Vulnerabilities > CVE-2002-1374

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
oracle
symantec-veritas
nessus
exploit available

Summary

The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x before 4.0.6, allows remote attackers to gain privileges via a brute force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password.

Vulnerable Configurations

Part Description Count
Application
Oracle
47
Application
Symantec_Veritas
15

Exploit-Db

descriptionMySQL 3.23.x/4.0.x COM_CHANGE_USER Password Length Account Compromise Vulnerability. CVE-2002-1374. Remote exploit for unix platform
idEDB-ID:22084
last seen2016-02-02
modified2002-12-16
published2002-12-16
reporterAndi
sourcehttps://www.exploit-db.com/download/22084/
titleMySQL 3.23.x/4.0.x COM_CHANGE_USER Password Length Account Compromise Vulnerability

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2002-289.NASL
    descriptionUpdated packages are available for Red Hat Linux Advanced Server 2.1 that fix security vulnerabilities found in the MySQL server. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1 MySQL is a multi-user, multi-threaded SQL database server. While auditing MySQL, Stefan Esser found security vulnerabilities that can be used to crash the server or allow MySQL users to gain privileges. A signed integer vulnerability in the COM_TABLE_DUMP package for MySQL 3.x to 3.23.53a, and 4.x to 4.0.5a, allows remote attackers to cause a denial of service (crash or hang) in mysqld by causing large negative integers to be provided to a memcpy call. (CVE-2002-1373) The COM_CHANGE_USER command in MySQL 3.x to 3.23.53a, and 4.x to 4.0.5a, allows a remote attacker to gain privileges via a brute-force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password. (CVE-2002-1374) The COM_CHANGE_USER command in MySQL 3.x to 3.23.53a, and 4.x to 4.0.5a, allows remote attackers to execute arbitrary code via a long response. (CVE-2002-1375) The MySQL client library (libmysqlclient) in MySQL 3.x to 3.23.53a, and 4.x to 4.0.5a, does not properly verify length fields for certain responses in the read_rows or read_one_row routines, which allows a malicious server to cause a denial of service and possibly execute arbitrary code. (CVE-2002-1376) Red Hat Linux Advanced Server 2.1 contains versions of MySQL that are vulnerable to these issues. All users of MySQL are advised to upgrade to these errata packages containing MySQL 3.23.54a which is not vulnerable to these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id12340
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12340
    titleRHEL 2.1 : mysql (RHSA-2002:289)
  • NASL familyDatabases
    NASL idMYSQL_MULTIPLE_FLAWS.NASL
    descriptionThe remote host is running a version of MySQL older than 3.23.54 or 4.0.6. The remote version of this product contains several flaw that could allow an attacker to crash this service remotely.
    last seen2020-06-01
    modified2020-06-02
    plugin id11192
    published2002-12-12
    reporterThis script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/11192
    titleMySQL < 3.23.54 / 4.0.6 Multiple Vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-087.NASL
    descriptionTwo vulnerabilities were discovered in all versions of MySQL prior to 3.23.53a and 4.0.5a by Stefan Esser. The first can be used by any valid MySQL user to crash the MySQL server, the other allows anyone to bypass the MySQL password check or execute arbitrary code with the privilege of the user running mysqld. Another two vulnerabilities were found, one an arbitrary size heap overflow in the mysql client library and another that allows one to write
    last seen2020-06-01
    modified2020-06-02
    plugin id13985
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13985
    titleMandrake Linux Security Advisory : MySQL (MDKSA-2002:087)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-212.NASL
    descriptionWhile performing an audit of MySQL e-matters found several problems : signed/unsigned problem in COM_TABLE_DUMP Two sizes were taken as signed integers from a request and then cast to unsigned integers without checking for negative numbers. Since the resulting numbers where used for a memcpy() operation this could lead to memory corruption.Password length handling in COM_CHANGE_USER When re-authenticating to a different user MySQL did not perform all checks that are performed on initial authentication. This created two problems : - it allowed for single-character password brute forcing (as was fixed in February 2000 for initial login) which could be used by a normal user to gain root privileges to the database - it was possible to overflow the password buffer and force the server to execute arbitrary code read_rows() overflow in libmysqlclient When processing the rows returned by a SQL server there was no check for overly large rows or terminating NUL characters. This can be used to exploit SQL clients if they connect to a compromised MySQL server.read_one_row() overflow in libmysqlclient When processing a row as returned by a SQL server the returned field sizes were not verified. This can be used to exploit SQL clients if they connect to a compromised MySQL server. For Debian GNU/Linux 3.0/woody this has been fixed in version 3.23.49-8.2 and version 3.22.32-6.3 for Debian GNU/Linux 2.2/potato.
    last seen2020-06-01
    modified2020-06-02
    plugin id15049
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15049
    titleDebian DSA-212-1 : mysql - multiple problems

Redhat

advisories
  • rhsa
    idRHSA-2002:288
  • rhsa
    idRHSA-2002:289
  • rhsa
    idRHSA-2003:166