CVE-2005-2558 - Buffer Overflow vulnerability in MySQL User-Defined Function
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Stack-based buffer overflow in the init_syms function in MySQL 4.0 before 4.0.25, 4.1 before 4.1.13, and 5.0 before 5.0.7-beta allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field.
Vulnerable Configurations
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-831.NASL description A stack-based buffer overflow in the init_syms function of MySQL, a popular database, has been discovered that allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. The ability to create user-defined functions is not typically granted to untrusted users. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3 last seen 2020-06-01 modified 2020-06-02 plugin id 19800 published 2005-10-05 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19800 title Debian DSA-831-1 : mysql-dfsg - buffer overflow code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-831. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Local (SSH-based) dpkg check for CVE-2005-2558 on Debian 3.1 (sarge):
# flags hosts whose mysql-dfsg binary packages are older than the fixed
# reference version 4.0.24-10sarge1 quoted in the DSA matrix above.

include("compat.inc");

# Registration phase. The engine calls the script once with `description`
# set; this branch only records metadata and exits before any check runs.
if (description)
{
  script_id(19800);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2005-2558");
  script_bugtraq_id(14509);
  script_xref(name:"DSA", value:"831");

  script_name(english:"Debian DSA-831-1 : mysql-dfsg - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  # Description text is the DSA wording verbatim (the fix matrix included);
  # it is not touched here because it is what the scanner reports.
  script_set_attribute(
    attribute:"description",
    value:
"A stack-based buffer overflow in the init_syms function of MySQL, a popular database, has been discovered that allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. 
The ability to create user-defined functions is not typically granted to untrusted users. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-831"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the mysql-dfsg packages.");
  # NOTE(review): the base vector is AV:L (local) while the description
  # says "remote authenticated users"; both are reproduced as published.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql-dfsg");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/09/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/08");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # The KB keys named here are the ones re-verified in the check phase.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Check phase. Audit out early unless local checks ran, the host identified
# as Debian, and a dpkg package list was collected.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# `flag` counts deb_check() hits. deb_check() comes from debian_package.inc,
# so its exact version-comparison rules are not visible in this file; the
# reference version is the sarge entry of the DSA-831 matrix.
flag = 0;
if (deb_check(release:"3.1", prefix:"libmysqlclient12", reference:"4.0.24-10sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"libmysqlclient12-dev", reference:"4.0.24-10sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"mysql-client", reference:"4.0.24-10sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"mysql-common", reference:"4.0.24-10sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"mysql-server", reference:"4.0.24-10sarge1")) flag++;

# Report if at least one package matched; the detailed package report is
# only attached when the scan's report verbosity asks for it.
if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-829.NASL description A stack-based buffer overflow in the init_syms function of MySQL, a popular database, has been discovered that allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. The ability to create user-defined functions is not typically granted to untrusted users. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3 last seen 2020-06-01 modified 2020-06-02 plugin id 19798 published 2005-10-05 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19798 title Debian DSA-829-1 : mysql - buffer overflow code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-829. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Local (SSH-based) dpkg check for CVE-2005-2558 on Debian 3.0 (woody):
# flags hosts whose mysql 3.23 binary packages are older than the fixed
# reference version 3.23.49-8.14 quoted in the DSA matrix above.

include("compat.inc");

# Registration phase. The engine calls the script once with `description`
# set; this branch only records metadata and exits before any check runs.
if (description)
{
  script_id(19798);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2005-2558");
  script_bugtraq_id(14509);
  script_xref(name:"DSA", value:"829");

