| Bug #9148 | Denial of Service | | |
|---|---|---|---|
| Submitted: | 12 Mar 2005 18:54 | Modified: | 23 Jun 2005 2:31 | 
| Reporter: | Luca Ercoli | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server | Severity: | S2 (Serious) | 
| Version: | 4.1.XX/4.0.XX/5.0.XX | OS: | Windows (Windows) | 
| Assigned to: | Reggie Burnett | CPU Architecture: | Any | 
   [12 Mar 2005 19:21]
   MySQL Verification Team        
  Thank you for the bug report. I will be back with the call stack from the latest BK source.
   [12 Mar 2005 22:21]
   MySQL Verification Team        
  I noticed that the crash happens on release servers, i.e. mysqld-nt.exe, while with the debug server either an "unknown database" error is returned or the client hangs. Below is the call stack of release server 4.1.11:
    > mysqld-nt.exe!_my_vsnprintf() + 0x130 C
      mysqld-nt.exe!net_printf() + 0x92 C++
      mysqld-nt.exe!mysql_change_db() + 0x196 C++
      mysqld-nt.exe!dispatch_command() + 0xfb C++
      mysqld-nt.exe!do_command() + 0xa7 C++
      mysqld-nt.exe!_handle_one_connection() + 0x1ed C++
      mysqld-nt.exe!_pthread_create() + 0xcb C
      mysqld-nt.exe!__beginthread() + 0xce
      ntdll.dll!7c9106eb()
      kernel32.dll!7c80b50b()
      ntdll.dll!7c9106eb()
      kernel32.dll!7c8399f3()
   [13 Mar 2005 15:50]
   Mike Hillyer        
  My own testing shows USE LPT1; and USE PRN; to be the only server crashers. NUL, CON, COM1, and AUX do not crash the server, but actually report the database successfully changed.
   [26 Mar 2005 21:33]
   Sergei Golubchik        
  It's CAN-2005-0799
   [6 May 2005 15:52]
   Bugs System        
  A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/internals/24584
   [21 May 2005 17:31]
   Bugs System        
  A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/internals/25161
   [23 May 2005 19:43]
   Bugs System        
  A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/internals/25190
   [23 May 2005 19:45]
   Reggie Burnett        
  Fixed in 4.1.13 and 5.0.7 trees
   [1 Jun 2005 3:41]
   Paul DuBois        
  Noted in 4.1.13, 5.0.7 changelogs.
   [16 Jun 2005 13:23]
   Carsten Segieth        
  The problem still exists using the "official" 5.0.7-beta binaries (reproducible on different WinXP Home machines). With 'bk changes' in a 5.0 tree the fixes can be seen (before the clone for the 5.0.7 build was made), but in the ChangeLog shipped with the 5.0.7-beta package no reference to the fix could be found.
   [21 Jun 2005 18:37]
   Bugs System        
  A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/internals/26261
   [22 Jun 2005 15:37]
   Reggie Burnett        
  Fixed (again) in 4.1.13 and 5.0.8
   [23 Jun 2005 2:31]
   Jon Stephens        
  Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.
If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html
Additional info:
Documented in 4.1.13 and 5.0.8 changelogs; included ref to CAN-2005-0799; closed.
Description:
Package: MySQL Database Server for Windows
Version(s): 4.1.9 (maybe also prior versions are vulnerable)
Vulnerability Type: Denial of Service

Vulnerability Description:
================
A vulnerability exists in the way the application handles requests containing reserved MS-DOS device names (AUX, CON, COM1, LPT1 and PRN). This flaw allows an authenticated user with at least one of these privileges on *.*:
- REFERENCES
- CREATE TEMPORARY TABLES
- GRANT OPTION
- CREATE
- SELECT
to cause the service to fail.

How to repeat:
1- Create a user account (connected as 'root'):
    use mysql;
    INSERT INTO user (Host,User,Password) VALUES('%','customer',PASSWORD('customer'));
2- Grant him one or more of the privileges reported above (connected as 'root'):
    GRANT CREATE TEMPORARY TABLES ON *.* TO 'customer'@'%';
    flush privileges;
3- Connect to the server using the new account and 'use' the database 'LPT1' (connected as 'customer'):
    use LPT1;
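The root of the report above is that a database name is used as a directory name, and on Windows a path component equal to a reserved MS-DOS device name is not a directory at all. The following is an added example (not the MySQL fix and not the reporter's code) of the defender-side checks this implies: a validator that rejects such names before they reach the filesystem, and a scan over general-log lines that flags USE / Init DB requests naming a device. The log lines are constructed for the example; the name set extends the page's list with NUL and COM2-9 / LPT2-9, which Windows reserves the same way.

```python
import re
from typing import List, Tuple

# Names Windows reserves for MS-DOS devices, matched case-insensitively.
# The page lists AUX, CON, COM1, LPT1, PRN and NUL; COM2-9 and LPT2-9 are
# added here because Windows reserves them in the same way.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(name: str) -> bool:
    """True if `name` would resolve to a device rather than a directory on Windows.

    Windows ignores anything after the first dot and any trailing spaces, so
    "lpt1", "LPT1.txt" and "PRN " are all treated as the device.
    """
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def check_database_name(name: str) -> Tuple[bool, str]:
    """Policy check a server, proxy or provisioning script can apply to a name."""
    if not name:
        return False, "empty name"
    if is_reserved_device_name(name):
        return False, f"'{name}' is a reserved Windows device name"
    return True, "ok"


# Detection over general-log lines: the mysql client's `use` arrives as a
# COM_INIT_DB ("Init DB" in the log); other clients may send a USE query.
_DB_SWITCH_RE = re.compile(r"(?:\bInit DB\s+|\bUSE\s+)`?([^`;\s]+)`?\s*;?\s*$", re.IGNORECASE)


def find_device_db_switches(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, dbname) pairs where a database switch targets a device name."""
    hits = []
    for line in log_lines:
        m = _DB_SWITCH_RE.search(line)
        if m and is_reserved_device_name(m.group(1)):
            hits.append((line, m.group(1)))
    return hits


# Constructed sample in the 4.x general log layout (not real captured data).
SAMPLE_LOG = [
    "050312 18:54:01   3 Connect   customer@localhost on ",
    "050312 18:54:02   3 Init DB   LPT1",
    "050312 18:54:03   3 Query     USE `prn.txt`",
    "050312 18:54:04   3 Query     use shop",
]
```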