Bug #50974 Server keeps receiving big (> max_allowed_packet) packets indefinitely.
Submitted: 7 Feb 2010 23:32 Modified: 14 Oct 2010 14:11
Reporter: Andrew Dalgleish
Status: Closed
Category: MySQL Server Severity: S1 (Critical)
Version: 5.0 and up OS: Any
Assigned to: Davi Arnaut CPU Architecture:Any
Triage: Triaged: D1 (Critical)

[7 Feb 2010 23:32] Andrew Dalgleish
Description:
Sent to security@ from Eric Day eday@oddments.org

Hi!

I'm working on a MySQL and Drizzle protocol testing tool, and while
testing various edge cases, I found that you can send an infinite
amount of data to mysqld process without being authenticated. This
means that any open port could be used for a DoS attack. No extra
memory is consumed, but there is significant CPU and bandwidth
consumption. This attack would be most effective on a LAN or within
the same data center, but it's possible to be used in a distributed
DoS if bandwidth and max connections are adequate.

It's easy to perform, you just send an infinite number of packets
of the maximum packet size after the server handshake packet, and
my_net_skip_rest (in sql/net_serv.cc) will gladly read as much data
as you have to give. The attached Python script does just that, and
I've found it gets pipe errors on slower machines. I was able to send
over 60GB in one instance on my local network though.

In my opinion, the appropriate behavior would be to set some maximum
limit to use in my_net_skip_rest and simply close the connection if
that is exceeded.

How to repeat:
See attached Python script

Suggested fix:
In my opinion, the appropriate behavior would be to set some maximum
limit to use in my_net_skip_rest and simply close the connection if
that is exceeded.
[8 Feb 2010 0:12] Andrew Dalgleish
Verified as described using
mysql-5.5.1-m2-linux-x86_64-glibc23.tar.gz

Doesn't seem exploitable, but sends mysqld to 90% CPU.
[8 Feb 2010 17:46] Andrew Dalgleish
Verified as described with
mysql-advanced-gpl-5.1.40sp1-linux-x86_64-glibc23.tar.gz
[8 Feb 2010 17:53] Andrew Dalgleish
Verified as described using
mysql-enterprise-gpl-5.0.84sp1-linux-x86_64-glibc23.tar.gz
[9 Feb 2010 18:36] Omer Barnir
triage: setting tag to SR51MRU, SR55RC (DoS vector - 5.0+ target)
[20 Apr 2010 0:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/106060

2858 Davi Arnaut	2010-04-19
      Bug#50974: Server keeps receiving big (> max_allowed_packet) packets indefinitely.
      
      The server could be tricked to read packets indefinitely if it
      received a packet larger than the maximum size of one packet.
      This problem is aggravated by the fact that it can be triggered
      before authentication.
      
      The solution is to skip at least twice the maximum packet size.
      If the packet (or following packets) are larger than twice the
      maximum size, an error is returned and the connection is closed.
      Skipping is only performed for authenticated users.
     @ include/mysql_com.h
        Add skip factor. Only used in server builds.
     @ sql/net_serv.cc
        Control the amount of data that can be skipped.
        Similar behavior for client and server.
     @ tests/mysql_client_test.c
        Add test case.
[29 Apr 2010 13:28] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/106945

2860 Davi Arnaut	2010-04-29
      Bug#50974: Server keeps receiving big (> max_allowed_packet) packets indefinitely.
      
      The server could be tricked to read packets indefinitely if it
      received a packet larger than the maximum size of one packet.
      This problem is aggravated by the fact that it can be triggered
      before authentication.
      
      The solution is to not skip big packets for non-authenticated
      sessions. If a big packet is sent before a session is authenticated,
      an error is returned and the connection is closed.
     @ include/mysql_com.h
        Add skip flag. Only used in server builds.
     @ sql/net_serv.cc
        Control whether big packets can be skipped.
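Added illustration of the read policy the commit message describes, modelled in Python; it is not MySQL's own code and not the attached script. It assumes the wire framing the report refers to (3-byte little-endian length, 1-byte sequence id, payload), with `max_allowed_packet`, the 0xFFFFFF chunk limit and an `authenticated` flag standing in for server state, and the packets it reads are constructed.

```python
import io
import struct

MAX_CHUNK = 0xFFFFFF  # the wire protocol splits one logical packet into chunks of at most this size


class ConnectionClosed(Exception):
    """Raised where the modelled server drops the connection instead of reading further."""


def frame(payload: bytes, seq: int = 0) -> bytes:
    """Build one wire packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def read_logical_packet(stream: io.BytesIO, max_allowed_packet: int, authenticated: bool):
    """Read one logical packet with the Bug#50974 policy: an oversized packet closes an
    unauthenticated connection at once (its payload is never consumed); for an
    authenticated session the rest of the packet is skipped and None is returned, where
    the real server replies with a packet-too-large error and carries on."""
    payload = bytearray()
    skipping = False
    while True:
        header = stream.read(4)
        if len(header) < 4:
            raise ConnectionClosed("truncated packet header")
        length = header[0] | (header[1] << 8) | (header[2] << 16)
        if not skipping and len(payload) + length > max_allowed_packet:
            if not authenticated:
                raise ConnectionClosed("packet exceeds max_allowed_packet before authentication")
            skipping = True  # authenticated: discard the remainder of this logical packet
        chunk = stream.read(length)
        if len(chunk) < length:
            raise ConnectionClosed("truncated packet payload")
        if not skipping:
            payload += chunk
        if length < MAX_CHUNK:  # a chunk shorter than the maximum ends the logical packet
            return None if skipping else bytes(payload)


def serve(data: bytes, max_allowed_packet: int, authenticated: bool):
    """Feed a constructed byte stream through the model and return
    (payloads read, bytes consumed, close reason or None)."""
    stream = io.BytesIO(data)
    results = []
    while stream.tell() < len(data):
        try:
            results.append(read_logical_packet(stream, max_allowed_packet, authenticated))
        except ConnectionClosed as exc:
            return results, stream.tell(), str(exc)
    return results, stream.tell(), None
```

The bytes-consumed figure is the point of the fix: before authentication the modelled server stops after the 4-byte header of an oversized packet rather than draining whatever the peer keeps sending.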
[29 Apr 2010 23:20] Davi Arnaut
Queued to mysql-5.0-bugteam and up
[1 May 2010 13:47] Bugs System
Pushed into 5.0.91 (revid:joro@sun.com-20100501134604-ra243s5b389j6ttn) (version source revid:davi.arnaut@sun.com-20100429132816-ictyul6d75itek22) (merge vers: 5.0.91) (pib:16)
[5 May 2010 15:13] Bugs System
Pushed into 5.1.47 (revid:joro@sun.com-20100505145753-ivlt4hclbrjy8eye) (version source revid:davi.arnaut@sun.com-20100429231819-i3anwzrdasjmezvt) (merge vers: 5.1.47) (pib:16)
[7 May 2010 8:15] Lenz Grimmer
This is now tracked as CVE-2010-1849 on http://cve.mitre.org/
[11 May 2010 16:25] Paul Dubois
Noted in 5.0.91, 5.1.47 changelogs.

The server could be tricked into reading packets indefinitely if it
received a packet larger than the maximum size of one packet.
[20 May 2010 14:34] Davi Arnaut
Workaround: set connection_timeout. It's set to 10 by default.
[20 May 2010 14:36] Davi Arnaut
That is, connect_timeout.

http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_connect_timeout
[20 May 2010 19:21] James Day
Please note that if you have high security requirements for your server, you should ensure that you have appropriate firewalls in place to ensure that your server cannot be reached by potential attackers. Good practice also includes measures like having only internet-unroutable IP addresses allocated to the database server.
[28 May 2010 6:11] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (pib:16)
[28 May 2010 6:39] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[28 May 2010 7:07] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:alexey.kopytov@sun.com-20100507161755-e2lpi9tdulcm5njq) (merge vers: 5.5.5-m3) (pib:16)
[28 May 2010 21:46] Paul Dubois
Noted in 5.5.5, 6.0.14 changelogs.
[17 Jun 2010 12:16] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 13:04] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 13:44] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[6 Jul 2010 19:02] Paul Dubois
Noted in 5.1.46sp1 changelog.
[8 Jul 2010 18:53] Bugs System
Pushed into 5.1.49 (revid:sunanda.menon@sun.com-20100708184626-16el4v8gjjci6m1r) (version source revid:sunanda.menon@sun.com-20100708184626-16el4v8gjjci6m1r) (merge vers: 5.1.49) (pib:16)
[8 Jul 2010 19:15] Paul Dubois
Already fixed in 5.1.x.
[4 Aug 2010 7:53] Bugs System
Pushed into mysql-trunk 5.5.6-m3 (revid:alik@sun.com-20100731131027-1n61gseejyxsqk5d) (version source revid:alik@sun.com-20100731074942-o840woifuqioxxe4) (merge vers: 5.5.6-m3) (pib:18)
[4 Aug 2010 8:07] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804080001-bny5271e65xo34ig) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 8:22] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804081533-c1d3rbipo9e8rt1s) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 9:02] Bugs System
Pushed into mysql-next-mr (revid:alik@ibmvm-20100804081630-ntapn8bf9pko9vj3) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (pib:20)
[4 Aug 2010 16:46] Paul Dubois
Not present in any released 5.6.x version.
[14 Oct 2010 8:37] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)
[14 Oct 2010 8:52] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)
[14 Oct 2010 9:07] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)
[14 Oct 2010 14:11] Jon Stephens
Already documented as noted above; setting back to Closed state.