Bug #37428 Potential security issue with UDFs - linux shellcode execution
Submitted: 16 Jun 2008 14:00    Modified: 8 Dec 2008 16:22
Reporter: Sergei Golubchik
Status: Closed
Category: MySQL Server: User-defined functions (UDF)    Severity: S1 (Critical)
Version: 5.0, 4.1, 4.0    OS: Any
Assigned to: Alexey Botchkov
Triage: D1 (Critical)

[16 Jun 2008 14:00] Sergei Golubchik
Description:
Reported in gentoo bugzilla as https://bugs.gentoo.org/show_bug.cgi?id=220813

But in principle it's still the same old problem when one can load as udf something that is not a udf - in this particular case ssl2_enc from libssl2.

We added an additional check that, although not bullet-proof, was supposed to help in most cases (see "allow-suspicious-udfs" in the manual), but ssl2_enc bypasses it (there is ssl2_enc_init symbol in libssl2).

How to repeat:
see the attached proof-of-concept code

Suggested fix:
On 06/10/2008 08:20 PM, Robin H. Johnson wrote:

> In consultation with our Gentoo security folk, as a compromise for 5.0,
> could MySQL please add an option to disable the usage of any UDFs?
>
> Or backport the plugin_dir code, but make it default to using the
> existing LD path unless specifically configured?
>
> That increases security while also keeping compatibility.

and I think that the second option is a pretty nice way to add this missing bit of protection while preserving backward compatibility.
[18 Jul 2008 13:17] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/50037

2648 Alexey Botchkov	2008-07-18
      Bug#37428 Potential security issue with UDFs - linux shellcode execution.
      
      plugin_dir option backported from 5.1
[28 Jul 2008 15:34] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/50592

2583 Alexey Botchkov	2008-07-28
      Bug#37428 Potential security issue with UDFs - linux shellcode execution.
            
            plugin_dir option backported from 5.1
      
      per-file messages:
        sql/mysql_priv.h
          Bug#37428 Potential security issue with UDFs - linux shellcode execution.
          
          opt_plugin_dir and opt_plugin_dir_ptr declared.
        sql/mysqld.cc
          Bug#37428 Potential security issue with UDFs - linux shellcode execution.
          
          'plugin_dir' option added
        sql/set_var.cc
          Bug#37428 Potential security issue with UDFs - linux shellcode execution.
          
          'plugin_dir' option added.
        sql/sql_udf.cc
          Bug#37428 Potential security issue with UDFs - linux shellcode execution.
          
          opt_plugin_dir added to the udf->dl path. Warn if it's not specified.
        sql/unireg.h
          Bug#37428 Potential security issue with UDFs - linux shellcode execution.
          
          PLUGINDIR defined.
[28 Jul 2008 15:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/50594

2583 Alexey Botchkov	2008-07-28
      Bug#37428 Potential security issue with UDFs - linux shellcode execution.
            
            plugin_dir option backported from 5.1
      
      per-file messages:
        sql/mysql_priv.h
          Bug#37428 Potential security issue with UDFs - linux shellcode execution.
          
          opt_plugin_dir and opt_plugin_dir_ptr declared.
        sql/mysqld.cc
          Bug#37428 Potential security issue with UDFs - linux shellcode execution.
          
          'plugin_dir' option added
        sql/set_var.cc
          Bug#37428 Potential security issue with UDFs - linux shellcode execution.
          
          'plugin_dir' option added.
        sql/sql_udf.cc
          Bug#37428 Potential security issue with UDFs - linux shellcode execution.
          
          opt_plugin_dir added to the udf->dl path. Warn if it's not specified.
        sql/unireg.h
          Bug#37428 Potential security issue with UDFs - linux shellcode execution.
          
          PLUGINDIR defined.
[30 Jul 2008 15:58] Alexey Botchkov
Pushed into 5.0.67-release tree
[31 Jul 2008 17:55] Paul Dubois
"
[24 Jul 14:57] Georgi Kodinov
...
2. Add an explicit comment on why the behavior of plugin_dir is different from the 5.1
code (5.0 backward compatibility when plugin_dir is not specified). We need this to be
made clear in the documentation as well.
"

What does "when plugin_dir is not specified" mean? That the value of plugin_dir is the empty string?
[5 Aug 2008 15:56] Paul Dubois
Noted in 5.0.67 changelog.

To enable stricter control over the location from which user-defined
functions can be loaded, the plugin_dir system variable has been
backported from MySQL 5.1. If the value is non-empty, user-defined
function object files can be loaded only from the directory named by
this variable. If the value is empty, the behavior that was used
before 5.0.67 applies: The UDF object files must be located in a
directory that is searched by your system's dynamic linker.

Setting report to Patch Queued pending push of fix into other 5.0.x trees.
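The two safeguards this thread turns on, the allow-suspicious-udfs heuristic that the description says ssl2_enc slips past (because libssl2 also exports ssl2_enc_init) and the plugin_dir restriction described in the changelog note above, can be modelled in a few lines. The following is an added illustrative model written for this page; it is not MySQL source code and does not reproduce sql_udf.cc. The function names (looks_like_udf, resolve_udf_library, udf_load_decision), the symbol list for libssl2 and the containment check that rejects ".." or absolute names under a non-empty plugin_dir are all assumptions of the model, not behaviour the thread documents.

```python
"""Model of the UDF-loading safeguards discussed in MySQL bug #37428.

Illustrative re-implementation only (not MySQL source):
 1. the allow-suspicious-udfs heuristic: accept a library for CREATE FUNCTION
    only if it also exports <name>_init or <name>_deinit;
 2. the plugin_dir restriction backported in 5.0.67: with a non-empty
    plugin_dir the object file is resolved inside that directory only, with
    an empty plugin_dir the name goes to the dynamic linker as before.
"""
import os
from typing import Iterable, Optional, Tuple

# Constructed symbol table standing in for libssl2's export list: it carries
# both ssl2_enc and ssl2_enc_init, which is why the heuristic cannot tell it
# apart from a genuine UDF library.
LIBSSL2_SYMBOLS = {"ssl2_enc", "ssl2_enc_init", "ssl2_clear", "ssl2_new"}


def looks_like_udf(func_name: str, exported_symbols: Iterable[str]) -> bool:
    """Heuristic modelled on allow-suspicious-udfs=0 (assumed shape).

    A real UDF library exports <name> plus <name>_init and/or <name>_deinit.
    Any other library that happens to export such a pair passes too.
    """
    syms = set(exported_symbols)
    if func_name not in syms:
        return False
    return f"{func_name}_init" in syms or f"{func_name}_deinit" in syms


def resolve_udf_library(plugin_dir: str, dl: str) -> Optional[str]:
    """Model of the plugin_dir behaviour described in the 5.0.67 changelog.

    Empty plugin_dir -> legacy behaviour: the bare name is returned so the
    system dynamic linker's search path decides where it comes from.
    Non-empty plugin_dir -> the library must sit inside plugin_dir; names that
    escape it (assumed hardening in this model) are rejected with None.
    """
    if not plugin_dir:
        return dl
    base = os.path.abspath(os.path.normpath(plugin_dir))
    candidate = os.path.abspath(os.path.normpath(os.path.join(base, dl)))
    # '..' components or an absolute dl name would leave plugin_dir.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def udf_load_decision(plugin_dir: str, dl: str, func_name: str,
                      exported_symbols: Iterable[str],
                      allow_suspicious: bool = False) -> Tuple[bool, str]:
    """Combine both checks; returns (allowed, reason) for an audit log."""
    path = resolve_udf_library(plugin_dir, dl)
    if path is None:
        return False, f"{dl!r} is outside plugin_dir {plugin_dir!r}"
    if not allow_suspicious and not looks_like_udf(func_name, exported_symbols):
        return False, f"{func_name!r} has no _init/_deinit companion symbol"
    return True, f"would dlopen {path!r}"


if __name__ == "__main__":
    # Legacy layout: plugin_dir empty, so libssl2 on the linker path passes
    # both checks; with plugin_dir set, only files inside it are considered.
    for plugin_dir in ("", "/usr/lib/mysql/plugin"):
        for dl in ("libssl.so", "/lib/libssl.so", "../../lib/libssl.so"):
            ok, why = udf_load_decision(plugin_dir, dl, "ssl2_enc", LIBSSL2_SYMBOLS)
            print(f"plugin_dir={plugin_dir!r:24} dl={dl!r:24} -> {ok} ({why})")
```

The run shows the point of the backport: the symbol heuristic alone accepts ssl2_enc from libssl2, while a non-empty plugin_dir confines CREATE FUNCTION ... SONAME to files an administrator placed there, so a library that merely happens to be on the linker path is no longer reachable.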
[25 Aug 2008 12:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52437

2672 Sergey Glukhov	2008-08-25
      Bug#37428 Potential security issue with UDFs - linux shellcode execution.
      plugin_dir option backported from 5.1
[25 Aug 2008 12:24] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52440

2672 Sergey Glukhov	2008-08-25
      Bug#37428 Potential security issue with UDFs - linux shellcode execution.
      plugin_dir option backported from 5.1
[26 Aug 2008 18:34] Bugs System
Pushed into 5.0.70 (revid:gluh@mysql.com-20080825121159-14vsnim7cpox4281) (version source revid:davi.arnaut@sun.com-20080826182704-ikgad9sf3142e7x9) (pib:3)
[26 Aug 2008 19:17] Bugs System
Pushed into 5.1.28 (revid:gluh@mysql.com-20080825121159-14vsnim7cpox4281) (version source revid:davi.arnaut@sun.com-20080826183817-r22ie0hgagpcn6su) (pib:3)
[27 Aug 2008 1:50] Paul Dubois
Noted in 5.0.70 changelog.

5.0-only issue. Ignoring push into 5.1 or higher.
[14 Sep 2008 0:23] Bugs System
Pushed into 6.0.7-alpha (revid:gluh@mysql.com-20080825121159-14vsnim7cpox4281) (version source revid:vvaintroub@mysql.com-20080804094710-jb2qpqxpf2ir2gf3) (pib:3)
[21 Nov 2008 17:07] Paul Dubois
Noted in 5.0.66sp1 changelog.
[3 Dec 2008 16:03] Domas Mituzas
this needs to be reapplied for 4.1 and 4.0 (one month of lifetime left!)
[4 Dec 2008 16:18] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/60627

2709 Georgi Kodinov	2008-12-04
      Backport of bug #37428 to 4.1
[4 Dec 2008 20:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/60654

2710 kent.boortz@sun.com	2008-12-04
      Backport of bug #37428 to 4.1
[8 Dec 2008 10:49] Georgi Kodinov
Pushed to 4.1.25
[8 Dec 2008 16:22] Paul Dubois
Noted in 4.1.25 changelog.
[16 Jan 2009 11:16] Bugs System
Pushed into 5.0.77 (revid:joerg@mysql.com-20090115110809-bnb54922hwgrv2hk) (version source revid:joerg@mysql.com-20090115104831-o8sb30ms6qc8s8je) (merge vers: 5.0.77) (pib:6)
[16 Jan 2009 11:20] Bugs System
Pushed into 5.1.32 (revid:joerg@mysql.com-20090115181125-29qdo615v9vkla0t) (version source revid:joerg@mysql.com-20090115181125-29qdo615v9vkla0t) (merge vers: 5.1.32) (pib:6)
[20 Jan 2009 18:54] Bugs System
Pushed into 6.0.10-alpha (revid:joro@sun.com-20090119171328-2hemf2ndc1dxl0et) (version source revid:timothy.smith@sun.com-20090116165151-xtp5e4z6qsmxyvy0) (merge vers: 6.0.10-alpha) (pib:6)
[17 Feb 2009 14:55] Bugs System
Pushed into 5.1.32-ndb-6.3.23 (revid:tomas.ulin@sun.com-20090217131017-6u8qz1edkjfiobef) (version source revid:tomas.ulin@sun.com-20090203133556-9rclp06ol19bmzs4) (merge vers: 5.1.32-ndb-6.3.22) (pib:6)
[17 Feb 2009 16:42] Bugs System
Pushed into 5.1.32-ndb-6.4.3 (revid:tomas.ulin@sun.com-20090217134419-5ha6xg4dpedrbmau) (version source revid:tomas.ulin@sun.com-20090203133556-9rclp06ol19bmzs4) (merge vers: 5.1.32-ndb-6.3.22) (pib:6)
[17 Feb 2009 18:19] Bugs System
Pushed into 5.1.32-ndb-6.2.17 (revid:tomas.ulin@sun.com-20090217134216-5699eq74ws4oxa0j) (version source revid:tomas.ulin@sun.com-20090201210519-vehobc4sy3g9s38e) (merge vers: 5.1.32-ndb-6.2.17) (pib:6)
[6 May 2009 20:22] Bugs System
Pushed into 5.0.82 (revid:chad@mysql.com-20090506130632-s1cl4ygdj9rt2rrz) (version source revid:chad@mysql.com-20090506130632-s1cl4ygdj9rt2rrz) (merge vers: 5.0.82) (pib:6)
[28 May 2009 8:15] Bugs System
Pushed into 5.1.36 (revid:joro@sun.com-20090528073639-yohsb4q1jzg7ycws) (version source revid:jimw@mysql.com-20090515174051-ndjvfd1e9hc9k9c3) (merge vers: 5.1.36) (pib:6)
[17 Jun 2009 19:22] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090616183122-chjzbaa30qopdra9) (version source revid:joro@sun.com-20090515134506-5mq3a8fafgbkx6u1) (merge vers: 6.0.12-alpha) (pib:11)
[26 Aug 2009 13:45] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 13:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 16:32] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)