Description:
Sent to security@ from Eric Day eday@oddments.org

Hi!

I'm working on a MySQL and Drizzle protocol testing tool, and while
testing various edge cases, I found that you can send an infinite
amount of data to mysqld process without being authenticated. This
means that any open port could be used for a DoS attack. No extra
memory is consumed, but there is significant CPU and bandwidth
consumption. This attack would be most effective on a LAN or within
the same data center, but it's possible to be used in a distributed
DoS if bandwidth and max connections are adequate.

It's easy to perform, you just send an infinite number of packets
of the maximum packet size after the server handshake packet, and
my_net_skip_rest (in sql/net_serv.cc) will gladly read as much data
as you have to give. The attached python script does just that, and
I've found it gets pipe errors on slower machines. I was able to send
over 60GB in one instance on my local network though.

In my opinion, the appropriate behavior is would be to set some maximum
limit to use in my_net_skip_rest and simply close the connection if
that is exceeded.

How to repeat:
See attached python script

Suggested fix:
In my opinion, the appropriate behavior is would be to set some maximum
limit to use in my_net_skip_rest and simply close the connection if
that is exceeded.

Verified as described using
mysql-5.5.1-m2-linux-x86_64-glibc23.tar.gz

Doesn't seem exploitable, but sends mysqld to 90% CPU.

Verified as described with
mysql-advanced-gpl-5.1.40sp1-linux-x86_64-glibc23.tar.gz

Verified as described using
mysql-enterprise-gpl-5.0.84sp1-linux-x86_64-glibc23.tar.gz

triage: setting tag to SR51MRU, SR55RC (DoS vector - 5.0+ target)

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/106060

2858 Davi Arnaut	2010-04-19
      Bug#50974: Server keeps receiving big (> max_allowed_packet) packets indefinitely.
      
      The server could be tricked to read packets indefinitely if it
      received a packet larger than the maximum size of one packet.
      This problem is aggravated by the fact that it can be triggered
      before authentication.
      
      The solution is to skip at least twice the maximum packet size.
      If the packet (or following packets) are larger then twice the
      maximum size, a error is returned and the connection is closed.
      Skipping is only performed for authenticated users.
     @ include/mysql_com.h
        Add skip factor. Only used in server builds.
     @ sql/net_serv.cc
        Control the amount of data that can be skipped.
        Similar behavior for client and server.
     @ tests/mysql_client_test.c
        Add test case.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/106945

2860 Davi Arnaut	2010-04-29
      Bug#50974: Server keeps receiving big (> max_allowed_packet) packets indefinitely.
      
      The server could be tricked to read packets indefinitely if it
      received a packet larger than the maximum size of one packet.
      This problem is aggravated by the fact that it can be triggered
      before authentication.
      
      The solution is to no skip big packets for non-authenticated
      sessions. If a big packet is sent before a session is authen-
      ticated, a error is returned and the connection is closed.
     @ include/mysql_com.h
        Add skip flag. Only used in server builds.
     @ sql/net_serv.cc
        Control whether big packets can be skipped.

Queued to mysql-5.0-bugteam and up

Pushed into 5.0.91 (revid:joro@sun.com-20100501134604-ra243s5b389j6ttn) (version source revid:davi.arnaut@sun.com-20100429132816-ictyul6d75itek22) (merge vers: 5.0.91) (pib:16)

Pushed into 5.1.47 (revid:joro@sun.com-20100505145753-ivlt4hclbrjy8eye) (version source revid:davi.arnaut@sun.com-20100429231819-i3anwzrdasjmezvt) (merge vers: 5.1.47) (pib:16)

This is now tracked as CVE-2010-1849 on http://cve.mitre.org/

Noted in 5.0.91, 5.1.47 changelogs.

The server could be tricked into reading packets indefinitely if it
received a packet larger than the maximum size of one packet.

Workaround: set connection_timeout. Its set to 10 by default.

That is, connect_timeout.

http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_connect_timeout

Please note that if you have high security requirements for your server, you should ensure that you have appropriate firewalls in place to ensure that your server cannot be reached by potential attackers. Good practice also includes measures like having only internet-unroutable IP addresses allocated to the database server.

Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (pib:16)

Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)

Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:alexey.kopytov@sun.com-20100507161755-e2lpi9tdulcm5njq) (merge vers: 5.5.5-m3) (pib:16)

Noted in 5.5.5, 6.0.14 changelogs.

Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)

Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)

Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)

Noted in 5.1.46sp1 changelog.

Pushed into 5.1.49 (revid:sunanda.menon@sun.com-20100708184626-16el4v8gjjci6m1r) (version source revid:sunanda.menon@sun.com-20100708184626-16el4v8gjjci6m1r) (merge vers: 5.1.49) (pib:16)

Already fixed in 5.1.x.

Pushed into mysql-trunk 5.5.6-m3 (revid:alik@sun.com-20100731131027-1n61gseejyxsqk5d) (version source revid:alik@sun.com-20100731074942-o840woifuqioxxe4) (merge vers: 5.5.6-m3) (pib:18)

Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804080001-bny5271e65xo34ig) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)

Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804081533-c1d3rbipo9e8rt1s) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)

Pushed into mysql-next-mr (revid:alik@ibmvm-20100804081630-ntapn8bf9pko9vj3) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (pib:20)

Not present in any released 5.6.x version.

Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)

Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)

Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)

Already documented as noted above; setting back to Closed state.