Bug #10841 Buffer overflow in "mysql" client may cause unexpected crash
Submitted: 24 May 2005 19:38 Modified: 20 Jun 2005 22:07
Reporter: Reid Borsuk
Status: Closed
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:4.1.12 OS:Microsoft Windows (Windows)
Assigned to: Jim Winstead CPU Architecture:Any

[24 May 2005 19:38] Reid Borsuk
Description:
A three-byte buffer overflow in the client functions (when reading a command from the user) may cause improper exiting of the client.

MySQL.cpp Line 960 reads:

      linebuffer[0]= (char) sizeof(linebuffer);
      line= _cgets(linebuffer);

_cgets() requires that the first byte of the input buffer be the length of the input buffer minus 3 (http://msdn.microsoft.com/library/en-us/vccore98/HTML/_crt__cgets.asp). This corresponds with the maximum length of the string that can be read by the _cgets function.

(Note that the following analysis is for version 4.1.12, named mysql-noinstall-4.1.12-win32.zip with MD5 sum of 3ed8ae0fb8aca9074a4fb8188ab18f50. Any other builds are not likely to work identically.)

This will overflow three bytes into the stack. Due to alignment, two bytes are "safe" and overflow into unallocated memory, while the terminating null character overflows into the return EIP. The function add_line() then processes this string, and allows the attacker to either leave the byte as 0x00, or change it to 0x0A (newline). The attacker then may use the “quit” command to jump back to their EIP.

In the event the attacker attempts to jump to the instruction ending in 0x0A, the computer will attempt to read either the address 0x00000000 or 0x00000001 from memory. This will cause an exception to be raised.

In the event the attacker attempts to jump to the instruction ending in 0x00, the computer will attempt to read either the address 0x5103982D or 0x5103982E from memory. This is also within unallocated memory, and an exception will be raised.

This does not appear exploitable on recent builds of the client, therefore is not being labeled a security issue.

How to repeat:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 30 to server version: 4.1.11-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' at line 1
mysql> mysql> quit

[CRASH]

Suggested fix:
Change MySQL.cpp Line 960 to read:

      linebuffer[0]= (char) (sizeof(linebuffer)-3);
      line= _cgets(linebuffer);

(It should be noted that this fix will exacerbate another bug in the MySQL client program, labeled bug #10840)
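The following is an added example, not code from the bug report or from the MySQL client: a portable model of the _cgets() buffer contract described above, used to show where the extra three bytes come from and why the suggested fix removes them. The real _cgets() reads the console; this model reads from a caller-supplied string. The names model_cgets, overrun_bytes and guard_bytes_clobbered, the 16-byte buffer size and the 32-character line of A's are the example's own choices.

```c
/* Added example: a portable model of the Microsoft CRT _cgets() buffer
 * layout. Not MySQL's code and not the real _cgets(); it copies from a
 * string instead of reading the console. Buffer sizes, the sample line
 * and all function names are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* _cgets() contract (from the MSDN page cited in the report):
 *   buf[0]   : maximum number of characters to read (set by the caller)
 *   buf[1]   : number of characters actually read (set by the callee)
 *   buf[2..] : the characters, followed by a terminating '\0'
 * A full line of buf[0] characters therefore occupies buf[0] + 3 bytes,
 * which is why the length byte must be sizeof(buffer) - 3. */

/* Model of _cgets(): copies at most (unsigned char)buf[0] characters of
 * `input` to buf + 2, records the count in buf[1], writes the terminator
 * and returns the index of that terminator. It writes exactly where the
 * real function would, so the caller must supply enough backing space. */
static size_t model_cgets(char *buf, const char *input)
{
    size_t max = (unsigned char)buf[0];
    size_t n = strlen(input);
    if (n > max)
        n = max;
    memcpy(buf + 2, input, n);
    buf[1] = (char)n;
    buf[2 + n] = '\0';
    return 2 + n;
}

/* Bytes by which the terminator of a maximal line lands past the end of a
 * buffer of `bufsize` bytes whose length byte is `lenbyte`. */
size_t overrun_bytes(size_t bufsize, unsigned char lenbyte)
{
    size_t last = 2 + (size_t)lenbyte;      /* index the terminator hits */
    return last >= bufsize ? last - bufsize + 1 : 0;
}

#define BUFSIZE 16
#define GUARD   8

/* Place a BUFSIZE-byte "linebuffer" directly in front of GUARD guard bytes
 * filled with 0xAA, feed the model a line longer than the buffer, and
 * return how many guard bytes were overwritten. lenbyte == BUFSIZE models
 * the report's `(char) sizeof(linebuffer)`; BUFSIZE - 3 models the fix. */
int guard_bytes_clobbered(unsigned char lenbyte)
{
    unsigned char backing[BUFSIZE + GUARD];
    const char *line = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 A's, constructed */
    int touched = 0;
    size_t i;

    memset(backing, 0xAA, sizeof backing);
    backing[0] = lenbyte;
    model_cgets((char *)backing, line);
    for (i = BUFSIZE; i < sizeof backing; i++)
        if (backing[i] != 0xAA)
            touched++;
    return touched;
}

int main(void)
{
    printf("length byte = sizeof:     overrun %zu bytes, guard bytes clobbered %d\n",
           overrun_bytes(BUFSIZE, BUFSIZE), guard_bytes_clobbered(BUFSIZE));
    printf("length byte = sizeof - 3: overrun %zu bytes, guard bytes clobbered %d\n",
           overrun_bytes(BUFSIZE, BUFSIZE - 3), guard_bytes_clobbered(BUFSIZE - 3));
    return 0;
}
```

With the length byte equal to the buffer size, the last two characters of a maximal line land in the first two guard bytes and the terminator in the third, matching the report's "two bytes into unallocated memory, terminating null into the saved return address" picture; with the length byte reduced by three, nothing past the buffer is touched.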
[24 May 2005 19:57] Miguel Solorzano
I was unable to repeat the crash with 4.1.12 on XP Pro:

    -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -> AAAAAAAAAAAAA;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server ve
rsion for the right syntax to use near 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA' at line 1
mysql> quit
Bye

Is there something I am missing to reproduce the crash?
[24 May 2005 20:05] Reid Borsuk
I believe you are pasting all those A's on separate lines, from the amount of ->'s you have. Be sure that you create one single long line; the bug tracker seems to split lines at 80 characters.
[24 May 2005 20:14] Miguel Solorzano
Thank you for the feedback.
[7 Jun 2005 22:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/25735
[11 Jun 2005 6:30] Jim Winstead
Fixed in 4.1.13 and 5.0.8.
[20 Jun 2005 22:07] Mike Hillyer
Documented in 4.1.13 and 5.0.8 changelogs.