Vulnerabilities > CVE-2005-2558 - Buffer Overflow vulnerability in MySQL User-Defined Function

CVSS 4.6 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

local

low complexity

mysql

oracle

nessus

NVD

Published: 2005-08-16

Updated: 2019-12-17

Summary

Stack-based buffer overflow in the init_syms function in MySQL 4.0 before 4.0.25, 4.1 before 4.1.13, and 5.0 before 5.0.7-beta allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field.

Vulnerable Configurations

Part	Description	Count
Application	Mysql Mysql Mysql 4.1.0 Mysql Mysql 4.1.3 Mysql Mysql 4.1.10 Mysql Mysql 5.0.1 Mysql Mysql 5.0.2 Mysql Mysql 5.0.3 Mysql Mysql 5.0.4	7
Application	Oracle Oracle Mysql 4.0.0 Oracle Mysql 4.0.1 Oracle Mysql 4.0.2 Oracle Mysql 4.0.3 Oracle Mysql 4.0.4 Oracle Mysql 4.0.5 Oracle Mysql 4.0.5A Oracle Mysql 4.0.6 Oracle Mysql 4.0.7 Oracle Mysql 4.0.8 Oracle Mysql 4.0.9 Oracle Mysql 4.0.10 Oracle Mysql 4.0.11 Oracle Mysql 4.0.12 Oracle Mysql 4.0.13 Oracle Mysql 4.0.14 Oracle Mysql 4.0.15 Oracle Mysql 4.0.18 Oracle Mysql 4.0.20 Oracle Mysql 4.0.21 Oracle Mysql 4.0.24 Oracle Mysql 4.1.0 Oracle Mysql 4.1.2 Oracle Mysql 4.1.3 Oracle Mysql 4.1.4 Oracle Mysql 4.1.5 Oracle Mysql 5.0.0	31

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-831.NASL
description	A stack-based buffer overflow in the init_syms function of MySQL, a popular database, has been discovered that allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. The ability to create user-defined functions is not typically granted to untrusted users. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3
last seen	2020-06-01
modified	2020-06-02
plugin id	19800
published	2005-10-05
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19800
title	Debian DSA-831-1 : mysql-dfsg - buffer overflow
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-831. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(19800); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2005-2558"); script_bugtraq_id(14509); script_xref(name:"DSA", value:"831"); script_name(english:"Debian DSA-831-1 : mysql-dfsg - buffer overflow"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A stack-based buffer overflow in the init_syms function of MySQL, a popular database, has been discovered that allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. The ability to create user-defined functions is not typically granted to untrusted users. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-831" ); script_set_attribute(attribute:"solution", value:"Upgrade the mysql-dfsg packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql-dfsg"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2005/09/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/08"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"libmysqlclient12", reference:"4.0.24-10sarge1")) flag++; if (deb_check(release:"3.1", prefix:"libmysqlclient12-dev", reference:"4.0.24-10sarge1")) flag++; if (deb_check(release:"3.1", prefix:"mysql-client", reference:"4.0.24-10sarge1")) flag++; if (deb_check(release:"3.1", prefix:"mysql-common", reference:"4.0.24-10sarge1")) flag++; if (deb_check(release:"3.1", prefix:"mysql-server", reference:"4.0.24-10sarge1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-829.NASL
description	A stack-based buffer overflow in the init_syms function of MySQL, a popular database, has been discovered that allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. The ability to create user-defined functions is not typically granted to untrusted users. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3
last seen	2020-06-01
modified	2020-06-02
plugin id	19798
published	2005-10-05
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19798
title	Debian DSA-829-1 : mysql - buffer overflow
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-829. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(19798); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2005-2558"); script_bugtraq_id(14509); script_xref(name:"DSA", value:"829"); script_name(english:"Debian DSA-829-1 : mysql - buffer overflow"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A stack-based buffer overflow in the init_syms function of MySQL, a popular database, has been discovered that allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. The ability to create user-defined functions is not typically granted to untrusted users. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-829" ); script_set_attribute(attribute:"solution", value:"Upgrade the mysql packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2005/09/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/08"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"libmysqlclient10", reference:"3.23.49-8.14")) flag++; if (deb_check(release:"3.0", prefix:"libmysqlclient10-dev", reference:"3.23.49-8.14")) flag++; if (deb_check(release:"3.0", prefix:"mysql-client", reference:"3.23.49-8.14")) flag++; if (deb_check(release:"3.0", prefix:"mysql-common", reference:"3.23.49-8.14")) flag++; if (deb_check(release:"3.0", prefix:"mysql-doc", reference:"3.23.49-8.5")) flag++; if (deb_check(release:"3.0", prefix:"mysql-server", reference:"3.23.49-8.14")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-180-1.NASL
description	AppSecInc Team SHATTER discovered a buffer overflow in the
last seen	2020-06-01
modified	2020-06-02
plugin id	20591
published	2006-01-15
reporter	Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/20591
title	Ubuntu 4.10 / 5.04 : mysql-dfsg vulnerability (USN-180-1)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-180-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(20591); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:33:00"); script_cve_id("CVE-2005-2558"); script_xref(name:"USN", value:"180-1"); script_name(english:"Ubuntu 4.10 / 5.04 : mysql-dfsg vulnerability (USN-180-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "AppSecInc Team SHATTER discovered a buffer overflow in the 'CREATE FUNCTION' statement. By specifying a specially crafted long function name, a local or remote attacker with function creation privileges could crash the server or execute arbitrary code with server privileges. However, the right to create function is usually not granted to untrusted users. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient12"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient12-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04"); script_set_attribute(attribute:"patch_publication_date", value:"2005/09/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(4\.10\|5\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"4.10", pkgname:"libmysqlclient-dev", pkgver:"4.0.20-2ubuntu1.6")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"libmysqlclient12", pkgver:"4.0.20-2ubuntu1.6")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"mysql-client", pkgver:"4.0.20-2ubuntu1.6")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"mysql-common", pkgver:"4.0.20-2ubuntu1.6")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"mysql-server", pkgver:"4.0.20-2ubuntu1.6")) flag++; if (ubuntu_check(osver:"5.04", pkgname:"libmysqlclient12", pkgver:"4.0.23-3ubuntu2.1")) flag++; if (ubuntu_check(osver:"5.04", pkgname:"libmysqlclient12-dev", pkgver:"4.0.23-3ubuntu2.1")) flag++; if (ubuntu_check(osver:"5.04", pkgname:"mysql-client", pkgver:"4.0.23-3ubuntu2.1")) flag++; if (ubuntu_check(osver:"5.04", pkgname:"mysql-common", pkgver:"4.0.23-3ubuntu2.1")) flag++; if (ubuntu_check(osver:"5.04", pkgname:"mysql-server", pkgver:"4.0.23-3ubuntu2.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmysqlclient-dev / libmysqlclient12 / libmysqlclient12-dev / etc"); }