  script_name(english:"Debian DSA-829-1 : mysql - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  # Description text is the DSA wording verbatim (the fix matrix included);
  # it is not touched here because it is what the scanner reports.
  script_set_attribute(
    attribute:"description",
    value:
"A stack-based buffer overflow in the init_syms function of MySQL, a popular database, has been discovered that allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. 
The ability to create user-defined functions is not typically granted to untrusted users. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-829"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the mysql packages.");
  # NOTE(review): the base vector is AV:L (local) while the description
  # says "remote authenticated users"; both are reproduced as published.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/09/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/08");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # The KB keys named here are the ones re-verified in the check phase.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Check phase. Audit out early unless local checks ran, the host identified
# as Debian, and a dpkg package list was collected.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# `flag` counts deb_check() hits. deb_check() comes from debian_package.inc,
# so its exact version-comparison rules are not visible in this file; the
# reference version is the woody entry of the DSA-829 matrix.
flag = 0;
if (deb_check(release:"3.0", prefix:"libmysqlclient10", reference:"3.23.49-8.14")) flag++;
if (deb_check(release:"3.0", prefix:"libmysqlclient10-dev", reference:"3.23.49-8.14")) flag++;
if (deb_check(release:"3.0", prefix:"mysql-client", reference:"3.23.49-8.14")) flag++;
if (deb_check(release:"3.0", prefix:"mysql-common", reference:"3.23.49-8.14")) flag++;
# NOTE(review): mysql-doc is pinned to 3.23.49-8.5, not -8.14 like the other
# packages; presumably the doc package was not rebuilt for this fix — confirm
# against DSA-829 before relying on it.
if (deb_check(release:"3.0", prefix:"mysql-doc", reference:"3.23.49-8.5")) flag++;
if (deb_check(release:"3.0", prefix:"mysql-server", reference:"3.23.49-8.14")) flag++;

# Report if at least one package matched; the detailed package report is
# only attached when the scan's report verbosity asks for it.
if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-180-1.NASL description AppSecInc Team SHATTER discovered a buffer overflow in the last seen 2020-06-01 modified 2020-06-02 plugin id 20591 published 2006-01-15 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20591 title Ubuntu 4.10 / 5.04 : mysql-dfsg vulnerability (USN-180-1) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-180-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
# Local (SSH-based) dpkg check for CVE-2005-2558 on Ubuntu 4.10 and 5.04:
# flags hosts whose mysql-dfsg packages are older than the per-release
# fixed versions listed in the check phase below.

include("compat.inc");

# Registration phase. The engine calls the script once with `description`
# set; this branch only records metadata and exits before any check runs.
if (description)
{
  script_id(20591);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:33:00");

  script_cve_id("CVE-2005-2558");
  script_xref(name:"USN", value:"180-1");

  script_name(english:"Ubuntu 4.10 / 5.04 : mysql-dfsg vulnerability (USN-180-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Ubuntu host is missing one or more security-related patches."
  );
  # Description text is the USN wording verbatim, including Tenable's
  # extraction note; it is what the scanner reports, so it is left as is.
  script_set_attribute(
    attribute:"description",
    value:
"AppSecInc Team SHATTER discovered a buffer overflow in the 'CREATE FUNCTION' statement. By specifying a specially crafted long function name, a local or remote attacker with function creation privileges could crash the server or execute arbitrary code with server privileges. However, the right to create function is usually not granted to untrusted users. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  # NOTE(review): base vector is AV:L (local) although the description
  # says "a local or remote attacker"; reproduced as published.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient12");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient12-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/09/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  # The KB keys named here are the ones re-verified in the check phase
  # (Host/cpu is needed for the architecture gate below).
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

# Check phase. Audit out unless local checks ran, the host reported an
# Ubuntu release, that release is exactly 4.10 or 5.04, and a dpkg package
# list was collected.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(4\.10|5\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture gate: only x86_64 and i386..i686 hosts are checked; any
# other CPU string audits out as "not implemented" rather than reporting
# the host as clean.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

