Vulnerabilities > CVE-2003-0073 - Unspecified vulnerability in Oracle Mysql

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

oracle

nessus

NVD

Published: 2003-02-19

Updated: 2019-10-07

Summary

Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Mysql 3.23.31 Oracle Mysql 3.23.36 Oracle Mysql 3.23.41 Oracle Mysql 3.23.47 Oracle Mysql 3.23.52 Oracle Mysql 3.23.53 Oracle Mysql 3.23.54 Oracle Mysql 3.23.54A	8

Nessus

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2003-094.NASL
description	Updated packages are available that fix both a double-free security vulnerability and a remote root exploit security vulnerability found in the MySQL server. [Updated 11 Aug 2003] Updated mysqlclient9 packages are now included. These were previously missing from this erratum. MySQL is a multi-user, multi-threaded SQL database server. A double-free vulnerability in mysqld, for MySQL before version 3.23.55, allows attackers with MySQL access to cause a denial of service (crash) by creating a carefully crafted client application. A remote root exploit vulnerability in mysqld, for MySQL before version 3.23.56, allows MySQL users to gain root privileges by overwriting configuration files. Previous versions of the MySQL packages do not contain the thread safe client library (libmysqlclient_r). All users of MySQL are advised to upgrade to these errata packages containing MySQL 3.23.56.
last seen	2020-06-01
modified	2020-06-02
plugin id	12378
published	2004-07-06
reporter	This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/12378
title	RHEL 2.1 : mysql (RHSA-2003:094)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:094. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12378); script_version ("1.22"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2003-0073", "CVE-2003-0150"); script_xref(name:"RHSA", value:"2003:094"); script_name(english:"RHEL 2.1 : mysql (RHSA-2003:094)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated packages are available that fix both a double-free security vulnerability and a remote root exploit security vulnerability found in the MySQL server. [Updated 11 Aug 2003] Updated mysqlclient9 packages are now included. These were previously missing from this erratum. MySQL is a multi-user, multi-threaded SQL database server. A double-free vulnerability in mysqld, for MySQL before version 3.23.55, allows attackers with MySQL access to cause a denial of service (crash) by creating a carefully crafted client application. A remote root exploit vulnerability in mysqld, for MySQL before version 3.23.56, allows MySQL users to gain root privileges by overwriting configuration files. Previous versions of the MySQL packages do not contain the thread safe client library (libmysqlclient_r). All users of MySQL are advised to upgrade to these errata packages containing MySQL 3.23.56." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0073" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0150" ); # http://www.mysql.com/doc/en/News-3.23.55.html script_set_attribute( attribute:"see_also", value:"https://dev.mysql.com/doc/refman/4.1/en/news-3-23-55.html" ); # http://www.mysql.com/doc/en/News-3.23.56.html script_set_attribute( attribute:"see_also", value:"https://dev.mysql.com/doc/refman/4.1/en/news-3-23-56.html" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:094" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysqlclient9"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/02/19"); script_set_attribute(attribute:"patch_publication_date", value:"2003/08/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:094"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mysql-3.23.56-1.72")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mysql-devel-3.23.56-1.72")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mysql-server-3.23.56-1.72")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mysqlclient9-3.23.22-8")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql / mysql-devel / mysql-server / mysqlclient9"); } }

NASL family	Databases
NASL id	MYSQL_DOUBLE_FREE.NASL
description	According to its banner, a version of MySQL before 3.23.55 is running on the remote host. If you have not patched this version, then an attacker with valid credentials may be able to crash this service remotely by exploiting a double free bug. Further exploitation to gain a shell on the host might be possible, although it
last seen	2020-06-01
modified	2020-06-02
plugin id	11299
published	2003-03-01
reporter	This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/11299
title	MySQL < 3.23.55 mysql_change_user() Double-free Memory Pointer DoS
code	# # (C) Tenable Network Security, Inc. # # # Ref: http://www.mysql.com/doc/en/News-3.23.55.html # include("compat.inc"); if (description) { script_id(11299); script_version("1.30"); script_cvs_date("Date: 2018/07/16 14:09:13"); script_cve_id("CVE-2003-0073"); script_bugtraq_id(6718); script_xref(name:"RHSA", value:"2003:093-01"); script_name(english:"MySQL < 3.23.55 mysql_change_user() Double-free Memory Pointer DoS"); script_summary(english:"Checks for the remote MySQL version"); script_set_attribute(attribute:"synopsis", value: "The remote database service is prone to a denial of service attack."); script_set_attribute(attribute:"description", value: "According to its banner, a version of MySQL before 3.23.55 is running on the remote host. If you have not patched this version, then an attacker with valid credentials may be able to crash this service remotely by exploiting a double free bug. Further exploitation to gain a shell on the host might be possible, although it's unconfirmed so far."); script_set_attribute(attribute:"solution", value: "Upgrade to MySQL 3.23.55 or newer."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/01"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/23"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:mysql"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Databases"); script_dependencies("mysql_version.nasl", "mysql_login.nasl"); script_require_ports("Services/mysql", 3306); script_require_keys("Settings/ParanoidReport"); exit(0); } # # The script code starts here # include("global_settings.inc"); include("misc_func.inc"); include("mysql_func.inc"); # nb: banner checks of open source software are prone to false- # positives so only run the check if reporting is paranoid. if (report_paranoia < 2) exit(1, "This plugin only runs if 'Report paranoia' is set to 'Paranoid'."); port = get_service(svc:"mysql", default:3306, exit_on_fail:TRUE); if (mysql_init(port:port, exit_on_fail:TRUE) == 1) { version = mysql_get_version(); if ( strlen(version) && version =~ "^3\.(([0-9]\..\|(1[0-9]\..)\|(2[0-2]\..*))\|23\.([0-4][0-9]\|5[0-4])[^0-9])" ) { if (report_verbosity > 0) { report = '\nThe remote MySQL server\'s version is :\n\n '+version+'\n'; datadir = get_kb_item('mysql/' + port + '/datadir'); if (!empty_or_null(datadir)) { report += ' Data Dir : ' + datadir + '\n'; } databases = get_kb_item('mysql/' + port + '/databases'); if (!empty_or_null(databases)) { report += ' Databases :\n' + databases; } security_warning(port:port, extra:report); } else security_warning(port); } } mysql_close();

