2002-2005 K-OTiK Security © Research and Monitoring Team 24/24 & 7/7
----------------------------------------------------------------------
-- 11 Mar. 2005 #1 --
----------------------------------------------------------------------

- Mysql 4.x "CREATE FUNCTION" Arbitrary Code Execution Exploit
  ## Mysql CREATE FUNCTION libc arbitrary code execution ##
  ## Vulnerable: Mysql <= 4.0.23, 4.1.10 ##
  ## KOTIK/ADV-2005-0252
  Exploit - http://www.k-otik.com/exploits/20050310.mysqllibc.php
  Advisory - http://www.k-otik.com/english/advisories/2005/0252

- Mysql 4.x "CREATE FUNCTION" Arbitrary Library Injection Exploit
  ## Mysql CREATE FUNCTION func table arbitrary library injection ##
  ## Vulnerable: Mysql <= 4.0.23, 4.1.10 ##
  ## KOTIK/ADV-2005-0252
  Exploit - http://www.k-otik.com/exploits/20050310.mysqlcreate.php

----------------------------------------------------------------------
RSS / XML : http://www.k-otik.com/exploits.xml
----------------------------------------------------------------------
Copyright © 2002-2005 K-OTiK Security
----------------------------------------------------------------------
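Two defender-side checks that follow from the advisory above, as an added example that is not part of the K-OTiK advisory, the MySQL project or this bug report: a version triage that uses the advisory's vulnerable range (<= 4.0.23, 4.1.10) and the fixed releases named later in this thread (4.0.24, 4.1.10a), and an audit of the rows in the mysql.func table that the second advisory item concerns. The mysql.func rows are constructed sample data, and the allowed UDF directory (/usr/lib/mysql/) is an assumption for the example, since MySQL 4.0 has no plugin_dir setting.

```python
"""Added example (not from the K-OTiK advisory or the Gentoo bug): two
defender-side checks for KOTIK/ADV-2005-0252 ("CREATE FUNCTION" library
loading). Version bounds come from the advisory (<= 4.0.23, 4.1.10 vulnerable)
and the fixed releases named in this thread (4.0.24, 4.1.10a)."""
import os
import re

# First release on each affected branch that is NOT vulnerable.
FIXED_RELEASE = {
    (4, 0): (4, 0, 24, ""),
    (4, 1): (4, 1, 10, "a"),
}

# major.minor.patch plus an optional single-letter suffix such as the "a" in 4.1.10a.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text):
    """'4.1.10a' -> (4, 1, 10, 'a'); Gentoo revisions like '4.0.24-r1' parse as 4.0.24."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised MySQL version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_vulnerable(version):
    """True if the version falls inside the advisory's range, False if it is at or
    past the fixed release, None if the branch is not covered by the advisory."""
    v = parse_version(version)
    fixed = FIXED_RELEASE.get(v[:2])
    if fixed is None:
        return None
    # Tuple ordering sorts "" before "a", so 4.1.10 < 4.1.10a as required.
    return v < fixed


def audit_func_rows(rows, allowed_dirs=("/usr/lib/mysql/",)):
    """Flag mysql.func rows (name, dl) whose shared object is loaded from somewhere
    other than the expected directory. allowed_dirs is an assumption for this
    example: MySQL 4.0 has no plugin_dir setting, so use the directory your
    build installs UDFs into."""
    findings = []
    for name, dl in rows:
        reasons = []
        parts = dl.split("/")
        if os.path.isabs(dl) and not any(dl.startswith(d) for d in allowed_dirs):
            reasons.append("absolute path outside the allowed UDF directory")
        if ".." in parts:
            reasons.append("parent-directory component in library path")
        base = os.path.basename(dl)
        if base.startswith("libc.") or base.startswith("libc-"):
            reasons.append("library is the C runtime itself")
        if reasons:
            findings.append((name, dl, reasons))
    return findings


# Constructed sample rows, as SELECT name, dl FROM mysql.func might return them.
SAMPLE_FUNC_ROWS = [
    ("metaphon", "udf_example.so"),                  # bare name: dynamic-loader search path
    ("lookup_ext", "/usr/lib/mysql/udf_lookup.so"),  # inside the allowed directory
    ("sys_helper", "/tmp/helper.so"),                # world-writable location
    ("myfunc", "/lib/libc.so.6"),                    # the advisory's libc case
    ("rel_escape", "../../lib/libc.so.6"),           # relative traversal to libc
]


def audit_sample():
    """Run the audit over the constructed rows; returns the flagged entries."""
    return audit_func_rows(SAMPLE_FUNC_ROWS)


if __name__ == "__main__":
    for v in ("4.0.23", "4.0.24", "4.1.10", "4.1.10a", "5.0.2"):
        print(v, is_vulnerable(v))
    for name, dl, reasons in audit_sample():
        print(name, dl, "; ".join(reasons))
```

On a live server the rows would come from `SELECT name, dl FROM mysql.func`; any flagged entry is worth comparing against the UDFs an administrator actually installed, since the advisory's second item is precisely that the func table can name an arbitrary library.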
Mysql please verify and advise.
4.0.24 is not noted as vulnerable. As 4.0.24 is tagged in MySQL's BK tree (and will be released soon my sources say), does anybody know if it has been tested for being vulnerable even?
4.0.24 is noted as the solution. which answers the question I think :)
one extra reason to go 4.0.24 http://secunia.com/advisories/14547/ it's the same reporter with one extra exploitation vector
4.0.24 is out. Robin please provide an updated ebuild.
The author's page at http://www.k-otik.com/english/advisories/2005/0252 has 3 vulnerabilities. The other page at http://secunia.com/advisories/14547/ has only 2 vulnerabilities, which I find strange. Upstream has released 4.1.10a, but they don't seem to have 4.0.24 out yet when I checked a moment ago. I'd expect it to be released in a matter of hours. It fixes a lot of problems with 4.0.2[23], and it's been a long time in coming. I'm just heading to bed now.
*** Bug 84859 has been marked as a duplicate of this bug. ***
*** Bug 84924 has been marked as a duplicate of this bug. ***
4.0.24 has been released http://dev.mysql.com/downloads/mysql/4.0.html
as 4.0.24 and 4.1.10a have been released, is there any schedule for those versions to hit the portage tree?!
I'm busy testing 4.0.24 now, I should get it out to ~arch in a few hours.
Ok, 4.0.24-r0 and 4.0.24-r1 are in the tree now as ~arch. 4.0.24-r0 is based strictly off 4.0.23 (with the addition of a src_test function). 4.0.24-r1 implements a number of modifications that upstream has requested and have been under development until now (the discussion is in bug #44592), as well as implementing a USE=minimal mode for MySQL. I only expect arches to stabilize 4.0.24-r0 at this point (and let -r1 go through the normal month of testing). To test the ebuilds:
USE="berkdb ssl perl readline ssl tcpd" FEATURES="test" emerge =dev-db/mysql-4.0.24
MySQL-4.1 has not ever been out of p.mask yet, and still doesn't work on my testing machine. I've got a user helping me out with it, and I'll try and see that we get 4.1.10a into the tree within the next 2 weeks (I don't have time to do it sooner, as I've got exams next week).
Thx Robin. Arches please test and mark stable.
Stable on ppc.
compiled fine, tests finished successfully but i got an access violation on amd64:
------------------------------------------
Ending Tests
Shutting-down MySQL daemon
Master shutdown finished
Slave shutdown finished
All 209 tests were successful.
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/tmp/sandbox-dev-db_-_mysql-4.0.24-9374.log"
open_wr: /this-dir-does-not-exist/t9.MYI
--------------------------------------------------------------------------------
same access violation on ppc64. if I leave out FEATURES="test" the ebuild installs smooth and mysqld runs. Not marked stable on ppc64 yet.
Please do at least minimal testing BEFORE marking stable. See Bug 85095 - the init script is just totally broken.
Jakub Moc: we are about to mark mysql-4.0.24 stable not mysql-4.0.24-r1. That init script works, does it? (for me it does!)
So does it for me. I did some small tests and they were successful.
Stable on SPARC.
Re the tests and sandbox violation of '/this-dir-does-not-exist/t9.MYI' I've looked at the test sources, and added an addpredict entry into the ebuilds for it.
Markus: Oh, sorry. :/ I just tried to emerge latest unstable 4.0.x and did not notice that it was not the right version to become stable now.
works now, stable on amd64
stable on ppc64 Jakub: ^_^
Stable on mips.
Stable on hppa.
Stable on alpha.
x86 done, after a lot more testing to be sure :-).
GLSA 200503-19. arm, ia64, s390: please remember to mark stable to benefit from the GLSA.
when will 4.1 be in portage so that we can use the new GUIs... the good old mysqlcc is marked as deprecated by upstream... gentoo really needs to catch up!
Wow... that had absolutely nothing to do with this bug... I think James gets today's award for off-topic post to a bug report...