CVE-2002-1375

047910
CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, oracle, symantec-veritas, nessus, exploit available

Summary

The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x to 4.0.6, allows remote attackers to execute arbitrary code via a long response.

Vulnerable Configurations

Part         Description        Count
Application  Oracle             47
Application  Symantec_Veritas   15

Exploit-Db

description: MySQL 3.23.x/4.0.x COM_CHANGE_USER Password Memory Corruption Vulnerability. CVE-2002-1375. Remote exploit for unix platform
id: EDB-ID:22085
last seen: 2016-02-02
modified: 2002-12-12
published: 2002-12-12
reporter: Stefan Esser
source: https://www.exploit-db.com/download/22085/
title: MySQL 3.23.x/4.0.x COM_CHANGE_USER Password Memory Corruption Vulnerability

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2002-289.NASL
    description: Updated packages are available for Red Hat Linux Advanced Server 2.1 that fix security vulnerabilities found in the MySQL server. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1. MySQL is a multi-user, multi-threaded SQL database server. While auditing MySQL, Stefan Esser found security vulnerabilities that can be used to crash the server or allow MySQL users to gain privileges. A signed integer vulnerability in the COM_TABLE_DUMP package for MySQL 3.x to 3.23.53a, and 4.x to 4.0.5a, allows remote attackers to cause a denial of service (crash or hang) in mysqld by causing large negative integers to be provided to a memcpy call. (CVE-2002-1373) The COM_CHANGE_USER command in MySQL 3.x to 3.23.53a, and 4.x to 4.0.5a, allows a remote attacker to gain privileges via a brute-force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password. (CVE-2002-1374) The COM_CHANGE_USER command in MySQL 3.x to 3.23.53a, and 4.x to 4.0.5a, allows remote attackers to execute arbitrary code via a long response. (CVE-2002-1375) The MySQL client library (libmysqlclient) in MySQL 3.x to 3.23.53a, and 4.x to 4.0.5a, does not properly verify length fields for certain responses in the read_rows or read_one_row routines, which allows a malicious server to cause a denial of service and possibly execute arbitrary code. (CVE-2002-1376) Red Hat Linux Advanced Server 2.1 contains versions of MySQL that are vulnerable to these issues. All users of MySQL are advised to upgrade to these errata packages containing MySQL 3.23.54a, which is not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12340
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12340
    title: RHEL 2.1 : mysql (RHSA-2002:289)
  • NASL family: Databases
    NASL id: MYSQL_MULTIPLE_FLAWS.NASL
    description: The remote host is running a version of MySQL older than 3.23.54 or 4.0.6. The remote version of this product contains several flaws that could allow an attacker to crash this service remotely.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11192
    published: 2002-12-12
    reporter: This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/11192
    title: MySQL < 3.23.54 / 4.0.6 Multiple Vulnerabilities
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2002-087.NASL
    description: Two vulnerabilities were discovered in all versions of MySQL prior to 3.23.53a and 4.0.5a by Stefan Esser. The first can be used by any valid MySQL user to crash the MySQL server, the other allows anyone to bypass the MySQL password check or execute arbitrary code with the privilege of the user running mysqld. Another two vulnerabilities were found, one an arbitrary size heap overflow in the mysql client library and another that allows one to write
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13985
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13985
    title: Mandrake Linux Security Advisory : MySQL (MDKSA-2002:087)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-212.NASL
    description: While performing an audit of MySQL, e-matters found several problems:
      - signed/unsigned problem in COM_TABLE_DUMP: Two sizes were taken as signed integers from a request and then cast to unsigned integers without checking for negative numbers. Since the resulting numbers were used for a memcpy() operation, this could lead to memory corruption.
      - Password length handling in COM_CHANGE_USER: When re-authenticating to a different user, MySQL did not perform all checks that are performed on initial authentication. This created two problems: it allowed for single-character password brute forcing (as was fixed in February 2000 for initial login), which could be used by a normal user to gain root privileges to the database; and it was possible to overflow the password buffer and force the server to execute arbitrary code.
      - read_rows() overflow in libmysqlclient: When processing the rows returned by a SQL server there was no check for overly large rows or terminating NUL characters. This can be used to exploit SQL clients if they connect to a compromised MySQL server.
      - read_one_row() overflow in libmysqlclient: When processing a row as returned by a SQL server the returned field sizes were not verified. This can be used to exploit SQL clients if they connect to a compromised MySQL server.
    For Debian GNU/Linux 3.0/woody this has been fixed in version 3.23.49-8.2, and in version 3.22.32-6.3 for Debian GNU/Linux 2.2/potato.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15049
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15049
    title: Debian DSA-212-1 : mysql - multiple problems

Redhat

advisories
  • rhsa
    id: RHSA-2002:288
  • rhsa
    id: RHSA-2002:289
  • rhsa
    id: RHSA-2003:166