Bug #9148 Denial of Service
Submitted: 12 Mar 2005 18:54 Modified: 23 Jun 2005 2:31
Reporter: Luca Ercoli Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:4.1.XX/4.0.XX/5.0.XX OS:Microsoft Windows (Windows)
Assigned to: Reggie Burnett

[12 Mar 2005 18:54] Luca Ercoli
Description:
Package: MySQL Database Server for Windows
Version(s): 4.1.9 (Maybe also prior versions are vulnerable)
Vulnerability Type: Denial of Service

Vulnerability Description:
================

A vulnerability exist in the way application handle requests
containing reserved MS-DOS devices name (AUX,CON,COM1,LPT1 and PRN).
This flaw allows an authenticaded user with at least one of those
privileges on *.*:

- REFERENCES
- CREATE TEMPORARY TABLES
- GRANT OPTION
- CREATE
- SELECT

to cause the service to fail.

How to repeat:
1- Create an user account:

(connected as 'root')

use mysql; 
INSERT INTO user (Host,User,Password) VALUES('%','customer',PASSWORD('customer'));

2- Grant to him one or more privileges reported above:

(connected as 'root')

GRANT CREATE TEMPORARY TABLES ON *.* TO 'customer'@'%';
flush privileges;

3- Connect to server using new account and 'use' the database 'LPT1':

(connected as 'customer')
use LPT1;
[12 Mar 2005 19:21] Godofredo Miguel Solorzano
Thank you for the bug report. I will back with the call stack from
latest BK source.
[12 Mar 2005 22:21] Godofredo Miguel Solorzano
I noticed that the crash happens on release servers i.e.: mysqld-nt.exe
and the debug server or return an error as database unknown or the
client hangs. Below the call stack of release server 4.1.11;

>	mysqld-nt.exe!_my_vsnprintf()  + 0x130	C
 	mysqld-nt.exe!net_printf()  + 0x92	C++
 	mysqld-nt.exe!mysql_change_db()  + 0x196	C++
 	mysqld-nt.exe!dispatch_command()  + 0xfb	C++
 	mysqld-nt.exe!do_command()  + 0xa7	C++
 	mysqld-nt.exe!_handle_one_connection()  + 0x1ed	C++
 	mysqld-nt.exe!_pthread_create()  + 0xcb	C
 	mysqld-nt.exe!__beginthread()  + 0xce	
 	ntdll.dll!7c9106eb() 	
 	kernel32.dll!7c80b50b() 	
 	ntdll.dll!7c9106eb() 	
 	kernel32.dll!7c8399f3()
[13 Mar 2005 15:50] Mike Hillyer
My own testing shows USE LPT1; and USE PRN; to be the only server
crashers. NUL, CON, COM1, and AUX do not crash the server, but actually
report the database successfully changed.
[26 Mar 2005 21:33] Sergei Golubchik
It's CAN-2005-0799
[6 May 2005 15:52] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/24584
[21 May 2005 17:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/25161
[23 May 2005 19:43] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/25190
[23 May 2005 19:45] Reggie Burnett
Fixed in 4.1.13 and 5.0.7 trees
[1 Jun 2005 3:41] Paul Dubois
Noted in 4.1.13, 5.0.7 changelogs.
[16 Jun 2005 13:23] Carsten Segieth
The problem still exists using the "official" 5.0.7-beta binaries (reproducible on different WinXP Home machines). 
With 'bk changes' in a 5.0 tree the fixes can be seen (prior the clone for the 5.0.7 build was made), but in the ChangeLog shipped with the 5.0.7-beta package no reference to the fix could be found.
[21 Jun 2005 18:37] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/26261
[22 Jun 2005 15:37] Reggie Burnett
Fixed (again) in 4.1.13 and 5.0.8
[23 Jun 2005 2:31] Jon Stephens
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

Documented in 4.1.13 and 5.0.8 changelogs; included ref to CAN-2005-0799; closed.