Bug #7187 MySQL crashes at old-hashed client authorization
Submitted: 10 Dec 2004 22:54 Modified: 11 Dec 2004 9:01
Reporter: Alexander Drozdov Email Updates:
Status: Closed Impact on me:
Category:MySQL Server Severity:S1 (Critical)
Version:4.1.7 OS:Any (all)
Assigned to: Sergei Golubchik CPU Architecture:Any

[10 Dec 2004 22:54] Alexander Drozdov
A. sql/sql_parce.cc:877:
  uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
    *passwd++ : strlen(passwd);

B. sql/sql_acl.cc:650:
        /* check password: it should be empty or valid */
        if (passwd_len == acl_user_tmp->salt_len)
          if (acl_user_tmp->salt_len == 0 ||
              (acl_user_tmp->salt_len == SCRAMBLE_LENGTH ?
              check_scramble(passwd, thd->scramble, acl_user_tmp->salt) :
              check_scramble_323(passwd, thd->scramble,
                                 (ulong *) acl_user_tmp->salt)) == 0)

C. sql/password.c:208 (check_scramble_323):
  char buff[16],*to,extra;                      /* Big enough for check */
  const char *pos;

  for (pos=scrambled ; *pos ; pos++)
    *to++=(char) (floor(my_rnd(&rand_st)*31)+64);

In A, if CLIENT_SECURE_CONNECTION is enabled and passwd[0]==SCRAMBLE_LENGTH_323, then check_scramble_323() will be called. But the password string may not be null-terminated in this case. Therefore, there will be buffer overflow in C.

Note that this affects only users which have old-hashed passwords. Attacker should know only a name of that user.

Sorry for my English, please.

How to repeat:
Create a user with old-style password. Apply this patch to libmysqlclient and run 'mysql --user=username --password=anyword':
diff -r mysql-4.1.7.orig/sql-common/client.c mysql-4.1.7/sql-common/client.c
<   char                buff[NAME_LEN+USERNAME_LENGTH+100];
>   char                buff[NAME_LEN+USERNAME_LENGTH+100+512];
<       *end++= SCRAMBLE_LENGTH;
<       scramble(end, mysql->scramble, passwd);
<       end+= SCRAMBLE_LENGTH;
>       *end++= SCRAMBLE_LENGTH_323;
>       memset(end,0xff,512);
>       end+=512;
> /*       *end++= SCRAMBLE_LENGTH; */
> /*       scramble(end, mysql->scramble, passwd); */
> /*       end+= SCRAMBLE_LENGTH; */

Suggested fix:
More strong checking of a client data is needed.
[11 Dec 2004 9:01] Sergei Golubchik
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at

Additional info:

fixed in 4.1.8