Bug #59453 Non-ASCIIZ string kills protocol extensibility in MySQL 5.5
Submitted: 12 Jan 2011 17:38 Modified: 29 Jan 2011 23:19
Reporter: Andrey Hristov
Status: Closed
Category: MySQL Server: Security: Privileges
Severity: S2 (Serious)
Version: 5.5.x
OS: Any
Assigned to: Georgi Kodinov
CPU Architecture: Any
Triage: Triaged: D2 (Serious)

[12 Jan 2011 17:38] Andrey Hristov
Description:
MySQL 5.5 adds the possibility for different authentication schemes next to the original MySQL authentication. The name of the authentication to be used by default is sent by the server in the first packet to the client. This string is _neither_ ASCIIZ, _nor_ is there a length of the string embedded beforehand. libmysql assumes that the name will run until the end of the packet. This limits the possibility to extend the initial packet because from now on everything until its end will be the name of the authentication.

This is a very serious protocol bug.

How to repeat:
      if (scramble_data + scramble_data_len > pkt_end)
        scramble_data_len= pkt_end - scramble_data;

this is from client.c

Suggested fix:
Null-terminate the string.
[12 Jan 2011 17:40] Andrey Hristov
Full excerpt:
    if (mysql->server_capabilities & CLIENT_PLUGIN_AUTH)
    {
      scramble_data_len= pkt_scramble_len;
      /* the plugin name starts right after the scramble bytes */
      scramble_plugin= scramble_data + scramble_data_len;
      /* clamp the scramble to the packet; the name is taken to run to pkt_end */
      if (scramble_data + scramble_data_len > pkt_end)
        scramble_data_len= pkt_end - scramble_data;
    }
[14 Jan 2011 15:50] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128817

3247 Georgi Kodinov	2011-01-14
      Bug #59453: Non-ASCIIZ string kills protocol extensibility in MySQL 5.5
      
      When the server sends the name of the plugin it's using in the handshake 
      packet it was null terminating it in its buffer, but was sending a length of
      the packet 1 byte short.
      Fixed to send the terminating 0 as well by increasing the length of the 
      packet to include it. 
      In this way the handshake packet becomes similar to the change user packet
      where the plugin name is null terminated.
      No test suite added as the fix can only be observed by analyzing the bytes
      sent over the wire.
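To make the extensibility point of the report and the commit message concrete, here is an added C example (not code from the bug report, libmysql, or the fix) contrasting the two parsing rules for the tail of the handshake packet. It reuses the excerpt's variable names (scramble_plugin, pkt_end); the sample packet and its trailing extension bytes are constructed for illustration and are not a real wire capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parsed tail of the handshake packet: plugin name plus whatever follows it. */
struct plugin_tail {
    const char    *name;     /* start of the plugin name inside the packet */
    size_t         name_len; /* bytes in the name, excluding any terminator */
    const uint8_t *ext;      /* first byte after the terminator, or NULL */
    size_t         ext_len;  /* bytes available for future protocol fields */
};

/* Pre-fix client rule, as in the client.c excerpt: the name is everything
   from scramble_plugin to pkt_end. Any field appended later by the server
   would silently become part of the "name". Returns the bytes consumed. */
static size_t parse_name_to_packet_end(const uint8_t *scramble_plugin,
                                       const uint8_t *pkt_end,
                                       struct plugin_tail *out)
{
    out->name     = (const char *)scramble_plugin;
    out->name_len = (size_t)(pkt_end - scramble_plugin);
    out->ext      = NULL;
    out->ext_len  = 0;
    return out->name_len;
}

/* Post-fix rule: the server now sends the terminating 0, so the name ends
   there and trailing bytes stay available as extensions. Returns 0 (and
   touches nothing) when no terminator exists before pkt_end, so a client
   never reads past the packet on a malformed or pre-fix handshake. */
static int parse_name_nul_terminated(const uint8_t *scramble_plugin,
                                     const uint8_t *pkt_end,
                                     struct plugin_tail *out)
{
    size_t avail = (size_t)(pkt_end - scramble_plugin);
    const uint8_t *nul = memchr(scramble_plugin, 0, avail);
    if (nul == NULL)
        return 0;
    out->name     = (const char *)scramble_plugin;
    out->name_len = (size_t)(nul - scramble_plugin);
    out->ext      = nul + 1;
    out->ext_len  = (size_t)(pkt_end - out->ext);
    return 1;
}

/* Constructed sample, not a wire capture: a null-terminated plugin name
   followed by two hypothetical extension bytes a future server might add. */
static const uint8_t SAMPLE_PKT[] = "mysql_native_password\0" "\x01" "\x02";
#define SAMPLE_PKT_LEN (sizeof(SAMPLE_PKT) - 1) /* drop the literal's own NUL */
```

With the old rule the two extension bytes are swallowed into the name; with the terminator present the name parses cleanly and the extra bytes remain addressable, while a packet lacking the terminator is rejected instead of over-read.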
[24 Jan 2011 14:52] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/129448

3272 Georgi Kodinov	2011-01-14
      Bug #59453: Non-ASCIIZ string kills protocol extensibility in MySQL 5.5
      
      When the server sends the name of the plugin it's using in the handshake 
      packet it was null terminating it in its buffer, but was sending a length of
      the packet 1 byte short.
      Fixed to send the terminating 0 as well by increasing the length of the 
      packet to include it. 
      In this way the handshake packet becomes similar to the change user packet
      where the plugin name is null terminated.
      No test suite added as the fix can only be observed by analyzing the bytes
      sent over the wire.
[24 Jan 2011 15:05] Bugs System
Pushed into mysql-5.5 5.5.10 (revid:georgi.kodinov@oracle.com-20110114154811-9uac3b7a9ra5ipv3) (version source revid:georgi.kodinov@oracle.com-20110114154811-9uac3b7a9ra5ipv3) (merge vers: 5.5.10) (pib:24)
[24 Jan 2011 15:06] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:georgi.kodinov@oracle.com-20110124150524-iicwnfk7dd87w85q) (version source revid:georgi.kodinov@oracle.com-20110124150524-iicwnfk7dd87w85q) (merge vers: 5.6.2) (pib:24)
[24 Jan 2011 15:19] Paul Dubois
Noted in 5.5.10, 5.6.2 changelogs.

The server and client did not always properly negotiate
authentication plugin names.