Bug #17667 An attacker has the opportunity to bypass query logging.
Submitted: 23 Feb 2006 11:13 Modified: 10 May 2006 16:44
Reporter: 4yka 4yka
Status: Closed
Category:MySQL Server Severity:S2 (Serious)
Version:5.0.18,5.0-bk OS:Any (all)
Assigned to: Chad MILLER CPU Architecture:Any

[23 Feb 2006 11:13] 4yka 4yka
Description:
If the "log" parameter is On, the server saves all database queries in a file.
An attacker can use a NULL symbol in a query to bypass logging.
All data after the NULL symbol will be cut off and the attacker's queries won't be logged.

How to repeat:
mysql_connect(...);
mysql_query('/*'.chr(0).'*/ SELECT * FROM table');
[23 Feb 2006 16:48] Shane Bester
Verified on Linux using today's 5.0-bk.
Verified on Windows using 5.0.18.

General query log contained this:

--
Time                 Id Command    Argument
060223 18:43:06	      1 Connect     root@ as anonymous on 
		      1 Query       DROP DATABASE IF EXISTS bug17667
		      1 Query       CREATE DATABASE bug17667
		      1 Query       CREATE TABLE bug17667.t1(id INT)
		      1 Query       /*
		      1 Query       select * FROM bug17667.t1
		      1 Query       /*
		      1 Quit       
--

The real commands executed were:
mysql_query("DROP DATABASE IF EXISTS bug17667",$conn);
mysql_query("CREATE DATABASE bug17667",$conn);
mysql_query("CREATE TABLE bug17667.t1(id INT)",$conn);
mysql_query("/*".chr(0)."*/ INSERT INTO bug17667.t1(id) VALUES (1),(2),(3)",$conn);
$rs=mysql_query("select * FROM bug17667.t1",$conn);
$rs=mysql_query("/*".chr(0)."*/ SELECT * FROM bug17667.t1",$conn);

On a side note:  The binary log is not affected by this bug.
The binlog contained the correct insert statement:
/* */ INSERT INTO bug17667.t1(id) VALUES (1),(2),(3);
[30 Mar 2006 18:56] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/4337
[30 Mar 2006 22:10] Chad MILLER
Fix applies to 5.0.21 and 5.1.8 .

No longer allow NUL, ordinal zero, characters to be inside /*comments*/.  The docs already say NUL characters are not allowed.
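The truncation mechanism from the original report, the "/*" that Shane's log shows, and the lexer-side rejection Chad describes, demonstrated in one added C example (not MySQL's code). The sample statement is constructed; the two loggers and the comment scanner are simplified stand-ins for the server's real code paths.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

// Constructed sample: a NUL byte inside the leading comment, like the repro.
static const char SAMPLE_QUERY[] = "/*\0*/ SELECT * FROM bug17667.t1";
static const size_t SAMPLE_QUERY_LEN = sizeof(SAMPLE_QUERY) - 1;  // 31 bytes incl. NUL

// Vulnerable pattern: the statement is treated as a C string, so everything
// after the first NUL is dropped. Only "/*" reaches the general query log.
size_t log_query_cstring(const char *query, size_t len, char *out, size_t out_size) {
    (void)len;                      // declared length ignored: that is the bug
    size_t n = 0;
    while (n < out_size - 1 && query[n] != '\0') n++;
    memcpy(out, query, n);
    out[n] = '\0';
    return n;
}

// Length-aware logger: copies all len bytes, rendering NUL as "\0" so the
// log line stays readable and nothing after the NUL is lost.
size_t log_query_length_aware(const char *query, size_t len, char *out, size_t out_size) {
    size_t w = 0;
    for (size_t i = 0; i < len && w + 2 < out_size; i++) {
        if (query[i] == '\0') { out[w++] = '\\'; out[w++] = '0'; }
        else out[w++] = query[i];
    }
    out[w] = '\0';
    return w;
}

// Stand-in for the server-side fix: reject a statement that carries a NUL
// byte inside a block comment. Returns 1 if the statement must be refused.
int comment_contains_nul(const char *query, size_t len) {
    int in_comment = 0;
    for (size_t i = 0; i < len; i++) {
        if (!in_comment && i + 1 < len && query[i] == '/' && query[i + 1] == '*') { in_comment = 1; i++; }
        else if (in_comment && i + 1 < len && query[i] == '*' && query[i + 1] == '/') { in_comment = 0; i++; }
        else if (in_comment && query[i] == '\0') return 1;
    }
    return 0;
}

int main(void) {
    char buf[128];
    log_query_cstring(SAMPLE_QUERY, SAMPLE_QUERY_LEN, buf, sizeof buf);
    printf("C-string logger wrote : \"%s\"\n", buf);
    log_query_length_aware(SAMPLE_QUERY, SAMPLE_QUERY_LEN, buf, sizeof buf);
    printf("length-aware logger   : \"%s\"\n", buf);
    printf("rejected by scanner   : %d\n", comment_contains_nul(SAMPLE_QUERY, SAMPLE_QUERY_LEN));
    return 0;
}
```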
[3 Apr 2006 16:33] Lenz Grimmer
JFYI, This bug is tracked by the Mitre Common Vulnerabilities and Exposures list under the ID "CVE-2006-0903"

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903

Please make sure to mention this ID in the ChangeLog. Thanks!
[5 Apr 2006 20:49] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/4523
[5 Apr 2006 23:14] Christian Hammers
Can you provide a patch for 3.23, too? We still want to provide security fixes for our 'Debian 3.0 woody' release which had been shipped with 3.23.49 back then but this source has no ABORT_SYM and I can't figure out how to deal with input errors in sql/sql_lex.cc there.

bye,

-christian- <ch@debian.org>
[21 Apr 2006 13:22] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/5301
[2 May 2006 2:11] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/5774
[2 May 2006 3:29] Chad MILLER
Fixed in 5.0.22 and 5.1.10 .
[6 May 2006 17:37] Christian Hammers
Hello

I noticed that this bug is still not completely closed, the string CVE-2006-0903 (or CAN-2006-0903) does not appear anywhere in the current 4.1.19 source and there's no changeset notice regarding 3.23/4.0/4.1 in this report.

Has it been forgotten? At least 4.1 should be fixed, right?

bye,

-christian-
[10 May 2006 16:44] Paul Dubois
Noted in 5.0.22, 5.1.10 changelogs.

<emphasis role="bold">Security fix</emphasis>: A
<literal>NUL</literal> byte within a comment in a statement
string caused the rest of the string not to be written to the
query log, allowing logging to be bypassed.
(<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903">CVE-2006-0903</ulink>)
[10 Jul 2006 20:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/9014
[12 Jul 2006 15:02] Peter O'Gorman
While the fix for this bug may have been committed prior to the 5.0.22 release, the patches are not part of the 5.0.22 tarball:
 peter$ curl -L -o mysql-5.0.22.tar.gz http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.22.tar.gz/from/http://ftp.iij.ad.jp...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18.6M  100 18.6M    0     0   609k      0  0:00:31  0:00:31 --:--:--  675k
 peter$ tar xzf mysql-5.0.22.tar.gz 
 peter$ grep -r memmem mysql-5.0.22/include/*
 peter$ grep 17667 mysql-5.0.22/tests/mysql_client_test.c
[7 Aug 2006 9:23] Magnus Blåudd
I see there is a sleep in the testcase that is supposed to wait for the server to flush the logs. I will replace that with a "FLUSH LOGS" command.
[30 Dec 2008 10:18] setare khodadady
I tested this bug in mysql 5.1.17 and I see the same result as I saw in mysql 5.0.4.
Please verify this bug on mysql 5.1.x versions.
Thanks, khodadady