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-833.NASL
description	This update only covers binary packages for the big endian MIPS architecture that was mysteriously forgotten in the earlier update. For completeness below is the original advisory text : A stack-based buffer overflow in the init_syms function of MySQL, a popular database, has been discovered that allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field. The ability to create user-defined functions is not typically granted to untrusted users. The following vulnerability matrix explains which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3
last seen	2020-06-01
modified	2020-06-02
plugin id	19802
published	2005-10-05
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19802
title	Debian DSA-833-2 : mysql-dfsg-4.1 - buffer overflow

NASL family	Databases
NASL id	MYSQL_INIT_SYMS_BUFFER_OVERFLOW.NASL
description	According to its version number, the installation of MySQL on the remote host is potentially affected by two flaws : - A buffer overflow can be triggered when copying the name of a user-defined function into a stack-based buffer. With sufficient access to create a user-defined function, an attacker may be able to exploit this and execute arbitrary code within the context of the affected database server process. (CVE-2005-2558) - The mysql_create_function is not fully protected against directory traversal attacks. On Windows, arbitrary files can be included by using backslash characters. (CVE-2005-2573)
last seen	2020-06-01
modified	2020-06-02
plugin id	19416
published	2005-08-10
reporter	This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19416
title	MySQL < 4.0.25 / 4.1.13 / 5.0.7 Multiple Vulnerabilies

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2005-163.NASL
description	A stack-based buffer overflow was discovered in the init_syms function in MySQL that allows authenticated users that can create user-defined functions to execute arbitrary code via a long function_name field. The updated packages have been patched to address these issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	19918
published	2005-10-05
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19918
title	Mandrake Linux Security Advisory : MySQL (MDKSA-2005:163)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-180-2.NASL
description	USN-180-1 fixed a vulnerability in the mysql-server package (which ships version 4.0). Version 4.1 is vulnerable against the same flaw. Please note that this package is not officially supported in Ubuntu 5.10. Origial advisory :
last seen	2020-06-01
modified	2020-06-02
plugin id	20760
published	2006-01-21
reporter	Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/20760
title	Ubuntu 5.10 : mysql-dfsg-4.1 vulnerability (USN-180-2)

Summary

Vulnerable Configurations

Nessus

References