# `flag` counts ubuntu_check() hits. ubuntu_check() comes from ubuntu.inc,
# so its exact version-comparison rules are not visible in this file.
# Fixed versions: 4.0.20-2ubuntu1.6 on 4.10, 4.0.23-3ubuntu2.1 on 5.04.
flag = 0;
if (ubuntu_check(osver:"4.10", pkgname:"libmysqlclient-dev", pkgver:"4.0.20-2ubuntu1.6")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"libmysqlclient12", pkgver:"4.0.20-2ubuntu1.6")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"mysql-client", pkgver:"4.0.20-2ubuntu1.6")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"mysql-common", pkgver:"4.0.20-2ubuntu1.6")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"mysql-server", pkgver:"4.0.20-2ubuntu1.6")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"libmysqlclient12", pkgver:"4.0.23-3ubuntu2.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"libmysqlclient12-dev", pkgver:"4.0.23-3ubuntu2.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"mysql-client", pkgver:"4.0.23-3ubuntu2.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"mysql-common", pkgver:"4.0.23-3ubuntu2.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"mysql-server", pkgver:"4.0.23-3ubuntu2.1")) flag++;

# Report if at least one package matched. Otherwise distinguish "packages
# were tested and are patched" from "none of the packages is installed".
if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmysqlclient-dev / libmysqlclient12 / libmysqlclient12-dev / etc");
}
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-833.NASL description This update only covers binary packages for the big endian MIPS architecture that was mysteriously forgotten in the earlier update. For completeness below is the original advisory text : A stack-based buffer overflow in the init_syms function of MySQL, a popular database, has been discovered that allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. The ability to create user-defined functions is not typically granted to untrusted users. The following vulnerability matrix explains which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3 last seen 2020-06-01 modified 2020-06-02 plugin id 19802 published 2005-10-05 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19802 title Debian DSA-833-2 : mysql-dfsg-4.1 - buffer overflow NASL family Databases NASL id MYSQL_INIT_SYMS_BUFFER_OVERFLOW.NASL description According to its version number, the installation of MySQL on the remote host is potentially affected by two flaws : - A buffer overflow can be triggered when copying the name of a user-defined function into a stack-based buffer. With sufficient access to create a user-defined function, an attacker may be able to exploit this and execute arbitrary code within the context of the affected database server process. (CVE-2005-2558) - The mysql_create_function is not fully protected against directory traversal attacks. On Windows, arbitrary files can be included by using backslash characters. (CVE-2005-2573) last seen 2020-06-01 modified 2020-06-02 plugin id 19416 published 2005-08-10 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/19416 title MySQL < 4.0.25 / 4.1.13 / 5.0.7 Multiple Vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-163.NASL description A stack-based buffer overflow was discovered in the init_syms function in MySQL that allows authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. The updated packages have been patched to address these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 19918 published 2005-10-05 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19918 title Mandrake Linux Security Advisory : MySQL (MDKSA-2005:163) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-180-2.NASL description USN-180-1 fixed a vulnerability in the mysql-server package (which ships version 4.0). Version 4.1 is vulnerable to the same flaw. Please note that this package is not officially supported in Ubuntu 5.10. Original advisory : last seen 2020-06-01 modified 2020-06-02 plugin id 20760 published 2006-01-21 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20760 title Ubuntu 5.10 : mysql-dfsg-4.1 vulnerability (USN-180-2)
References
- ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.18.1/SCOSA-2006.18.1.txt
- http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/035845.html
- http://marc.info/?l=bugtraq&m=112354450412427&w=2
- http://secunia.com/advisories/17027
- http://secunia.com/advisories/20381
- http://secunia.com/advisories/29847
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-236703-1
- http://www.appsecinc.com/resources/alerts/mysql/2005-002.html
- http://www.debian.org/security/2005/dsa-829
- http://www.debian.org/security/2005/dsa-831
- http://www.debian.org/security/2005/dsa-833
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:163
- http://www.novell.com/linux/security/advisories/2005_21_sr.html
- http://www.redhat.com/archives/fedora-legacy-announce/2006-January/msg00005.html
- http://www.securityfocus.com/bid/14509
- http://www.vupen.com/english/advisories/2008/1326/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/21737
- https://www.ubuntu.com/usn/usn-180-1/
- https://www.ubuntu.com/usn/usn-180-2/