Vulnerabilities > CVE-2004-0628 - Denial Of Service vulnerability in Mysql 4.1.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long scramble string.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family Databases NASL id MYSQL_4_1_3.NASL description The version of MySQL 4.1 installed on the remote host is earlier than 4.1.3. Such versions are reported affected by multiple vulnerabilities : - It is possible for a remote attacker to bypass the password authentication mechanism using a specially crafted packet with a zero-length scramble buff string. (CVE-2004-0627) - The server fails to check the length of a scrambled password used by the 4.1 authentication protocol and sent as part of a client authentication packet, which can result in a stack-based buffer overflow. last seen 2020-06-01 modified 2020-06-02 plugin id 17691 published 2011-01-07 reporter This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17691 title MySQL 4.1 < 4.1.3 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(17691); script_version("1.11"); script_cvs_date("Date: 2018/11/15 20:50:21"); script_cve_id("CVE-2004-0627", "CVE-2004-0628", "CVE-2004-0628"); script_bugtraq_id(10654); script_xref(name:"CERT", value:"184030"); script_xref(name:"CERT", value:"645326"); script_xref(name:"EDB-ID", value:"311"); script_name(english:"MySQL 4.1 < 4.1.3 Multiple Vulnerabilities"); script_summary(english:"Checks version of MySQL 4.1 Server"); script_set_attribute( attribute:"synopsis", value:"The remote database service is affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "The version of MySQL 4.1 installed on the remote host is earlier than 4.1.3. Such versions are reported affected by multiple vulnerabilities : - It is possible for a remote attacker to bypass the password authentication mechanism using a specially crafted packet with a zero-length scramble buff string. (CVE-2004-0627) - The server fails to check the length of a scrambled password used by the 4.1 authentication protocol and sent as part of a client authentication packet, which can result in a stack-based buffer overflow." ); script_set_attribute( attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Jul/45" ); script_set_attribute( attribute:"see_also", value:"http://dev.mysql.com/doc/refman/4.1/en/news-4-1-3.html" ); script_set_attribute( attribute:"solution", value:"Upgrade to MySQL 4.1.3 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/01"); script_set_attribute(attribute:"patch_publication_date", value:"2004/06/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/07"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:mysql"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mysql_version.nasl", "mysql_login.nasl"); script_require_ports("Services/mysql", 3306); script_require_keys("Settings/ParanoidReport"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("mysql_func.inc"); # nb: banner checks of open source software are prone to false- # positives so only run the check if reporting is paranoid. if (report_paranoia < 2) exit(1, "This plugin only runs if 'Report paranoia' is set to 'Paranoid'."); port = get_service(svc:"mysql", default:3306, exit_on_fail:TRUE); if (mysql_init(port:port, exit_on_fail:TRUE) == 1) { version = mysql_get_version(); mysql_close(); if (!strlen(version)) exit(1, "Failed to get the version of the MySQL service listening on port "+port+"."); if (version =~ "^4\.1\.[0-2]($|[^0-9])") { if (report_verbosity > 0) { report = '\n' + ' Installed version : ' + version + '\n' + ' Fixed version : 4.1.3\n'; datadir = get_kb_item('mysql/' + port + '/datadir'); if (!empty_or_null(datadir)) { report += ' Data Dir : ' + datadir + '\n'; } databases = get_kb_item('mysql/' + port + '/databases'); if (!empty_or_null(databases)) { report += ' Databases :\n' + databases; } security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else exit(0, "MySQL version "+version+" is listening on port "+port+" and is not affected."); } else exit(1, "An error occurred when connecting to the MySQL server listening on port "+port+".");
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_E5E2883DCEB911D88898000D6111A684.NASL description By submitting a carefully crafted authentication packet, it is possible for an attacker to bypass password authentication in MySQL 4.1. Using a similar method, a stack buffer used in the authentication mechanism can be overflowed. last seen 2020-06-01 modified 2020-06-02 plugin id 19149 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19149 title FreeBSD : MySQL authentication bypass / buffer overflow (e5e2883d-ceb9-11d8-8898-000d6111a684) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(19149); script_version("1.22"); script_cvs_date("Date: 2019/08/02 13:32:36"); script_cve_id("CVE-2004-0627", "CVE-2004-0628"); script_xref(name:"CERT", value:"184030"); script_xref(name:"CERT", value:"645326"); script_xref(name:"Secunia", value:"12020"); script_name(english:"FreeBSD : MySQL authentication bypass / buffer overflow (e5e2883d-ceb9-11d8-8898-000d6111a684)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "By submitting a carefully crafted authentication packet, it is possible for an attacker to bypass password authentication in MySQL 4.1. Using a similar method, a stack buffer used in the authentication mechanism can be overflowed." ); script_set_attribute( attribute:"see_also", value:"http://www.nextgenss.com/advisories/mysql-authbypass.txt" ); # http://dev.mysql.com/doc/mysql/en/News-4.1.3.html script_set_attribute( attribute:"see_also", value:"https://dev.mysql.com/doc/mysql/en/News-4.1.3.html" ); # http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0003.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?cb4832d5" ); # https://vuxml.freebsd.org/freebsd/e5e2883d-ceb9-11d8-8898-000d6111a684.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?cd5dd51d" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mysql-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/01"); script_set_attribute(attribute:"patch_publication_date", value:"2004/07/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"mysql-server>=4.1<4.1.3")) flag++; if (pkg_test(save_report:TRUE, pkg:"mysql-server>=5<=5.0.0_2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");