
Team SHATTER Security Alert

MySQL: Buffer Overflow in User Defined Functions

Risk level: Low

Credits: This vulnerability was discovered and researched by Reid Borsuk of Application Security Inc.

Affected Versions:
ALL

Background:
User-defined functions in MySQL allow a user in the database to call binary libraries on the operating system. Creating a user-defined function requires insert privileges on the mysql.func table.

Details:
The init_syms() function uses an unsafe string function to copy a user-specified string into a stack-based buffer. Because the length of the string is not checked against the size of the buffer, the buffer can be overflowed, overwriting portions of the stack. This allows an attacker to write 14 bytes of arbitrary data and 8 bytes of hard-coded data beyond the end of the buffer.

The format of the CREATE FUNCTION statement is as follows:

CREATE FUNCTION function_name RETURNS type SONAME "library_name"

User-specified input to the "function_name" field is limited to 64 characters. If the named library can be successfully loaded by the operating system, control is then passed to init_syms(), which attempts to copy the user string into a buffer 50 bytes in length. Hard-coded strings are then copied onto the end of this string. In some older versions of MySQL this can be used to gain complete control over the EIP or to copy attacker-specified data to an arbitrary location.

A further concern is that this buffer is owned by the calling function: in an environment with a stack that grows upwards, it may be possible to overwrite the saved return address (EIP) or other sensitive values.
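The arithmetic above, and the bounds check that prevents it, as an added illustration that is not MySQL's code: the sizes (a 64-character name limit, a 50-byte buffer) are taken from this advisory, while the "_init" and "_deinit" suffixes are assumed from the MySQL UDF naming convention and stand in for the hard-coded strings the advisory mentions; overflow_bytes() and build_udf_symbol() are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Sizes from the advisory: 64-character name limit, 50-byte stack buffer. */
#define UDF_NAME_MAX 64
#define SYM_BUF_SIZE 50

/* Hypothetical helper: how many bytes an unchecked copy of
 * name + suffix + NUL terminator would write past the end of a
 * buf_size-byte buffer (0 if it fits). */
size_t overflow_bytes(size_t name_len, size_t buf_size, const char *suffix)
{
    size_t needed = name_len + strlen(suffix) + 1; /* +1 for the terminator */
    return needed > buf_size ? needed - buf_size : 0;
}

/* Hypothetical hardened builder: writes "<name><suffix>" into dst only if
 * it fits, terminator included. Returns 0 on success and -1 when the name
 * would not fit, in which case the caller must reject the CREATE FUNCTION. */
int build_udf_symbol(char *dst, size_t dst_size, const char *name, const char *suffix)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    if (overflow_bytes(strlen(name), dst_size, suffix) != 0) {
        dst[0] = '\0';
        return -1;
    }
    /* snprintf cannot overrun dst; the length check above also rules out truncation. */
    snprintf(dst, dst_size, "%s%s", name, suffix);
    return 0;
}

int main(void)
{
    char buf[SYM_BUF_SIZE];
    char longname[UDF_NAME_MAX + 1];            /* constructed 64-character name */
    memset(longname, 'A', UDF_NAME_MAX);
    longname[UDF_NAME_MAX] = '\0';

    printf("myfunc_init fits: %s\n",
           build_udf_symbol(buf, sizeof buf, "myfunc", "_init") == 0 ? "yes" : "no");
    /* 64 + 7 + 1 = 72 bytes needed, 50 available: 22 bytes past the end,
     * i.e. 14 bytes of the name plus the 8-byte hard-coded "_deinit\0". */
    printf("64-char name + \"_deinit\": rejected, would overrun by %zu bytes\n",
           overflow_bytes(strlen(longname), sizeof buf, "_deinit"));
    return 0;
}
```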

Exploiting this vulnerability requires the ability to create user-defined functions. This is not typically granted to untrusted users; however, given this vulnerability, the ramifications of granting the ability to create user-defined functions should be understood.

Workaround:
Restrict the ability to create user-defined functions (that is, insert privileges on the mysql.func table) to trusted users.

Vendor Status:
Vendor was contacted and a patch was released.

Fix:
The fix is included in MySQL 4.0.25, 4.1.13 and 5.0.7-beta. These releases can be found here: http://dev.mysql.com/downloads/