Hi,

When I try the hoagie_mysql exploit from http://void.at/releases.html on a 3.23.54a MySQL server (which should be safe), I can crash the database with this.
How did I do it? I start hoagie_mysql with a valid db user (not root). Then I press ctrl-c (abort) and start the tool again. Now the tool has reported that the attack has failed. But the MySQL db is restarted if I look in the error log, and some normal connections to the database will then fail. I have tried it on several servers with success.

###
packages:/opt/pkgs# ./hoagie_mysql -u qwerty -p ytrewq
connecting to [localhost] as [qwerty] ... ok
sending one byte requests with user [root] ... [CTRL-C]
packages:/opt/pkgs# ./hoagie_mysql -u qwerty -p ytrewq
connecting to [localhost] as [qwerty] ... ok
sending one byte requests with user [root] ... attack failed
###

Mysql.err log:

030121 12:36:16 mysqld restarted
030121 12:36:17 InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections
mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail

key_buffer_size=16773120
record_buffer=131072
sort_buffer=524280
max_used_connections=0
max_connections=100
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (record_buffer + sort_buffer)*max_connections = 80379 K
bytes of memory
Hope that's ok, if not, decrease some variables in the equation

Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Stack range sanity check OK, backtrace follows:
0x80c46b4
0x40022f54
0x4014847a
0x40148074
0x829039e
0x829086d
0x80af85d
0x80c9c26
Stack trace seems successful - bottom reached
Please read http://www.mysql.com/doc/U/s/Using_stack_trace.html and follow
instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at (nil) is invalid pointer
thd->thread_id=2

Successfully dumped variables, if you ran with --log, take a look at the
details of what thread 2 did to cause the crash. In some cases of really
bad corruption, the values shown above may be invalid

The manual page at http://www.mysql.com/doc/C/r/Crashing.html contains
information that should help you find out what is causing the crash

Number of processes running now: 0
030121 12:37:56 mysqld restarted
030121 12:37:57 InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections

packages:~# mysqld --version
mysqld Ver 3.23.54 for pc-linux on i686

mysql> select * from db;
+--------------+--------+--------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+
| Host         | Db     | User   | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+--------------+--------+--------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+
| 192.168.1.76 | qwerty | qwerty | Y           | Y           | Y           | Y           | Y           | Y         | N          | N               | Y          | Y          |
| localhost    | qwerty | qwerty | Y           | Y           | Y           | Y           | Y           | Y         | N          | N               | Y          | Y          |
| packages     | qwerty | qwerty | Y           | Y           | Y           | Y           | Y           | Y         | N          | N               | Y          | Y          |
+--------------+--------+--------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+
3 rows in set (0.00 sec)

mysql> select * from user;
+--------------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| Host         | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+--------------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| localhost    | root   | 5fcc735428e45938 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          |
| packages     | root   | 5fcc735428e45938 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          |
| 192.168.1.76 | qwerty | 492dda525cdd081f | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
| localhost    | qwerty | 492dda525cdd081f | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
| packages     | qwerty | 492dda525cdd081f | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
+--------------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
5 rows in set (0.00 sec)

Regards,

Dennis Kruyt
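
Added example, not part of the original message and not MySQL's own code: one way to pick the crash-and-restart pattern reported above out of a mysqld error log, so an operator can alert on it. It assumes the 3.23-era line formats quoted in the message, with one backtrace address per line; the function name and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the line format of the mysqld error log quoted above.
SAMPLE_LOG = """\
030121 12:36:17  InnoDB: Started
/opt/zx/mysql/libexec/mysqld: ready for connections
mysqld got signal 11;
threads_connected=1
Stack range sanity check OK, backtrace follows:
0x80c46b4
0x40022f54
Stack trace seems successful - bottom reached
thd->query at (nil)  is invalid pointer
thd->thread_id=2
Number of processes running now: 0
030121 12:37:56  mysqld restarted
"""

SIGNAL = re.compile(r"mysqld got signal (\d+)")
FRAME = re.compile(r"0x[0-9a-fA-F]+$")
THREAD = re.compile(r"thd->thread_id=(\d+)")
RESTART = re.compile(r"(\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+mysqld restarted")


def find_crashes(log_text):
    """Return one record per 'mysqld got signal N' block in an error log."""
    crashes, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SIGNAL.match(line):
            if cur is not None:          # previous crash had no restart line
                crashes.append(cur)
            cur = {"signal": int(m.group(1)), "frames": [],
                   "thread_id": None, "restarted_at": None}
        elif cur is None:
            continue                     # ordinary startup/shutdown lines
        elif FRAME.match(line):
            cur["frames"].append(line)   # unresolved return addresses
        elif m := THREAD.match(line):
            cur["thread_id"] = int(m.group(1))
        elif m := RESTART.match(line):
            cur["restarted_at"] = m.group(1)
            crashes.append(cur)
            cur = None
    if cur is not None:                  # crashed and never came back up
        crashes.append(cur)
    return crashes


if __name__ == "__main__":
    for crash in find_crashes(SAMPLE_LOG):
        print(crash)
```

A record whose `restarted_at` is empty means the server went down on a signal and no restart was logged afterwards, which is the case worth paging on.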