MySQL 3.23.54a can be crashed with an exploit for 3.23.53
on 21.01.2003 14:32:13 by Dennis Kruyt
Hi,
When I try the hoagie_mysql exploit from http://void.at/releases.html
on a 3.23.54a MySQL server (which should be safe), I can crash the
database with it.
How did I do it?
I start hoagie_mysql with a valid db user (not root). Then I press Ctrl-C
(abort) and start the tool again. Now the tool reports that the
attack has failed. But the MySQL db is restarted if I look in the error
log, and some normal connections to the database will then fail. I have
tried it on several servers with success.
###
packages:/opt/pkgs# ./hoagie_mysql -u qwerty -p ytrewq
connecting to [localhost] as [qwerty] ... ok
sending one byte requests with user [root] ...
[CTRL-C]
packages:/opt/pkgs# ./hoagie_mysql -u qwerty -p ytrewq
connecting to [localhost] as [qwerty] ... ok
sending one byte requests with user [root] ...
attack failed
### Mysql.err log:
030121 12:36:16 mysqld restarted
030121 12:36:17 InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections
mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail
key_buffer_size=16773120
record_buffer=131072
sort_buffer=524280
max_used_connections=0
max_connections=100
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (record_buffer + sort_buffer)*max_connections = 80379 K
bytes of memory
Hope that's ok, if not, decrease some variables in the equation
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Stack range sanity check OK, backtrace follows:
0x80c46b4
0x40022f54
0x4014847a
0x40148074
0x829039e
0x829086d
0x80af85d
0x80c9c26
Stack trace seems successful - bottom reached
Please read http://www.mysql.com/doc/U/s/Using_stack_trace.html and
follow instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at (nil) is invalid pointer
thd->thread_id=2
Successfully dumped variables, if you ran with --log, take a look at the
details of what thread 2 did to cause the crash. In some cases of really
bad corruption, the values shown above may be invalid
The manual page at http://www.mysql.com/doc/C/r/Crashing.html contains
information that should help you find out what is causing the crash
Number of processes running now: 0
030121 12:37:56 mysqld restarted
030121 12:37:57 InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections
packages:~# mysqld --version
mysqld Ver 3.23.54 for pc-linux on i686
mysql> select * from db;
+--------------+--------+--------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+
| Host         | Db     | User   | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+--------------+--------+--------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+
| 192.168.1.76 | qwerty | qwerty | Y           | Y           | Y           | Y           | Y           | Y         | N          | N               | Y          | Y          |
| localhost    | qwerty | qwerty | Y           | Y           | Y           | Y           | Y           | Y         | N          | N               | Y          | Y          |
| packages     | qwerty | qwerty | Y           | Y           | Y           | Y           | Y           | Y         | N          | N               | Y          | Y          |
+--------------+--------+--------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+
3 rows in set (0.00 sec)
mysql> select * from user;
+--------------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| Host         | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+--------------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| localhost    | root   | 5fcc735428e45938 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          |
| packages     | root   | 5fcc735428e45938 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          |
| 192.168.1.76 | qwerty | 492dda525cdd081f | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
| localhost    | qwerty | 492dda525cdd081f | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
| packages     | qwerty | 492dda525cdd081f | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
+--------------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
5 rows in set (0.00 sec)
Regards,

Dennis Kruyt,
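The post's key observation is that the client-side tool says "attack failed" while the server's error log shows a signal 11 crash and a restart, so the server log, not the client output, is what tells a DBA whether something happened. The following is an added example, not code from the post or from MySQL, that scans a mysql.err-style log for "mysqld restarted" and "mysqld got signal N" lines, flags restarts that follow each other within a short window, and recomputes mysqld's own memory estimate (key_buffer_size + (record_buffer + sort_buffer)*max_connections) from the dumped variables. The sample log text is constructed to mirror the excerpt above; the window size and function names are the example's own choices.

```python
"""Scan a MySQL 3.23-style error log for crash/restart evidence.

Added example; not part of the original mailing-list post. The sample log
below is constructed to match the mysql.err format shown in the post
(YYMMDD HH:MM:SS prefix, "mysqld restarted", "mysqld got signal N;").
"""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the mysql.err excerpt in the post.
SAMPLE_LOG = """\
030121 12:36:16  mysqld restarted
030121 12:36:17  InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections
mysqld got signal 11;
This could be because you hit a bug.
key_buffer_size=16773120
record_buffer=131072
sort_buffer=524280
max_used_connections=0
max_connections=100
threads_connected=1
thd->thread_id=2
030121 12:37:56  mysqld restarted
030121 12:37:57  InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections
"""

RESTART_RE = re.compile(r"^(\d{6} \d{2}:\d{2}:\d{2})\s+mysqld restarted")
SIGNAL_RE = re.compile(r"^mysqld got signal (\d+);")
# Matches the plain "name=number" variable dump; "thd->..." lines are skipped
# on purpose because '-' and '>' are not word characters.
VAR_RE = re.compile(r"^(\w+)=(\d+)$")


def parse_error_log(text):
    """Return (restart timestamps, crash signal numbers, dumped variables)."""
    restarts, signals, variables = [], [], {}
    for line in text.splitlines():
        m = RESTART_RE.match(line)
        if m:
            restarts.append(datetime.strptime(m.group(1), "%y%m%d %H:%M:%S"))
            continue
        m = SIGNAL_RE.match(line)
        if m:
            signals.append(int(m.group(1)))
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = int(m.group(2))
    return restarts, signals, variables


def rapid_restarts(restarts, window):
    """Count restarts that occur within `window` of the previous restart.

    A value above zero on a server that is not being administered is a
    crash-loop indicator worth alerting on.
    """
    ordered = sorted(restarts)
    return sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= window)


def estimated_max_memory_kb(v):
    """mysqld's own estimate: key_buffer_size + (record_buffer + sort_buffer)*max_connections, in K."""
    total = v["key_buffer_size"] + (v["record_buffer"] + v["sort_buffer"]) * v["max_connections"]
    return total // 1024


def analyse(text, window=timedelta(minutes=5)):
    """Summarise crash evidence in one error-log text (window is an assumed default)."""
    restarts, signals, variables = parse_error_log(text)
    return {
        "restarts": len(restarts),
        "signal_crashes": len(signals),
        "rapid_restarts": rapid_restarts(restarts, window),
        "est_max_memory_kb": estimated_max_memory_kb(variables) if variables else None,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample the summary reports two restarts, one signal 11 crash, one rapid restart (the second restart follows the first by 100 seconds), and an estimated maximum of 80379 K, which matches the figure mysqld printed in the post. Running the same scan over a real mysql.err is a cheap way to notice that a supposedly patched server is still being taken down, even when the client-side tool claims its attempt failed.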