Bug #45790 Potential DoS vector: Writing of user input to log without proper formatting
Submitted: 26 Jun 2009 16:35 Modified: 4 Aug 2009 1:38
Reporter: Staale Smedseng
Status: Closed
Category: Server: General    Severity: S2 (Serious)
Version: 5.0    OS: Any
Assigned to: Staale Smedseng    Target Version: 5.0
Triage: Triaged: D1 (Critical)

[26 Jun 2009 16:35] Staale Smedseng
Description:
Set to private due to the remotely exploitable nature of the bug.

A suitably crafted database identifier supplied to COM_CREATE_DB or COM_DROP_DB can cause
a SIGSEGV, and thereby a denial of service. The packet is printed to the log using no
format string, so potential attackers can control the behavior of vprintf() by supplying
their own format string.

This code is not in use in 5.1+.

How to repeat:
Modify mysql_client_test.c as given below, and execute 'mtr mysql_client_test' with the
debugger of choice. The number of '%s' specifiers needed is dependent on stack contents,
and may vary.

A test for COM_DROP_DB would be similar.

=== modified file 'tests/mysql_client_test.c'
--- tests/mysql_client_test.c   2009-05-05 09:07:11 +0000
+++ tests/mysql_client_test.c   2009-06-26 13:56:12 +0000
@@ -12062,6 +12062,17 @@
   myquery(rc);
 }
 
+static void test_create_db_DoS()
+{
+  int rc;
+  const char* bogus_db = "%s%s%s%s%s";
+
+  myheader("test_create_db_DoS");
+  rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
+                     (ulong)strlen(bogus_db), 0);
+  myquery(rc);
+}
+
 
 static void test_bug6096()
 {
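Review bot: the new test checks only the return code and leaves its side effect behind: on a fixed server `myquery(rc)` requires the CREATE of the literal name `%s%s%s%s%s` to succeed, and nothing drops that database afterwards, so a rerun on the same server starts from a different state. Consider following the `simple_command(mysql, COM_CREATE_DB, ...)` call with a COM_DROP_DB of the same name. Note also that, as the description says, the number of `%s` specifiers needed to crash an unpatched server depends on stack contents, so this case is a regression guard for the fix rather than a reliable reproducer, and a comment in the test saying so would help the next reader.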
@@ -16829,6 +16840,7 @@
   { "test_bug6059", test_bug6059 },
   { "test_bug6046", test_bug6046 },
   { "test_bug6081", test_bug6081 },
+  { "test_create_db_DoS" ,test_create_db_DoS },
   { "test_bug6096", test_bug6096 },
   { "test_datetime_ranges", test_datetime_ranges },
   { "test_bug4172", test_bug4172 },
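Review bot: the comma placement in `{ "test_create_db_DoS" ,test_create_db_DoS },` does not match the neighbouring entries; write it as `{ "test_create_db_DoS", test_create_db_DoS },` to line up with `{ "test_bug6081", test_bug6081 },`.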

Suggested fix:
=== modified file 'sql/sql_parse.cc'
--- sql/sql_parse.cc    2009-06-24 15:37:07 +0000
+++ sql/sql_parse.cc    2009-06-26 12:50:43 +0000
@@ -2096,7 +2096,7 @@
       }
       if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
        break;
-      mysql_log.write(thd,command,packet);
+      mysql_log.write(thd,command,"%s",packet);
       bzero(&create_info, sizeof(create_info));
       mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
                       &create_info, 0);
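Review bot: the `"%s"` makes this call safe, but the defect class survives because `mysql_log.write` still accepts any `const char *` in the format position, which is how the pre-fix line compiled in the first place. Where the compiler supports it, declare the method with a printf-style format attribute (gcc's `__attribute__((format(printf, N, N+1)))` with N the index of the format parameter) so that `-Wformat-security` diagnoses a non-literal format at every call site, and check the remaining `mysql_log.write(` callers for the same pattern, since this patch fixes the two the reporter found by hand.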
@@ -2121,7 +2121,7 @@
                    ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
        break;
       }
-      mysql_log.write(thd,command,db);
+      mysql_log.write(thd,command,"%s",db);
       mysql_rm_db(thd, db, 0, 0);
       break;
     }
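Review bot: this hunk logs `db` where the COM_CREATE_DB hunk above logs `packet`; if both entries are meant to record the same thing in the general log, use the same variable in both places. The added test exercises only COM_CREATE_DB, and the description notes that a COM_DROP_DB test would be similar; adding one would give this call site the same coverage.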
[26 Jun 2009 18:49] Miguel Solorzano
Thank you for the bug report.
[1 Jul 2009 12:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/77637

2789 Staale Smedseng	2009-07-01
      Bug #45790 Potential DoS vector: Writing of user input to log
      without proper formatting
      
      The problem is that a suitably crafted database identifier
      supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
      and thereby a denial of service. The packet is printed to the
      log using no format string, so potential attackers can control
      the behavior of vprintf() by supplying their own format
      string. A CREATE or DROP privilege would be required.
      
      This patch supplies a format string to the printing of the
      database name. A test case is added to mysql_client_test.
     @ sql/sql_parse.cc
        Add format strings.
     @ tests/mysql_client_test.c
        New test case.
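The commit above fixes two mysql_log.write() call sites that the reporter located by hand. As an added example, not MySQL code, the following Python lint finds that defect class in C source: any mysql_log.write() call whose format-position argument is not a string literal. The sample input is constructed from the four lines in the report's diff plus two made-up variants; the simple quote tracking does not handle escaped quotes inside string literals.

```python
import re

# Constructed sample: the two pre-fix and two fixed call sites from the
# report's diff, plus two constructed variants that exercise the parser.
SAMPLE_SOURCE = """\
mysql_log.write(thd,command,packet);
mysql_log.write(thd,command,"%s",packet);
mysql_log.write(thd,command,db);
mysql_log.write(thd,command,"%s",db);
mysql_log.write(thd, command, "%.*s", (int) packet_length, packet);
mysql_log.write(thd, command, build_msg(a, b));
"""

CALL_RE = re.compile(r"mysql_log\.write\s*\((.*)\)\s*;")

def split_top_level_args(arglist):
    # Split on commas outside string literals and parentheses, so that
    # "%s, %s" or a nested call such as f(a, b) stays one argument.
    args, cur, depth, in_str = [], [], 0, False
    for ch in arglist:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not in_str and ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if cur:
        args.append("".join(cur).strip())
    return args

def audit_log_calls(source, fmt_index=2):
    # Report every mysql_log.write() whose format-position argument is not
    # a string literal: the exact pattern this bug report fixes.
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CALL_RE.search(line)
        if not m:
            continue
        args = split_top_level_args(m.group(1))
        if len(args) <= fmt_index:
            continue  # no format argument, so nothing is interpolated
        fmt = args[fmt_index]
        if not (fmt.startswith('"') and fmt.endswith('"')):
            findings.append((lineno, fmt))
    return findings
```

Running audit_log_calls(SAMPLE_SOURCE) flags lines 1, 3 and 6 and accepts the two fixed lines and the "%.*s" variant.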
[1 Jul 2009 14:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/77649

2789 Staale Smedseng	2009-07-01
      Bug #45790 Potential DoS vector: Writing of user input to log
      without proper formatting
            
      The problem is that a suitably crafted database identifier
      supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
      and thereby a denial of service. The database name is printed
      to the log without using a format string, so potential
      attackers can control the behavior of my_b_vprintf() by
      supplying their own format string. A CREATE or DROP privilege
      would be required.
            
      This patch supplies a format string to the printing of the
      database name. A test case is added to mysql_client_test.
     @ sql/sql_parse.cc
        Added format strings.
     @ tests/mysql_client_test.c
        Added new test case.
[7 Jul 2009 9:52] Bugs System
Pushed into 5.0.84 (revid:joro@sun.com-20090707074938-ksah1ibn0vs92cem) (version source
revid:staale.smedseng@sun.com-20090701120944-n2wejiz236r4x8tu) (merge vers: 5.0.84)
(pib:11)
[8 Jul 2009 15:30] Bugs System
Pushed into 5.1.37 (revid:joro@sun.com-20090708131116-kyz8iotbum8w9yic) (version source
revid:staale.smedseng@sun.com-20090701123204-rmcs5px8ohkcjr2r) (merge vers: 5.1.37)
(pib:11)
[9 Jul 2009 9:35] Bugs System
Pushed into 5.0.84 (revid:joro@sun.com-20090707074938-ksah1ibn0vs92cem) (version source
revid:staale.smedseng@sun.com-20090701120944-n2wejiz236r4x8tu) (merge vers: 5.0.84)
(pib:11)
[9 Jul 2009 9:36] Bugs System
Pushed into 5.1.37 (revid:joro@sun.com-20090708131116-kyz8iotbum8w9yic) (version source
revid:staale.smedseng@sun.com-20090701123204-rmcs5px8ohkcjr2r) (merge vers: 5.1.37)
(pib:11)
[10 Jul 2009 13:21] Bugs System
Pushed into 5.4.4-alpha
(revid:anozdrin@bk-internal.mysql.com-20090710111017-bnh2cau84ug1hvei) (version source
revid:staale.smedseng@sun.com-20090701123423-w0q19oleq5phzgv4) (merge vers: 5.4.4-alpha)
(pib:11)
[21 Jul 2009 9:25] Sergei Golubchik
CVE-2009-2446
[4 Aug 2009 1:38] Paul DuBois
Noted in 5.0.84, 5.1.37, 5.4.4 changelogs.

A suitable database identifier supplied to the COM_CREATE_DB or
COM_DROP_DB command could cause a segmentation fault, and thereby a
denial of service.
[4 Aug 2009 19:52] Paul DuBois
This affects 5.0 only.

No changelog entry for 5.1.37, 5.4.4 needed.
[17 Aug 2009 10:42] Lenz Grimmer
Now that 5.0.84 has been released, this bug should not be marked as private anymore,
correct?
[26 Aug 2009 15:46] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l)
(version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers:
5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 15:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc)
(version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers:
5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 15:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4)
(version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers:
5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 18:33] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr)
(version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers:
5.1.37-ndb-7.0.8) (pib:11)
[11 Jan 23:15] James Day
We've opened bug #50227 for the Intevydis exploit. It seems to be a possible yaSSL bug.
Any server without an SSL certificate so far has not been vulnerable in our testing, nor
have any recent 5.0 or 5.1 versions since a yaSSL fix in 5.0.54a and 5.1.23, but testing
continues and Intevydis think later versions are vulnerable. Bug #50227 is currently
private and will be made public when we've released fixes for any versions that need
them.