How-To-Repeat: MySQL 3.23.54a can be crased with a exploit for 3.23.53
am 21.01.2003 14:36:20 von Dennis KruytHow-To-Repeat:
Hi,
When I try the hoagie_mysql exploit from http://void.at/releases.html on
a 3.23.54a MySQL server (witch sould be safe) then i can crash the
database with this.
How did I do it?
I start hoagie_mysql with a valid db user (not root). Then press ctrl-c
(abort) and start the tool again. Now the tool has reported that the
attack has failed. But the MySQL db is restarted if i look in the error
log and some normal connectie to the database then will fail. I have
tried it on several server with success.
###
packages:/opt/pkgs# ./hoagie_mysql -u qwerty -p ytrewq connecting to
[localhost] as [qwerty] ... ok sending one byte requests with user
[root] ...
[CTRL-C]
packages:/opt/pkgs# ./hoagie_mysql -u qwerty -p ytrewq connecting to
[localhost] as [qwerty] ... ok sending one byte requests with user
[root] ... attack failed
### Mysql.err log:
030121 12:36:16 mysqld restarted
030121 12:36:17 InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections
mysqld got signal 11;
This could be because you hit a bug. It is also possible that this
binary or one of the libraries it was linked against is corrupt,
improperly built, or misconfigured. This error can also be caused by
malfunctioning hardware. We will try our best to scrape up some info
that will hopefully help diagnose the problem, but since we have already
crashed, something is definitely wrong and this may fail
key_buffer_size=3D16773120
record_buffer=3D131072
sort_buffer=3D524280
max_used_connections=3D0
max_connections=3D100
threads_connected=3D1
It is possible that mysqld could use up to
key_buffer_size + (record_buffer + sort_buffer)*max_connections =3D =
80379
K bytes of memory Hope that's ok, if not, decrease some variables in the
equation
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong... Stack range sanity check OK, backtrace follows:
0x80c46b4 0x40022f54 0x4014847a 0x40148074 0x829039e 0x829086d 0x80af85d
0x80c9c26 Stack trace seems successful - bottom reached Please read
http://www.mysql.com/doc/U/s/Using_stack_trace.html and follow
instructions on how to resolve the stack trace. Resolved stack trace is
much more helpful in diagnosing the problem, so please do resolve it
Trying to get some variables. Some pointers may be invalid and cause the
dump to abort...
thd->query at (nil) is invalid pointer
thd->thread_id=3D2
Successfully dumped variables, if you ran with --log, take a look at the
details of what thread 2 did to cause the crash. In some cases of
really bad corruption, the values shown above may be invalid
The manual page at http://www.mysql.com/doc/C/r/Crashing.html contains
information that should help you find out what is causing the crash
Number of processes running now: 0
030121 12:37:56 mysqld restarted
030121 12:37:57 InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections
packages:~# mysqld --version
mysqld Ver 3.23.54 for pc-linux on i686
mysql> select * from db;
+--------------+--------+--------+-------------+------------ -+----------
---+-------------+-------------+-----------+------------+--- ------------
--+------------+------------+
| Host | Db | User | Select_priv | Insert_priv |
Update_priv | Delete_priv | Create_priv | Drop_priv | Grant_priv |
References_priv | Index_priv | Alter_priv |
+--------------+--------+--------+-------------+------------ -+----------
---+-------------+-------------+-----------+------------+--- ------------
--+------------+------------+
| 192.168.1.76 | qwerty | qwerty | Y | Y | Y
| Y | Y | Y | N | N |
Y | Y |
| localhost | qwerty | qwerty | Y | Y | Y
| Y | Y | Y | N | N |
Y | Y |
| packages | qwerty | qwerty | Y | Y | Y
| Y | Y | Y | N | N |
Y | Y |
+--------------+--------+--------+-------------+------------ -+----------
---+-------------+-------------+-----------+------------+--- ------------
--+------------+------------+
3 rows in set (0.00 sec)
mysql> select * from user;
+--------------+--------+------------------+-------------+-- -----------+
-------------+-------------+-------------+-----------+------ -------+----
-----------+--------------+-----------+------------+-------- ---------+--
----------+------------+
| Host | User | Password | Select_priv | Insert_priv |
Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv |
Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv
| Index_priv | Alter_priv |
+--------------+--------+------------------+-------------+-- -----------+
-------------+-------------+-------------+-----------+------ -------+----
-----------+--------------+-----------+------------+-------- ---------+--
----------+------------+
| localhost | root | 5fcc735428e45938 | Y | Y |
Y | Y | Y | Y | Y | Y
| Y | Y | Y | Y | Y |
Y |
| packages | root | 5fcc735428e45938 | Y | Y |
Y | Y | Y | Y | Y | Y
| Y | Y | Y | Y | Y |
Y |
| 192.168.1.76 | qwerty | 492dda525cdd081f | N | N |
N | N | N | N | N | N
| N | N | N | N | N |
N |
| localhost | qwerty | 492dda525cdd081f | N | N |
N | N | N | N | N | N
| N | N | N | N | N |
N |
| packages | qwerty | 492dda525cdd081f | N | N |
N | N | N | N | N | N
| N | N | N | N | N |
N |
+--------------+--------+------------------+-------------+-- -----------+
-------------+-------------+-------------+-----------+------ -------+----
-----------+--------------+-----------+------------+-------- ---------+--
----------+------------+
5 rows in set (0.00 sec)
Ragards,
=20
Dennis Kruyt,
------------------------------------------------------------ ---------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail bugs-thread13543@lists.mysql.com
To unsubscribe, e-mail