Vulnerabilities > CVE-2003-0780

047910
CVSS 9.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
mysql
oracle
conectiva
critical
nessus
exploit available

Summary

Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL 4.0.14 and earlier, and 3.23.x, allows attackers with ALTER TABLE privileges to execute arbitrary code via a long Password field.

Exploit-Db

  • descriptionMySQL 3.23.x/4.0.x Password Handler Buffer Overflow Vulnerability. CVE-2003-0780. Dos exploit for linux platform
    idEDB-ID:23138
    last seen2016-02-02
    modified2003-09-10
    published2003-09-10
    reporterFrank DENIS
    sourcehttps://www.exploit-db.com/download/23138/
    titleMySQL 3.23.x/4.0.x Password Handler Buffer Overflow Vulnerability
  • descriptionMySQL 3.23.x/4.0.x Remote Exploit. CVE-2003-0780. Remote exploit for linux platform
    idEDB-ID:98
    last seen2016-01-31
    modified2003-09-14
    published2003-09-14
    reporterbkbll
    sourcehttps://www.exploit-db.com/download/98/
    titleMySQL 3.23.x/4.0.x - Remote Exploit

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2003-282.NASL
    descriptionUpdated MySQL server packages fix a buffer overflow vulnerability. MySQL is a multi-user, multi-threaded SQL database server. Frank Denis reported a bug in unpatched versions of MySQL prior to version 3.23.58. Passwords for MySQL users are stored in the Password field of the user table. Under this bug, a Password field with a value greater than 16 characters can cause a buffer overflow. It may be possible for an attacker with the ability to modify the user table to exploit this buffer overflow to execute arbitrary code as the MySQL user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0780 to this issue. Users of MySQL are advised to upgrade to these erratum packages containing MySQL 3.23.58, which is not vulnerable to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id15652
    published2004-11-10
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15652
    titleRHEL 2.1 : mysql (RHSA-2003:282)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2003:282. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15652);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2003-0780");
      script_xref(name:"RHSA", value:"2003:282");
    
      script_name(english:"RHEL 2.1 : mysql (RHSA-2003:282)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated MySQL server packages fix a buffer overflow vulnerability.
    
    MySQL is a multi-user, multi-threaded SQL database server.
    
    Frank Denis reported a bug in unpatched versions of MySQL prior to
    version 3.23.58. Passwords for MySQL users are stored in the Password
    field of the user table. Under this bug, a Password field with a value
    greater than 16 characters can cause a buffer overflow. It may be
    possible for an attacker with the ability to modify the user table to
    exploit this buffer overflow to execute arbitrary code as the MySQL
    user. The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2003-0780 to this issue.
    
    Users of MySQL are advised to upgrade to these erratum packages
    containing MySQL 3.23.58, which is not vulnerable to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0780"
      );
      # http://www.mysql.com/doc/en/News-3.23.58.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://dev.mysql.com/doc/refman/4.1/en/news-3-23-58.html"
      );
      # http://www.mysql.com/doc/en/News-3.23.57.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://dev.mysql.com/doc/refman/4.1/en/news-3-23-57.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2003:282"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mysql, mysql-devel and / or mysql-server packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/10/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2003:282";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mysql-3.23.58-1.72")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mysql-devel-3.23.58-1.72")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mysql-server-3.23.58-1.72")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql / mysql-devel / mysql-server");
      }
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-094.NASL
    descriptionA buffer overflow was discovered in MySQL that could be executed by any user with
    last seen2020-06-01
    modified2020-06-02
    plugin id14076
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14076
    titleMandrake Linux Security Advisory : MySQL (MDKSA-2003:094)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:094. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14076);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2003-0780");
      script_xref(name:"MDKSA", value:"2003:094");
    
      script_name(english:"Mandrake Linux Security Advisory : MySQL (MDKSA-2003:094)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A buffer overflow was discovered in MySQL that could be executed by
    any user with 'ALTER TABLE' privileges on the 'mysql' database. If
    successfully exploited, the attacker could execute arbitrary code with
    the privileges of the user running the mysqld process (mysqld). The
    'mysql' database is used by MySQL for internal record keeping and by
    default only the 'root' user, or MySQL administrative account, has
    permission to alter its tables.
    
    This vulnerability was corrected in MySQL 4.0.15 and all previous
    versions are vulnerable. These packages have been patched to correct
    the problem."
      );
      # http://web.archive.org/web/20050308183850/http://lists.netsys.com:80/pipermail/full-disclosure/2003-September/009819.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6e5ad47e"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:MySQL");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:MySQL-Max");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:MySQL-bench");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:MySQL-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:MySQL-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmysql10");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmysql10-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmysql12");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmysql12-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/09/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"MySQL-3.23.47-5.5mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"MySQL-bench-3.23.47-5.5mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"MySQL-client-3.23.47-5.5mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libmysql10-3.23.47-5.5mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libmysql10-devel-3.23.47-5.5mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"MySQL-3.23.56-1.4mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"MySQL-Max-3.23.56-1.4mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"MySQL-bench-3.23.56-1.4mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"MySQL-client-3.23.56-1.4mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libmysql10-3.23.56-1.4mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libmysql10-devel-3.23.56-1.4mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"MySQL-4.0.11a-5.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"MySQL-Max-4.0.11a-5.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"MySQL-bench-4.0.11a-5.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"MySQL-client-4.0.11a-5.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"MySQL-common-4.0.11a-5.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"libmysql12-4.0.11a-5.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"libmysql12-devel-4.0.11a-5.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-381.NASL
    descriptionMySQL, a popular relational database system, contains a buffer overflow condition which could be exploited by a user who has permission to execute
    last seen2020-06-01
    modified2020-06-02
    plugin id15218
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15218
    titleDebian DSA-381-1 : mysql - buffer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-381. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15218);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2003-0780");
      script_bugtraq_id(8590);
      script_xref(name:"DSA", value:"381");
    
