===========================================================
Advanced Information Security Corporation Security Advisory
===========================================================

                   ~ Keeping Things Simple! ~

MySQL v5.6.24 BUFFER OVERFLOWS

Date:   07/10/2015
Author: Nicholas Lemonias

============================================================

======================== SUMMARY =========================

During a manual source code audit of MySQL version 5.6.24, several
buffer overflow issues were identified.

=================== TECHNICAL DETAILS ===================

    root@priv8:~# /usr/bin/mysql_plugin `perl -e 'print "X" x 9000'`
    *** buffer overflow detected ***: mysql_plugin terminated
    ======= Backtrace: =========
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c6f3)[0xb720d6f3]
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb729b2d5]
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xf838a)[0xb729938a]
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]   <-- insecure call
    mysql_plugin(main+0x202)[0xb752ee22]
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb71baa63]
    mysql_plugin(+0xa90d)[0xb752f90d]
    ======= Memory map: ========
    [memory map omitted]

    Program received signal SIGABRT, Aborted.
    0xb7fdebe0 in __kernel_vsyscall ()
    (gdb) bt
    #0  0xb7fdebe0 in __kernel_vsyscall ()
    #1  0xb7caa307 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #2  0xb7cab9c3 in __GI_abort () at abort.c:89
    #3  0xb7ce86f8 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0xb7ddbe55 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
    #4  0xb7d762d5 in __GI___fortify_fail (msg=msg@entry=0xb7ddbdd6 "buffer overflow detected") at fortify_fail.c:31
    #5  0xb7d7438a in __GI___chk_fail () at chk_fail.c:28
    #6  0xb7d73877 in __strcpy_chk (dest=0xbffe8c9c 'A' <repeats 200 times>..., src=0xbffe96ed 'A' <repeats 200 times>..., destlen=<optimized out>) at strcpy_chk.c:60
    #7  0x80009e22 in main ()
    (gdb) disas
    Dump of assembler code for function __kernel_vsyscall:
       0xb7fdebd0 <+0>:     push   %ecx
       0xb7fdebd1 <+1>:     push   %edx
       0xb7fdebd2 <+2>:     push   %ebp
       0xb7fdebd3 <+3>:     mov    %esp,%ebp
       0xb7fdebd5 <+5>:     sysenter
       0xb7fdebd7 <+7>:     nop
       0xb7fdebd8 <+8>:     nop
       0xb7fdebd9 <+9>:     nop
       0xb7fdebda <+10>:    nop
       0xb7fdebdb <+11>:    nop
       0xb7fdebdc <+12>:    nop
       0xb7fdebdd <+13>:    nop
       0xb7fdebde <+14>:    int    $0x80
    => 0xb7fdebe0 <+16>:    pop    %ebp
       0xb7fdebe1 <+17>:    pop    %edx
       0xb7fdebe2 <+18>:    pop    %ecx
       0xb7fdebe3 <+19>:    ret
    End of assembler dump.
    (gdb)

============================ TECHNICAL SYNOPSIS / POC #2 ============================

Unsafe use of strcpy; this can lead to a buffer overflow condition:

    -----> /lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]

A user-supplied string from the command line is copied to a fixed-length
destination buffer. The abort above is raised by glibc's _FORTIFY_SOURCE
check in __strcpy_chk, which detected the overrun of the destination buffer
and terminated the process.
-----------------[ mysql_plugin.c ]-------------------------------

Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c

    strcpy(plugin_name, argv[i]);

Permission set:

    -rwxr-xr-x 1 root root 2833756 Jul 15 21:22 /usr/bin/mysql_plugin

===============================================
MySQL V 5.6.24 VULNERABILITIES - SOURCE CODE
===============================================

1. Insecure use of sprintf.

   Vulnerability Description: A char* is copied to a fixed-length destination
   buffer. This could lead to a buffer overflow.

   Line: 577 - Filename: ../mysql/mysql-5.6.24/regex/main.c

       sprintf(efbuf, "MY_REG_%s", name);

2. Unsafe use of strcpy; could lead to an overflow condition.

   Vulnerability Description: A user-supplied string from the command line is
   copied to a fixed-length destination buffer. This could lead to a buffer
   overflow.

   Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c

       strcpy(plugin_name, argv[i]);

3. Unsafe use of strcpy; could lead to an overflow condition.

   Vulnerability Description: A user-supplied string from the command line is
   copied to a fixed-length destination buffer. This could lead to a buffer
   overflow.

   Line: 797 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c

       strcpy(config_file, argv[i]);

4. Insecure use of sprintf.

   Vulnerability Description: A char* is copied to a fixed-length destination
   buffer. This could lead to a buffer overflow.

   Line: 544 - Filename: ../mysql/mysql-5.6.24/regex/main.c

       sprintf(grump, "matched null at `%.20s'", p);

5. Insecure use of sprintf.

   Vulnerability Description: A char* is copied to a fixed-length destination
   buffer. This could lead to a buffer overflow.

   Line: 525 - Filename: ../mysql/mysql-5.6.24/regex/main.c

       sprintf(grump, "matched `%.*s'", len, p);

6. Unsafe use of strcpy; could lead to an overflow condition.

   Vulnerability Description: A user-supplied string from the command line is
   copied to a fixed-length destination buffer. This could lead to a buffer
   overflow.

   Line: 413 - Filename: ./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/dblqh/redoLogReader/reader.cpp

       strcpy(fileName, argv[1]);

7. Insecure use of sprintf.

   Vulnerability Description: A char* is copied to a fixed-length destination
   buffer. This could lead to a buffer overflow.

   Line: 531 - Filename: ../mysql/mysql-5.6.24/regex/main.c

       sprintf(grump, "matched `%.*s' instead", len, p);

8. Insecure use of sprintf.

   Vulnerability Description: A char* is copied to a fixed-length destination
   buffer. This could lead to a buffer overflow.

   Line: 710 - Filename: ../mysql/mysql-5.6.24/client/mysqlshow.c

       sprintf(query, "select count(*) from `%s`", table);

9. Insecure use of sprintf.

   Vulnerability Description: A char* is copied to a fixed-length destination
   buffer. This could lead to a buffer overflow.

   Line: 121 - Filename: ../mysql/mysql-5.6.24/libmysql/conf_to_src.c

       sprintf(buf, "%s.conf", set);

10. Unsafe use of strcpy; could lead to an overflow condition.

    Vulnerability Description: A char* is copied to a fixed-length destination
    buffer. This could lead to a buffer overflow.

    Line: 784 - Filename: ./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/PosixAsyncFile.cpp

        strcpy(path, src);

11. Unsafe use of strcpy; could lead to an overflow condition.

    Vulnerability Description: A char* is copied to a fixed-length destination
    buffer. This could lead to an overflow.

    Line: 377 - Filename: ./mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/Win32AsyncFile.cpp

        strcpy(path, src);    <<< Size of path is PATH_MAX (256)
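As an added example (not MySQL's code), the two patterns listed above, strcpy from argv into a fixed buffer and sprintf with a %s into a fixed buffer, rewritten as bounded copies that fail closed when the input does not fit; BUF_LEN, the helper names and the 9000-byte argument are constructed for this example and do not reflect the real buffer sizes in the files cited.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen() */
#include <stdio.h>
#include <string.h>

/* Added example, not MySQL source. BUF_LEN and the helper names are
 * constructed; the real destination sizes live in the files listed above. */
#define BUF_LEN 64

/* Bounded replacement for strcpy(plugin_name, argv[i]). Returns 0 on success,
 * -1 if arg plus its NUL does not fit. Rejecting beats truncating: a silently
 * shortened plugin name or config path would refer to a different object. */
static int copy_arg_bounded(char *dst, size_t dst_len, const char *arg)
{
    if (dst == NULL || arg == NULL || dst_len == 0)
        return -1;
    size_t n = strnlen(arg, dst_len);  /* never scans past dst_len bytes */
    if (n >= dst_len)                  /* no room for the terminator */
        return -1;
    memcpy(dst, arg, n + 1);           /* n + 1 copies the NUL as well */
    return 0;
}

/* Bounded replacement for sprintf(query, "select count(*) from `%s`", table).
 * snprintf() reports the length the full string would have had, so a value
 * >= buf_len means truncation and the query must not be sent. */
static int format_count_query(char *buf, size_t buf_len, const char *table)
{
    int n = snprintf(buf, buf_len, "select count(*) from `%s`", table);
    if (n < 0 || (size_t)n >= buf_len)
        return -1;
    return n;                          /* bytes written, excluding the NUL */
}

/* Constructed stand-in for the PoC's 9000-character command-line argument. */
static const char *long_arg(void)
{
    static char arg[9001];
    memset(arg, 'X', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    return arg;
}

int main(void)
{
    char plugin_name[BUF_LEN], query[128];
    printf("short arg : %d\n", copy_arg_bounded(plugin_name, sizeof plugin_name, "my_plugin"));
    printf("9000 bytes: %d\n", copy_arg_bounded(plugin_name, sizeof plugin_name, long_arg()));
    printf("query     : %d\n", format_count_query(query, sizeof query, "t1"));
    return 0;
}
```

Building MySQL with _FORTIFY_SOURCE only converts the overrun into an abort, as the backtrace above shows; the bounded copy is what removes the overflow.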