Bug #50227 Pre-auth buffer-overflow in mySQL through yaSSL
Submitted: 11 Jan 2010 12:05    Modified: 12 Mar 2010 16:28
Reporter: Andrew Dalgleish
Status: Closed
Category: MySQL Server    Severity: S1 (Critical)
Version: 5.0, 5.1, 5.5.99    OS: Any
Assigned to: Ramil Kalimullin
Tags: regression, Security
Triage: Triaged: D1 (Critical)

[11 Jan 2010 12:05] Andrew Dalgleish
Description:
zero-day exploit first widely publicized here:
http://www.intevydis.com/blog/?p=106

A proof-of-concept was sent to some MySQL staff on 2010-01-10

I've confirmed this works on several Linux versions using YaSSL.
I have not yet tested against OpenSSL, or other operating systems.

I have not reproduced this on 5.0/5.1 yet, but intevydis claim it works.

I have not yet checked how similar this is to bug #33814

Vulnerable:
Ubuntu 9.10 32-bit
mysql-5.5.0-m2-linux-i686-glibc23.tar.gz

Centos 5.4 64-bit
mysql-5.5.0-m2-linux-x86_64-glibc23.tar.gz

How to repeat:
Install mysql server with SSL certificates.

Start the server, and attach GDB to the process.

Run the exploit:
./mysql_overflow1.py <ipaddress>

The main thread will generate a SIGSEGV and drop into GDB.
[12 Jan 2010 6:49] Sveta Smirnova
Not repeatable on Mac
[12 Jan 2010 7:10] Sveta Smirnova
Not repeatable with 4.1
[12 Jan 2010 8:30] Sveta Smirnova
Not repeatable with OpenSSL
[13 Jan 2010 5:03] Andrew Dalgleish
Not repeatable with the following:
mysql-5.5.1-m2-linux-x86_64-glibc23.tar.gz
mysql-5.5.1-m2-linux-x86_64-icc-glibc23.tar.gz
[13 Jan 2010 5:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/96697

2838 Ramil Kalimullin	2010-01-13
      Fix for bug#50227: Pre-auth buffer-overflow in mySQL through yaSSL
      
      Problem: when copying the issuer's (or subject's) name tags into an internal
      buffer from the incoming stream, we didn't check for buffer overflow.
      That may lead to memory overrun, crash etc.
      
      Fix: ensure we don't overrun the buffer.
      
      Note: there's no simple test case (exploit needed).
     @ extra/yassl/taocrypt/include/asn.hpp
        Fix for bug#50227: Pre-auth buffer-overflow in mySQL through yaSSL
          - CertDecoder::AddTag() introduced.
     @ extra/yassl/taocrypt/src/asn.cpp
        Fix for bug#50227: Pre-auth buffer-overflow in mySQL through yaSSL
          - when copying data from the incoming stream to the issuer_ or subject_
        buffers, ensure we don't overrun them.
          - code cleanup.
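The defect the commit message describes is a name component whose length is taken from the incoming certificate stream being copied into a fixed internal buffer with no check of the room left; the fix adds that check. The following is an added illustration of that shape of check, not yaSSL's code: NameBuf, addTag, tagName, decodeName, NAME_MAX and the simplified [arc][len][value] encoding are all hypothetical stand-ins (the real fix is CertDecoder::AddTag() in extra/yassl/taocrypt, whose buffer size and DER parsing differ).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
// Assumed size of the decoded name buffer (illustrative, not yaSSL's constant).
const size_t NAME_MAX = 32;

struct NameBuf {
    char   text[NAME_MAX];
    size_t used;   // bytes written, excluding the terminating NUL
    NameBuf() : used(0) { text[0] = '\0'; }
};

// Bounds-checked append of one "/TAG=value" component.  'len' comes from the
// untrusted stream, so it is checked against the remaining room before any
// byte is copied; when the component does not fit the buffer is left as is.
bool addTag(NameBuf& nb, const char* tag, const uint8_t* value, size_t len)
{
    const size_t tagLen = std::strlen(tag);
    const size_t room   = NAME_MAX - nb.used;        // includes the NUL slot
    if (len >= room || tagLen + 3 > room - len)      // '/', '=' and NUL
        return false;
    char* p = nb.text + nb.used;
    *p++ = '/';
    std::memcpy(p, tag, tagLen);  p += tagLen;
    *p++ = '=';
    std::memcpy(p, value, len);   p += len;
    *p = '\0';
    nb.used = static_cast<size_t>(p - nb.text);
    return true;
}

// X.520 short name selected by the last arc of the attribute OID (2.5.4.x).
const char* tagName(uint8_t arc) { return arc == 3 ? "CN" : arc == 6 ? "C" : arc == 10 ? "O" : nullptr; }
// Walk a simplified name encoding (constructed for this example, not real DER):
// repeated [oidArc][len][value bytes].  Returns the number of components
// appended; stops at a truncated or over-long one instead of writing past the buffer.
size_t decodeName(NameBuf& nb, const uint8_t* s, size_t n)
{
    size_t added = 0;
    for (size_t i = 0; i + 2 <= n; ) {
        const char*  tag = tagName(s[i]);
        const size_t len = s[i + 1];
        if (!tag || len > n - (i + 2)) break;          // malformed/truncated
        if (!addTag(nb, tag, s + i + 2, len)) break;   // would overrun buffer
        ++added;
        i += 2 + len;
    }
    return added;
}
```

With a 32-byte buffer, a single component carrying a length byte of 30 is rejected before any copy, which is the case the unchecked version turned into a memory overrun.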
[13 Jan 2010 9:17] Georgi Kodinov
OK to push. Please think of adding a test case.
[13 Jan 2010 9:40] Lenz Grimmer
Thanks a lot for the quick fix! Please remember to submit it to the YaSSL developers as well.
[13 Jan 2010 12:57] Lenz Grimmer
FYI: Intevydis confirmed that it's indeed CVE-2009-4484
[14 Jan 2010 8:26] Bugs System
Pushed into 5.0.90 (revid:joro@sun.com-20100114082402-05fod2h6z9x9wok8) (version source revid:ramil@mysql.com-20100113101142-pda4phrsyh1rjp85) (merge vers: 5.0.90) (pib:16)
[15 Jan 2010 8:59] Bugs System
Pushed into 5.1.43 (revid:joro@sun.com-20100115085139-qkh0i0fpohd9u9p5) (version source revid:martin.hansson@sun.com-20100113113806-5742ed1swr9rtb4b) (merge vers: 5.1.43) (pib:16)
[16 Jan 2010 2:46] Paul Dubois
Noted in 5.0.90, 5.1.43 changelogs.

For servers built with yaSSL, a preauthorization buffer overflow
could cause memory corruption or a server crash.  

Setting report to NDI pending push to 5.5.x+.
[20 Jan 2010 9:57] Sveta Smirnova
For reference:
repeatable with OpenSolaris with 5.1.42
One important thing - you must attach dbx or gdb to mysqld to see this bug
[5 Feb 2010 11:48] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100204063540-9czpdmpixi3iw2yb) (version source revid:alik@sun.com-20100119163614-172adculixyu26j5) (pib:16)
[5 Feb 2010 11:54] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100205113942-oqovjy0eoqbarn7i) (version source revid:alik@sun.com-20100204064210-ljwanqvrjs83s1gq) (merge vers: 6.0.14-alpha) (pib:16)
[5 Feb 2010 11:59] Bugs System
Pushed into 5.5.2-m2 (revid:alik@sun.com-20100203172258-1n5dsotny40yufxw) (version source revid:alexey.kopytov@sun.com-20100115112653-e3a24041ag1cv6v3) (merge vers: 5.5.1-m2) (pib:16)
[6 Feb 2010 1:16] Paul Dubois
Noted in 5.5.2, 6.0.14 changelogs.

Setting report to Need Merge pending push to Celosia.
[17 Feb 2010 16:29] Paul Dubois
Noted in 5.0.87sp1 changelog.
[12 Mar 2010 14:17] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:33] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:49] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)
[12 Mar 2010 16:15] Paul Dubois
Setting report to Need Merge pending push to Celosia.
[12 Mar 2010 16:28] Paul Dubois
Fixed in earlier 5.1.x, 5.5.x.