Bug #45790 Potential DoS vector: Writing of user input to log without proper formatting
Submitted: 26 Jun 2009 14:35 Modified: 3 Aug 2009 23:38
Reporter: Staale Smedseng
Status: Closed
Category: MySQL Server: General    Severity: S2 (Serious)
Version: 5.0    OS: Any
Assigned to: Staale Smedseng    CPU Architecture: Any

[26 Jun 2009 14:35] Staale Smedseng
Description:
Set to private due to the remotely exploitable nature of the bug.

A suitably crafted database identifier supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV, and thereby a denial of service. The packet is printed to the log using no format string, so potential attackers can control the behavior of vprintf() by supplying their own format string.

This code is not in use in 5.1+.

How to repeat:
Modify mysql_client_test.c as given below, and execute 'mtr mysql_client_test' with the debugger of choice. The number of '%s' specifiers needed is dependent on stack contents, and may vary.

A test for COM_DROP_DB would be similar.

=== modified file 'tests/mysql_client_test.c'
--- tests/mysql_client_test.c   2009-05-05 09:07:11 +0000
+++ tests/mysql_client_test.c   2009-06-26 13:56:12 +0000
@@ -12062,6 +12062,17 @@
   myquery(rc);
 }
 
+static void test_create_db_DoS()
+{
+  int rc;
+  const char* bogus_db = "%s%s%s%s%s";
+
+  myheader("test_create_db_DoS");
+  rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
+                     (ulong)strlen(bogus_db), 0);
+  myquery(rc);
+}
+
 
 static void test_bug6096()
 {
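Review bot: the test never drops the database it creates, so a successful run leaves a schema literally named `%s%s%s%s%s` behind for later tests, and the COM_DROP_DB path that the description says is equally affected stays uncovered; add a matching `simple_command(mysql, COM_DROP_DB, ...)` after the create, which both cleans up and exercises the second fixed call site. Also, the added `+` blank line before the existing empty line leaves two empty lines between this function and test_bug6096().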
@@ -16829,6 +16840,7 @@
   { "test_bug6059", test_bug6059 },
   { "test_bug6046", test_bug6046 },
   { "test_bug6081", test_bug6081 },
+  { "test_create_db_DoS" ,test_create_db_DoS },
   { "test_bug6096", test_bug6096 },
   { "test_datetime_ranges", test_datetime_ranges },
   { "test_bug4172", test_bug4172 },
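Review bot: the new table entry places the comma after the space, `{ "test_create_db_DoS" ,test_create_db_DoS },`, unlike every neighbouring entry (`{ "test_bug6081", test_bug6081 },`); match the surrounding style.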

Suggested fix:
=== modified file 'sql/sql_parse.cc'
--- sql/sql_parse.cc    2009-06-24 15:37:07 +0000
+++ sql/sql_parse.cc    2009-06-26 12:50:43 +0000
@@ -2096,7 +2096,7 @@
       }
       if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
        break;
-      mysql_log.write(thd,command,packet);
+      mysql_log.write(thd,command,"%s",packet);
       bzero(&create_info, sizeof(create_info));
       mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
                       &create_info, 0);
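Review bot: the change is correct, since `packet` is client-controlled and passing it as the format argument let the client choose the directives that the log writer's vprintf() interprets. Two follow-ups: this CREATE path logs the raw `packet` while the DROP hunk below logs the parsed `db`, so consider logging `db` here as well for consistency; and because the only difference between the unsafe and safe calls is a missing `"%s"`, it is worth checking whether the build can flag non-literal formats for this writer (a printf-style format attribute on mysql_log.write, if the compiler supports it), so the same slip is caught at compile time rather than in production.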
@@ -2121,7 +2121,7 @@
                    ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
        break;
       }
-      mysql_log.write(thd,command,db);
+      mysql_log.write(thd,command,"%s",db);
       mysql_rm_db(thd, db, 0, 0);
       break;
     }
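Review bot: correct fix, but the privilege check that the commit message relies on ("A CREATE or DROP privilege would be required") is not visible in this hunk's context, unlike the `check_access(thd,CREATE_ACL,...)` line in the hunk above; confirm the write still sits after the DROP-side access check so the log line, and with it the formerly exploitable vprintf() call, is reachable only by a client holding that privilege.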
[26 Jun 2009 16:49] MySQL Verification Team
Thank you for the bug report.
[1 Jul 2009 10:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/77637

2789 Staale Smedseng	2009-07-01
      Bug #45790 Potential DoS vector: Writing of user input to log
      without proper formatting
      
      The problem is that a suitably crafted database identifier
      supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
      and thereby a denial of service. The packet is printed to the
      log using no format string, so potential attackers can control
      the behavior of vprintf() by supplying their own format
      string. A CREATE or DROP privilege would be required.
      
      This patch supplies a format string to the printing of the
      database name. A test case is added to mysql_client_test.
     @ sql/sql_parse.cc
        Add format strings.
     @ tests/mysql_client_test.c
        New test case.
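The two call shapes from the patch, as an added C example that is not part of the bug report or of MySQL's code: log_write() is a constructed stand-in for mysql_log.write(), log_db_command() is the post-patch "%s" form, and format_args_demanded() is a hypothetical audit helper showing why the reporter's "%s%s%s%s%s" name was dangerous as a format but harmless as an argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for mysql_log.write(): a printf-style writer that
 * formats one log line into a caller-supplied buffer (not MySQL's code). */
static int log_write(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Pre-patch shape, left as a comment because it is undefined behaviour:
 *   log_write(out, outsz, db);   with db == "%s%s%s%s%s"
 * the writer reads five pointer arguments that were never passed
 * (gcc/clang flag this shape under -Wformat -Wformat-security). */

/* Post-patch shape: the client-supplied name travels as an argument, so
 * every '%' in it is copied verbatim, never interpreted as a directive. */
static int log_db_command(char *out, size_t outsz,
                          const char *cmd, const char *db)
{
    return log_write(out, outsz, "%s %s", cmd, db);
}

/* Audit helper: arguments a string would consume if (wrongly) used as the
 * format. Approximate: "%%" is a literal, any other '%' counts as one
 * directive; nonzero on logged input means the call site needs the fix. */
static int format_args_demanded(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" prints one '%' */
        n++;
    }
    return n;
}

int main(void)
{
    char line[128];                          /* constructed hostile name */
    log_db_command(line, sizeof line, "Create DB", "%s%s%s%s%s");
    printf("%s  (demands %d args as a format)\n", line,
           format_args_demanded("%s%s%s%s%s"));
    return 0;
}
```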
[1 Jul 2009 12:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/77649

2789 Staale Smedseng	2009-07-01
      Bug #45790 Potential DoS vector: Writing of user input to log
      without proper formatting
            
      The problem is that a suitably crafted database identifier
      supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
      and thereby a denial of service. The database name is printed
      to the log without using a format string, so potential
      attackers can control the behavior of my_b_vprintf() by
      supplying their own format string. A CREATE or DROP privilege
      would be required.
            
      This patch supplies a format string to the printing of the
      database name. A test case is added to mysql_client_test.
     @ sql/sql_parse.cc
        Added format strings.
     @ tests/mysql_client_test.c
        Added new test case.
[7 Jul 2009 7:52] Bugs System
Pushed into 5.0.84 (revid:joro@sun.com-20090707074938-ksah1ibn0vs92cem) (version source revid:staale.smedseng@sun.com-20090701120944-n2wejiz236r4x8tu) (merge vers: 5.0.84) (pib:11)
[8 Jul 2009 13:30] Bugs System
Pushed into 5.1.37 (revid:joro@sun.com-20090708131116-kyz8iotbum8w9yic) (version source revid:staale.smedseng@sun.com-20090701123204-rmcs5px8ohkcjr2r) (merge vers: 5.1.37) (pib:11)
[9 Jul 2009 7:35] Bugs System
Pushed into 5.0.84 (revid:joro@sun.com-20090707074938-ksah1ibn0vs92cem) (version source revid:staale.smedseng@sun.com-20090701120944-n2wejiz236r4x8tu) (merge vers: 5.0.84) (pib:11)
[9 Jul 2009 7:36] Bugs System
Pushed into 5.1.37 (revid:joro@sun.com-20090708131116-kyz8iotbum8w9yic) (version source revid:staale.smedseng@sun.com-20090701123204-rmcs5px8ohkcjr2r) (merge vers: 5.1.37) (pib:11)
[10 Jul 2009 11:21] Bugs System
Pushed into 5.4.4-alpha (revid:anozdrin@bk-internal.mysql.com-20090710111017-bnh2cau84ug1hvei) (version source revid:staale.smedseng@sun.com-20090701123423-w0q19oleq5phzgv4) (merge vers: 5.4.4-alpha) (pib:11)
[21 Jul 2009 7:25] Sergei Golubchik
CVE-2009-2446
[3 Aug 2009 23:38] Paul DuBois
Noted in 5.0.84, 5.1.37, 5.4.4 changelogs.

A suitable database identifier supplied to the COM_CREATE_DB or
COM_DROP_DB command could cause a segmentation fault, and thereby a
denial of service.
[4 Aug 2009 17:52] Paul DuBois
This affects 5.0 only.

No changelog entry for 5.1.37, 5.4.4 needed.
[17 Aug 2009 8:42] Lenz Grimmer
Now that 5.0.84 has been released, this bug should not be marked as private anymore, correct?
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 13:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 16:33] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[11 Jan 2010 22:15] James Day
We've opened bug #50227 for the Intevydis exploit. It seems to be a possible yaSSL bug. Any server without an SSL certificate so far has not been vulnerable in our testing, nor have any recent 5.0 or 5.1 versions since a yaSSL fix in 5.0.54a and 5.1.23, but testing continues and Intevydis think later versions are vulnerable. Bug #50227 is currently private and will be made public when we've fixes released for any versions that need them.