Vulnerabilities > CVE-2006-3469 - Use of Externally-Controlled Format String vulnerability in multiple products
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |

(The CVSS v3 fields above are not populated for this 2006 entry. The Nessus plugins listed further down carry the CVSS v2 base vector AV:N/AC:L/Au:S/C:N/I:N/A:P: network-reachable, low complexity, one authentication, availability impact only.)

Summary
Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message. Note the preconditions: the attacker needs a valid database login that can run a SELECT, and the only impact claimed for this bug is a server crash; no code execution has been demonstrated for it.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 10 |
Application | | 15 |
Common Weakness Enumeration (CWE)
- CWE-134: Use of Externally-Controlled Format String
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection: An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in functions of the C programming language such as printf, the conversion %s prints the contents of a memory location, expecting that location to hold a string, and %n writes the number of bytes output so far into the integer that the corresponding argument points to. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may crash the program, and writing memory can lead to execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
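The pattern described in the Summary and in the Format String Injection entry above, as an added example. This is my own illustration, not MySQL's time.cc and not the Exploit-Db proof of concept: an unparseable date is echoed into an error message, and the vulnerable path then hands that message to a printf-style helper as its format instead of as a "%s" argument. The parser, the helper names (emit, date_format, report_bad_date_*, count_conversions) and the sample inputs are assumptions made for the example.

```c
/* Added example (not MySQL's code, not the EDB-ID 28234 exploit).
 * Models the bug class behind CVE-2006-3469: an unparseable date is
 * echoed into an error message, and that message is then passed to a
 * printf-style function as its FORMAT argument instead of as data.
 * Build: cc -std=c99 -Wall -Wformat-security fmt_demo.c
 */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256

/* Thin vsnprintf wrapper standing in for an engine's warning/printf helper.
 * It carries no format attribute, so -Wformat-security stays silent on the
 * vulnerable call below, which is how such bugs survive in real code bases. */
static int emit(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Hypothetical strict YYYY-MM-DD checker (assumption: not MySQL's parser). */
static bool parse_date(const char *s)
{
    if (strlen(s) != 10)
        return false;
    for (int i = 0; i < 10; i++) {
        if (i == 4 || i == 7) {
            if (s[i] != '-')
                return false;
        } else if (s[i] < '0' || s[i] > '9') {
            return false;
        }
    }
    return true;
}

/* Vulnerable pattern: the attacker-influenced message IS the format. */
static void report_bad_date_vuln(char *err, size_t errsz, const char *date)
{
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "Incorrect datetime value: '%s'", date);
    /* BUG: with date = "%s%s%s%s..." this reads varargs that were never
     * passed and crashes; a "%n" turns it into a memory write. Only ever
     * reached with harmless input in this example. */
    emit(err, errsz, msg);
}

/* Fixed pattern: constant format, the message travels as a "%s" argument. */
static void report_bad_date_safe(char *err, size_t errsz, const char *date)
{
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "Incorrect datetime value: '%s'", date);
    emit(err, errsz, "%s", msg);
}

/* Stand-in for DATE_FORMAT(date, ...): returns 0 if the date parses,
 * -1 plus an error string otherwise. hardened selects the fixed path. */
int date_format(const char *date, char *err, size_t errsz, bool hardened)
{
    err[0] = '\0';
    if (parse_date(date))
        return 0;
    if (hardened)
        report_bad_date_safe(err, errsz, date);
    else
        report_bad_date_vuln(err, errsz, date);
    return -1;
}

/* Runs date_format() on a scratch buffer and returns 1 if the error text
 * equals expected, so callers can check behaviour without their own buffer. */
int error_text_equals(const char *date, bool hardened, const char *expected)
{
    char err[MSG_MAX];
    date_format(date, err, sizeof err, hardened);
    return strcmp(err, expected) == 0;
}

/* Detection signal, not a fix: count printf conversions ("%%" is a literal
 * percent) in a value that should be a date. Usable on a query log or proxy. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* escaped percent, skip both characters */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char err[MSG_MAX];
    const char *hostile = "%s%s%s%s%s%s%s%s%n";   /* constructed sample input */

    /* Hardened path: the specifiers come back verbatim, nothing is interpreted. */
    date_format(hostile, err, sizeof err, true);
    printf("hardened: %s\n", err);
    printf("conversions in input: %d\n", count_conversions(hostile));

    /* The vulnerable path is only exercised with a value free of '%'. */
    date_format("not-a-date", err, sizeof err, false);
    printf("vulnerable path, benign input: %s\n", err);
    return 0;
}
```

The fix is the one-token change from emit(err, errsz, msg) to emit(err, errsz, "%s", msg); compiling with -Wformat-security only catches the bug when the printing function is declared with a format attribute, so wrappers like emit need one too. count_conversions is a cheap log-side heuristic for spotting date arguments full of % sequences, not a substitute for patching to 4.1.21.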
Exploit-Db
description | MySQL 4.x/5.x Server Date_Format Denial Of Service Vulnerability. CVE-2006-3469. DoS exploit for linux platform |
id | EDB-ID:28234 |
last seen | 2016-02-03 |
modified | 2006-07-18 |
published | 2006-07-18 |
reporter | Christian Hammers |
source | https://www.exploit-db.com/download/28234/ |
title | MySQL 4.x/5.x Server Date_Format Denial of Service Vulnerability |
Nessus
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-1112.NASL |
description | Several local vulnerabilities have been discovered in the MySQL database server, which may lead to denial of service. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3081 |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22654 |
published | 2006-10-14 |
reporter | This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/22654 |
title | Debian DSA-1112-1 : mysql-dfsg-4.1 - several vulnerabilities |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1112. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22654);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2006-3081", "CVE-2006-3469");
  script_xref(name:"DSA", value:"1112");

  script_name(english:"Debian DSA-1112-1 : mysql-dfsg-4.1 - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several local vulnerabilities have been discovered in the MySQL database
server, which may lead to denial of service. The Common Vulnerabilities and
Exposures project identifies the following problems :

  - CVE-2006-3081
    'Kanatoko' discovered that the server can be crashed with feeding NULL
    values to the str_to_date() function.

  - CVE-2006-3469
    Jean-David Maillefer discovered that the server can be crashed with
    specially crafted date_format() function calls."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373913"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=375694"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-3081"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-3469"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2006/dsa-1112"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the mysql-dfsg-4.1 packages.

For the stable distribution (sarge) these problems have been fixed in
version 4.1.11a-4sarge5."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql-dfsg-4.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/27");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.1", prefix:"libmysqlclient14", reference:"4.1.11a-4sarge5")) flag++;
if (deb_check(release:"3.1", prefix:"libmysqlclient14-dev", reference:"4.1.11a-4sarge5")) flag++;
if (deb_check(release:"3.1", prefix:"mysql-client-4.1", reference:"4.1.11a-4sarge5")) flag++;
if (deb_check(release:"3.1", prefix:"mysql-common-4.1", reference:"4.1.11a-4sarge5")) flag++;
if (deb_check(release:"3.1", prefix:"mysql-server-4.1", reference:"4.1.11a-4sarge5")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2006-211-01.NASL |
description | New mysql packages are available for Slackware 10.2 to fix security issues (and other bugs). For complete details about the many fixes addressed by this release, you can find MySQL |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24656 |
published | 2007-02-18 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/24656 |
title | Slackware 10.2 : mysql (SSA:2006-211-01) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2006-211-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#

include("compat.inc");

if (description)
{
  script_id(24656);
  script_version("1.14");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  script_cve_id("CVE-2006-3469");
  script_xref(name:"SSA", value:"2006-211-01");

  script_name(english:"Slackware 10.2 : mysql (SSA:2006-211-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"New mysql packages are available for Slackware 10.2 to fix security
issues (and other bugs). For complete details about the many fixes
addressed by this release, you can find MySQL's news article about the
MySQL 4.1.21 Community Edition release here:
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html"
  );
  # http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html"
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.387994
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?200bc6d9"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected mysql package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:mysql");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Slackware Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

flag = 0;
if (slackware_check(osver:"10.2", pkgname:"mysql", pkgver:"4.1.21", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_FCB90EB02ACE11DBA6E2000E0C2E438A.NASL |
description | Jean-David Maillefer reports a Denial of Service vulnerability within MySQL. The vulnerability is caused by improper checking of the date_format routine, which causes the MySQL server to crash. The crash is triggered by the following code: |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22213 |
published | 2006-08-14 |
reporter | This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/22213 |
title | FreeBSD : mysql -- format string vulnerability (fcb90eb0-2ace-11db-a6e2-000e0c2e438a) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-321-1.NASL |
description | Jean-David Maillefer discovered a format string bug in the date_format() function |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 27899 |
published | 2007-11-10 |
reporter | Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2007-2016 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/27899 |
title | Ubuntu 5.10 : mysql-dfsg-4.1 vulnerability (USN-321-1) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2008-0768.NASL |
description | Updated mysql packages that fix various security issues, several bugs, and add an enhancement are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 33585 |
published | 2008-07-25 |
reporter | This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/33585 |
title | RHEL 4 : mysql (RHSA-2008:0768) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20080724_MYSQL_ON_SL4_X.NASL |
description | MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 60451 |
published | 2012-08-01 |
reporter | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/60451 |
title | Scientific Linux Security Update : mysql on SL4.x i386/x86_64 |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200608-09.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200608-09 (MySQL: Denial of Service). Jean-David Maillefer discovered a format string vulnerability in time.cc where MySQL fails to properly handle specially formatted user input to the date_format function. Impact : By specifying a format string as the first parameter to the date_format function, an authenticated attacker could cause MySQL to crash, resulting in a Denial of Service. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22167 |
published | 2006-08-07 |
reporter | This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/22167 |
title | GLSA-200608-09 : MySQL: Denial of Service |

NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_10_4_9.NASL |
description | The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24811 |
published | 2007-03-13 |
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/24811 |
title | Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003) |

NASL family | Databases |
NASL id | MYSQL_4_1_21.NASL |
description | The version of MySQL installed on the remote host is earlier than 4.1.21 / 5.0 and reportedly allows a remote, authenticated user to crash the server via a format string attack. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 17800 |
published | 2012-01-16 |
reporter | This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/17800 |
title | MySQL < 4.1.21 / 5.0 Denial of Service |
Oval
accepted | 2013-04-29T04:22:35.064-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message. |
family | unix |
id | oval:org.mitre.oval:def:9827 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message. |
version | 26 |
Redhat
advisories | |
rpms | |
Statements
contributor | Mark J Cox |
lastmodified | 2008-07-25 |
organization | Red Hat |
statement | This issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2008-0768.html This issue did not affect mysql packages as shipped with Red Hat Enterprise Linux 2.1, 3, or 5, and Red Hat Application Stack v1 and v2. |
References
- http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
- http://www.debian.org/security/2006/dsa-1112
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=375694
- http://bugs.mysql.com/bug.php?id=20729
- http://www.securityfocus.com/bid/19032
- http://www.ubuntu.com/usn/usn-321-1
- http://secunia.com/advisories/21147
- http://security.gentoo.org/glsa/glsa-200608-09.xml
- http://secunia.com/advisories/21366
- http://docs.info.apple.com/article.html?artnum=305214
- http://secunia.com/advisories/24479
- http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
- http://www.us-cert.gov/cas/techalerts/TA07-072A.html
- http://secunia.com/advisories/31226
- http://www.redhat.com/support/errata/RHSA-2008-0768.html
- http://www.vupen.com/english/advisories/2007/0930
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9827