      script_name(english:"Debian DSA-381-1 : mysql - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "MySQL, a popular relational database system, contains a buffer
    overflow condition which could be exploited by a user who has
    permission to execute 'ALTER TABLE' commands on the tables in the
    'mysql' database. If successfully exploited, this vulnerability could
    allow the attacker to execute arbitrary code with the privileges of
    the mysqld process (by default, user 'mysql'). Since the 'mysql'
    database is used for MySQL's internal record keeping, by default the
    mysql administrator 'root' is the only user with permission to alter
    its tables."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=210403"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/210403"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-381"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the stable distribution (woody) this problem has been fixed in
    version 3.23.49-8.5.
    
    We recommend that you update your mysql package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/09/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"libmysqlclient10", reference:"3.23.49-8.5")) flag++;
    if (deb_check(release:"3.0", prefix:"libmysqlclient10-dev", reference:"3.23.49-8.5")) flag++;
    if (deb_check(release:"3.0", prefix:"mysql-client", reference:"3.23.49-8.5")) flag++;
    if (deb_check(release:"3.0", prefix:"mysql-common", reference:"3.23.49-8.5")) flag++;
    if (deb_check(release:"3.0", prefix:"mysql-doc", reference:"3.23.49-8.5")) flag++;
    if (deb_check(release:"3.0", prefix:"mysql-server", reference:"3.23.49-8.5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDatabases
    NASL idMYSQL_PASSWORD_OVERFLOW.NASL
    descriptionAccording to its banner, the version of MySQL installed on the remote host fails to validate the length of a user-supplied password in the
    last seen2020-06-01
    modified2020-06-02
    plugin id11842
    published2003-09-19
    reporterThis script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/11842
    titleMySQL sql_acl.cc get_salt_from_password Function Password Handling Remote Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    #
    # Ref:
    #  From: Jedi/Sector One <[email protected]>
    #  To: [email protected]
    #  Subject: Buffer overflow in MySQL
    #  Message-ID: <[email protected]>
    #
    
    include("compat.inc");
    
    if (description)
    {
     
     script_id(11842);  
     script_version("1.32");
     script_cvs_date("Date: 2018/11/15 20:50:21");
    
     script_cve_id("CVE-2003-0780");
     script_bugtraq_id(8590);
     script_xref(name:"RHSA", value:"2003:281-01");
     script_xref(name:"SuSE", value:"SUSE-SA:2003:042");
     
     script_name(english:"MySQL sql_acl.cc get_salt_from_password Function Password Handling Remote Overflow");
     script_summary(english:"Checks for the remote MySQL version");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote database server is susceptible to a buffer overflow attack.");
     script_set_attribute(attribute:"description", value:
    "According to its banner, the version of MySQL installed on the remote
    host fails to validate the length of a user-supplied password in the
    'User' table in the 'get_salt_from_password()' function.  Using a
    specially crafted value for a new password, an authenticated attacker
    with the 'ALTER DATABASE' privilege may be able to leverage this issue
    to trigger a buffer overflow and execute arbitrary code subject to the
    privileges under which the database service runs.");
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2003/Sep/413");
     script_set_attribute(attribute:"see_also", value:"https://lists.mysql.com/announce/168");
     script_set_attribute(attribute:"see_also", value:"https://lists.mysql.com/announce/169");
     script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL 3.23.58 / 4.0.15 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/09/19");
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/11");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:mysql");
     script_end_attributes();
     
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
     script_family(english:"Databases");
    
     script_dependencies("mysql_version.nasl", "mysql_login.nasl");
     script_require_ports("Services/mysql", 3306);
     script_require_keys("Settings/ParanoidReport");
    
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("mysql_func.inc");
    
    
    # nb: banner checks of open source software are prone to false-
    #     positives so only run the check if reporting is paranoid.
    if (report_paranoia < 2)
      exit(1, "This plugin only runs if 'Report paranoia' is set to 'Paranoid'.");
    
    port = get_service(svc:"mysql", default:3306, exit_on_fail:TRUE);
    
    if (mysql_init(port:port, exit_on_fail:TRUE) == 1)
    {
      version = mysql_get_version();
    
      if (
        strlen(version) &&
        version =~ "^3\.(([0-9]\..*|(1[0-9]\..*)|(2[0-2]\..*))|23\.([0-4][0-9]|5[0-7])[^0-9])"
      )
      {
        if (report_verbosity > 0)
        {
          report = '\nThe remote MySQL server\'s version is :\n\n  '+version+'\n';
          datadir = get_kb_item('mysql/' + port + '/datadir');
          if (!empty_or_null(datadir))
          {
            report += '  Data Dir          : ' + datadir + '\n';
          }
          databases = get_kb_item('mysql/' + port + '/databases');
          if (!empty_or_null(databases))
          { 
            report += '  Databases         :\n' + databases;
          }
          security_hole(port:port, extra:report);
        }
        else security_hole(port);
      }
    }
    mysql_close();
    

Redhat

advisories
  • rhsa
    idRHSA-2003:281
  • rhsa
    idRHSA-2003:282