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-303.NASL
description	CAN-2003-0073: The mysql package contains a bug whereby dynamically allocated memory is freed more than once, which could be deliberately triggered by an attacker to cause a crash, resulting in a denial of service condition. In order to exploit this vulnerability, a valid username and password combination for access to the MySQL server is required. CAN-2003-0150: The mysql package contains a bug whereby a malicious user, granted certain permissions within mysql, could create a configuration file which would cause the mysql server to run as root, or any other user, rather than the mysql user.
last seen	2020-06-01
modified	2020-06-02
plugin id	15140
published	2004-09-29
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15140
title	Debian DSA-303-1 : mysql - privilege escalation
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-303. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15140); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2003-0073", "CVE-2003-0150"); script_bugtraq_id(7052); script_xref(name:"DSA", value:"303"); script_name(english:"Debian DSA-303-1 : mysql - privilege escalation"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "CAN-2003-0073: The mysql package contains a bug whereby dynamically allocated memory is freed more than once, which could be deliberately triggered by an attacker to cause a crash, resulting in a denial of service condition. In order to exploit this vulnerability, a valid username and password combination for access to the MySQL server is required. CAN-2003-0150: The mysql package contains a bug whereby a malicious user, granted certain permissions within mysql, could create a configuration file which would cause the mysql server to run as root, or any other user, rather than the mysql user." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2003/dsa-303" ); script_set_attribute( attribute:"solution", value: "For the stable distribution (woody) both problems have been fixed in version 3.23.49-8.4. The old stable distribution (potato) is only affected by CAN-2003-0150, and this has been fixed in version 3.22.32-6.4. We recommend that you update your mysql package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/05/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"2.2", prefix:"mysql-client", reference:"3.22.32-6.4")) flag++; if (deb_check(release:"2.2", prefix:"mysql-doc", reference:"3.22.32-6.4")) flag++; if (deb_check(release:"2.2", prefix:"mysql-server", reference:"3.22.32-6.4")) flag++; if (deb_check(release:"3.0", prefix:"libmysqlclient10", reference:"3.23.49-8.4")) flag++; if (deb_check(release:"3.0", prefix:"libmysqlclient10-dev", reference:"3.23.49-8.4")) flag++; if (deb_check(release:"3.0", prefix:"mysql-client", reference:"3.23.49-8.4")) flag++; if (deb_check(release:"3.0", prefix:"mysql-common", reference:"3.23.49-8.4")) flag++; if (deb_check(release:"3.0", prefix:"mysql-doc", reference:"3.23.49-8.4")) flag++; if (deb_check(release:"3.0", prefix:"mysql-server", reference:"3.23.49-8.4")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2003-013.NASL
description	Aleksander Adamowski informed MandrakeSoft that the MySQL developers fixed a DoS vulnerability in the recently released 3.23.55 version of MySQL. A double free() pointer bug in the mysql_change_user() handling would allow a specially hacked mysql client to crash the main mysqld server. This vulnerability can only be exploited by first logging in with a valid user account.
last seen	2020-06-01
modified	2020-06-02
plugin id	13998
published	2004-07-31
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/13998
title	Mandrake Linux Security Advisory : MYSQL (MDKSA-2003:013)

Oval

accepted

2010-09-20T04:00:25.288-04:00

class

vulnerability

contributors

name Jay Beale
organization Bastille Linux
name Jay Beale
organization Bastille Linux
name Thomas R. Jones
organization Maitreya Security
name Jonathan Baker
organization The MITRE Corporation

description

Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user.

family

unix

oval:org.mitre.oval:def:436

status

accepted

submitted

2003-08-18T12:00:00.000-04:00

title

MYSQLd Double-free Vulnerability

version

Redhat

advisories

rhsa
id RHSA-2003:093
rhsa
id RHSA-2003:094
rhsa
id RHSA-2003:166

Summary

Vulnerable Configurations

Nessus

Oval

Redhat

References