CVE-2006-3469 - Use of Externally-Controlled Format String vulnerability in multiple products

CVSS: 4.0 (MEDIUM)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, low complexity, mysql, oracle, CWE-134, nessus, exploit available

Summary

Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language, such as printf, the formatting character %s will print the contents of a memory location, expecting this location to identify a string, and the formatting character %n prints the number of DWORDs written in the memory. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Exploit-Db

description: MySQL 4.x/5.x Server Date_Format Denial Of Service Vulnerability. CVE-2006-3469. DoS exploit for Linux platform
id: EDB-ID:28234
last seen: 2016-02-03
modified: 2006-07-18
published: 2006-07-18
reporter: Christian Hammers
source: https://www.exploit-db.com/download/28234/
title: MySQL 4.x/5.x Server Date_Format Denial of Service Vulnerability

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1112.NASL
    description: Several local vulnerabilities have been discovered in the MySQL database server, which may lead to denial of service. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3081
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22654
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22654
    title: Debian DSA-1112-1 : mysql-dfsg-4.1 - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1112. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22654);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2006-3081", "CVE-2006-3469");
      script_xref(name:"DSA", value:"1112");
    
      script_name(english:"Debian DSA-1112-1 : mysql-dfsg-4.1 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several local vulnerabilities have been discovered in the MySQL
    database server, which may lead to denial of service. The Common
    Vulnerabilities and Exposures project identifies the following
    problems :
    
      - CVE-2006-3081
        'Kanatoko' discovered that the server can be crashed
        with feeding NULL values to the str_to_date() function.
    
      - CVE-2006-3469
        Jean-David Maillefer discovered that the server can be
        crashed with specially crafted date_format() function
        calls."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373913"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=375694"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-3081"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-3469"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1112"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the mysql-dfsg-4.1 packages.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 4.1.11a-4sarge5."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql-dfsg-4.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"libmysqlclient14", reference:"4.1.11a-4sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"libmysqlclient14-dev", reference:"4.1.11a-4sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"mysql-client-4.1", reference:"4.1.11a-4sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"mysql-common-4.1", reference:"4.1.11a-4sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"mysql-server-4.1", reference:"4.1.11a-4sarge5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2006-211-01.NASL
    description: New mysql packages are available for Slackware 10.2 to fix security issues (and other bugs). For complete details about the many fixes addressed by this release, you can find MySQL
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24656
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/24656
    title: Slackware 10.2 : mysql (SSA:2006-211-01)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2006-211-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24656);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      script_cve_id("CVE-2006-3469");
      script_xref(name:"SSA", value:"2006-211-01");
    
      script_name(english:"Slackware 10.2 : mysql (SSA:2006-211-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New mysql packages are available for Slackware 10.2 to fix security
    issues (and other bugs). For complete details about the many fixes
    addressed by this release, you can find MySQL's news article about the
    MySQL 4.1.21 Community Edition release here:
    http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html"
      );
      # http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html"
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.387994
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?200bc6d9"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected mysql package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:mysql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"10.2", pkgname:"mysql", pkgver:"4.1.21", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_FCB90EB02ACE11DBA6E2000E0C2E438A.NASL
    description: Jean-David Maillefer reports a Denial of Service vulnerability within MySQL. The vulnerability is caused by improper checking of the data_format routine, which causes the MySQL server to crash. The crash is triggered by the following code:
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22213
    published: 2006-08-14
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22213
    title: FreeBSD : mysql -- format string vulnerability (fcb90eb0-2ace-11db-a6e2-000e0c2e438a)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-321-1.NASL
    description: Jean-David Maillefer discovered a format string bug in the date_format() function
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27899
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2007-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27899
    title: Ubuntu 5.10 : mysql-dfsg-4.1 vulnerability (USN-321-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2008-0768.NASL
    description: Updated mysql packages that fix various security issues, several bugs, and add an enhancement are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33585
    published: 2008-07-25
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33585
    title: RHEL 4 : mysql (RHSA-2008:0768)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20080724_MYSQL_ON_SL4_X.NASL
    description: MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60451
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60451
    title: Scientific Linux Security Update : mysql on SL4.x i386/x86_64
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200608-09.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200608-09 (MySQL: Denial of Service). Jean-David Maillefer discovered a format string vulnerability in time.cc where MySQL fails to properly handle specially formatted user input to the date_format function. Impact : By specifying a format string as the first parameter to the date_format function, an authenticated attacker could cause MySQL to crash, resulting in a Denial of Service. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22167
    published: 2006-08-07
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22167
    title: GLSA-200608-09 : MySQL: Denial of Service
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_4_9.NASL
    description: The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24811
    published: 2007-03-13
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24811
    title: Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)
  • NASL family: Databases
    NASL id: MYSQL_4_1_21.NASL
    description: The version of MySQL installed on the remote host is earlier than 4.1.21 / 5.0 and reportedly allows a remote, authenticated user to crash the server via a format string attack.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17800
    published: 2012-01-16
    reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/17800
    title: MySQL < 4.1.21 / 5.0 Denial of Service

Oval

accepted: 2013-04-29T04:22:35.064-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message.
family: unix
id: oval:org.mitre.oval:def:9827
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message.
version: 26

Redhat

advisories:
rhsa:
id: RHSA-2008:0768
rpms:
  • mysql-0:4.1.22-2.el4
  • mysql-bench-0:4.1.22-2.el4
  • mysql-debuginfo-0:4.1.22-2.el4
  • mysql-devel-0:4.1.22-2.el4
  • mysql-server-0:4.1.22-2.el4

Statements

contributor: Mark J Cox
last modified: 2008-07-25
organization: Red Hat
statement: This issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2008-0768.html This issue did not affect mysql packages as shipped with Red Hat Enterprise Linux 2.1, 3, or 5, and Red Hat Application Stack v1 and v2.