

---
Luigi Auriemma
http://aluigi.org
"

How to repeat:
see http://aluigi.org/poc/mysqlo.zip
[11 Jan 9:01] Sergei Golubchik
according to http://dev.mysql.com/tech-resources/articles/security_vulnerabilities.html

it's Severity A.
Exploitable, unauthenticated user gains access or crashes the server.
Perhaps exploitable, arbitrary code execution.
[11 Jan 9:50] Sergei Golubchik
all three attacks work
[11 Jan 9:57] Sergei Golubchik
CVE-2008-0226
[11 Jan 12:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/40904

ChangeSet@1.2504, 2008-01-11 12:34:12+01:00, serg@janus.mylan +4 -0
  Bug#33814 - yassl problems
[11 Jan 13:20] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/40907

ChangeSet@1.2490, 2008-01-11 13:20:03+01:00, serg@janus.mylan +3 -0
  Bug#33814 - yassl problems
[11 Jan 14:49] Sergei Golubchik
pushed into 5.0.54a, 5.1.23, 6.0.4-alpha
[12 Jan 11:19] Sergei Golubchik
reported and fixed upstream:
http://sourceforge.net/forum/message.php?msg_id=4715728
[16 Jan 15:29] Paul DuBois
What is the actual effect of this problem? Can it be exploited to perform remote code
execution, or to crash the server?
[16 Jan 15:33] Daniel Fischer
It's actually three independent vulnerabilities in the yassl code. At least one of them is
likely to allow remote code execution without prior authentication. The minimum impact is
a crash, again without authentication.

On the upside, it only affects people who a) use SSL and b) run their mysqld instances
accessible from outside.
[16 Jan 15:46] Paul DuBois
Noted in 5.0.54a, 5.1.23, 6.0.4 changelogs.

yaSSL was subject to a pre-authentication buffer-overflow exploit
that could lead to remote code execution or a server crash. The
exploit requires a server with yaSSL enabled and TCP/IP connections
enabled. The exploit does not apply to OpenSSL.
[22 Jan 0:41] Kolbe Kegel
The patch for this bug does not appear to address CVE-2008-0227
[22 Jan 9:56] Sergei Golubchik
it does fix CVE-2008-0227 too
[22 Jan 14:40] Sergei Golubchik
below is the text I suggested for the alert (not necessarily the one that was finally
used):

Recently three vulnerabilities in yassl were discovered; they could lead
to a crash or execution of unauthorized code. MySQL is affected too, when
it's built with yassl (not OpenSSL) and SSL is enabled in the server
(HAVE_SSL variable is "YES"). There is no need to have valid MySQL
account credentials to exploit the bug. The proof-of-concept exploit is
freely available on the Internet. These vulnerabilities are fixed in
MySQL 5.0.54a, 5.1.23, 6.0.4. Everybody with a vulnerable configuration
is advised to upgrade *immediately*.

It lacks CVE references, though.
[22 Jan 16:33] Paul DuBois
Noted in 5.0.50sp1a, 5.0.54a, 5.1.23, 6.0.4 changelogs.

Three vulnerabilities in yaSSL versions 1.7.5 and earlier were
discovered that could lead to a server crash or execution of
unauthorized code. The exploit requires a server with yaSSL enabled
and TCP/IP connections enabled, but does not require valid MySQL
account credentials. The exploit does not apply to OpenSSL.

The proof-of-concept exploit is freely available on the Internet.
Everyone with a vulnerable MySQL configuration is advised to upgrade
immediately.
[24 Jan 12:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41199

ChangeSet@1.2658, 2008-01-24 12:08:04+01:00, tomas@whalegate.ndb.mysql.com +3 -0
  Bug#33814 - yassl problems
  (recommit)
[14 Feb 21:46] Joerg Bruehe
Just for the record:

This fix is also contained in 5.0.51a
(which is not checked by the commit trigger, so there is no automatic entry about that).
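A defender-side triage helper built from the affected configuration and fix list stated in this report (SSL enabled, i.e. have_ssl is YES; fixed in 5.0.54a, 5.1.23 and 6.0.4, plus the 5.0.50sp1a and 5.0.51a builds named in the changelog and Joerg Bruehe's notes). This is an added example, not code from the bug report or from MySQL; it assumes the operator feeds in the output of SELECT VERSION() and SHOW VARIABLES LIKE 'have_ssl', and that whether the binary was linked against OpenSSL rather than the bundled yaSSL is known out of band, since SHOW VARIABLES does not reveal it.

```python
import re

# Fix levels per branch as given in this report: (patch, suffix) of the first fixed release.
# 5.0.54 without the "a" is still vulnerable; 5.0.54a and later carry the fix.
FIXED_IN_BRANCH = {(5, 0): (54, "a"), (5, 1): (23, ""), (6, 0): (4, "")}
# Out-of-band 5.0 builds that also contain the fix (Paul DuBois, Joerg Bruehe comments).
FIXED_BACKPORTS_5_0 = {"5.0.50sp1a", "5.0.51a"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z0-9]*)")

def parse_version(text):
    """Split a VERSION() string such as '5.0.54a-log' or '5.1.24-rc'
    into (major, minor, patch, suffix); '-log'/'-rc' style tails are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised MySQL version string: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def fix_present(version):
    """True if this release carries the yaSSL fix, False if not,
    None if the branch is outside the fix list of this report."""
    major, minor, patch, suffix = parse_version(version)
    if "%d.%d.%d%s" % (major, minor, patch, suffix) in FIXED_BACKPORTS_5_0:
        return True
    branch = FIXED_IN_BRANCH.get((major, minor))
    if branch is None:
        return None
    fixed_patch, fixed_suffix = branch
    if patch != fixed_patch:
        return patch > fixed_patch
    # Same patch level: only the lettered rebuild (5.0.54a) and later are fixed.
    return suffix >= fixed_suffix

def assess(version, have_ssl, openssl_build=False):
    """Classify a server from its VERSION() output and have_ssl value.
    openssl_build is an assumed, operator-supplied flag: the page states that
    servers compiled against OpenSSL instead of yaSSL are not vulnerable."""
    if have_ssl.strip().upper() != "YES":
        return "not affected: SSL not enabled (have_ssl=%s)" % have_ssl
    if openssl_build:
        return "not affected: built against OpenSSL, not yaSSL"
    fixed = fix_present(version)
    if fixed is None:
        return "unknown: %s is outside the branches covered by this fix list" % version
    if fixed:
        return "fixed: %s contains the yaSSL fix" % version
    return "VULNERABLE: %s with SSL enabled; upgrade to 5.0.54a / 5.1.23 / 6.0.4" % version

if __name__ == "__main__":
    # Constructed sample values, as an operator would copy them from the two queries.
    for ver, ssl in [("5.0.45-log", "YES"), ("5.0.54a", "YES"), ("6.0.3-alpha", "DISABLED")]:
        print(ver, "->", assess(ver, ssl))
```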
[20 Feb 17:02] Bugs System
Pushed into 5.1.24-rc
[20 Feb 17:04] Bugs System
Pushed into 6.0.5-alpha
[25 Feb 16:59] Bugs System
Pushed into 5.1.24-rc
[25 Feb 17:04] Bugs System
Pushed into 5.0.58
[25 Feb 17:05] Bugs System
Pushed into 6.0.5-alpha