Vulnerabilities > CVE-2009-4484 - Out-of-bounds Write vulnerability in multiple products
Summary
Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description | MySQL yaSSL CertDecoder::GetName Buffer Overflow. CVE-2009-4484. Remote exploit for linux platform |
id | EDB-ID:16850 |
last seen | 2016-02-02 |
modified | 2010-04-30 |
published | 2010-04-30 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16850/ |
title | MySQL yaSSL CertDecoder::GetName Buffer Overflow |
Metasploit
description | This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside "taocrypt/src/asn.cpp". However, the stack buffer that is written to exists within a parent function's stack frame. NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL. The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing on Windows XP SP3, these protections successfully prevented exploitation. Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary package were not exploitable due to the use of the compiler's FORTIFY feature. Although suse11 was mentioned in the original blog post, the binary package they provide does not contain yaSSL or support SSL. |
id | MSF:EXPLOIT/LINUX/MYSQL/MYSQL_YASSL_GETNAME |
last seen | 2020-03-18 |
modified | 2017-07-24 |
published | 2010-01-27 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/mysql/mysql_yassl_getname.rb |
title | MySQL yaSSL CertDecoder::GetName Buffer Overflow |
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-897-1.NASL description It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This update alters table creation behaviour by disallowing the use of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. This issue only affected Ubuntu 8.10. (CVE-2008-4098) It was discovered that MySQL contained a cross-site scripting vulnerability in the command-line client when the --html option is enabled. An attacker could place arbitrary web script or html in a database cell, which would then get placed in the html document output by the command-line tool. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04. (CVE-2008-4456) It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use symlinks combined with the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This issue only affected Ubuntu 9.10. (CVE-2008-7247) It was discovered that MySQL contained multiple format string flaws when logging database creation and deletion. An authenticated user could use specially crafted database names to make MySQL crash, causing a denial of service. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04. (CVE-2009-2446) It was discovered that MySQL incorrectly handled errors when performing certain SELECT statements, and did not preserve correct flags when performing statements that use the GeomFromWKB function. An authenticated user could exploit this to make MySQL crash, causing a denial of service. (CVE-2009-4019) It was discovered that MySQL incorrectly checked symlinks when using the DATA DIRECTORY and INDEX DIRECTORY options. A local user could use symlinks to create tables that pointed to tables known to be created at a later time, bypassing access restrictions. (CVE-2009-4030) It was discovered that MySQL contained a buffer overflow when parsing ssl certificates. A remote attacker could send crafted requests and cause a denial of service or possibly execute arbitrary code. This issue did not affect Ubuntu 6.06 LTS and the default compiler options for affected releases should reduce the vulnerability to a denial of service. In the default installation, attackers would also be isolated by the AppArmor MySQL profile. (CVE-2009-4484). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 44585 published 2010-02-11 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44585 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-897-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-897-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(44585); script_version("1.12"); script_cvs_date("Date: 2019/09/19 12:54:26"); script_cve_id("CVE-2008-4098", "CVE-2008-4456", "CVE-2008-7247", "CVE-2009-2446", "CVE-2009-4019", "CVE-2009-4030", "CVE-2009-4484"); script_bugtraq_id(29106, 31486, 35609, 37075, 37297, 37640, 37943, 38043); script_xref(name:"USN", value:"897-1"); script_name(english:"Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-897-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This update alters table creation behaviour by disallowing the use of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. This issue only affected Ubuntu 8.10. (CVE-2008-4098) It was discovered that MySQL contained a cross-site scripting vulnerability in the command-line client when the --html option is enabled. An attacker could place arbitrary web script or html in a database cell, which would then get placed in the html document output by the command-line tool. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04. (CVE-2008-4456) It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use symlinks combined with the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This issue only affected Ubuntu 9.10. (CVE-2008-7247) It was discovered that MySQL contained multiple format string flaws when logging database creation and deletion. An authenticated user could use specially crafted database names to make MySQL crash, causing a denial of service. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04. (CVE-2009-2446) It was discovered that MySQL incorrectly handled errors when performing certain SELECT statements, and did not preserve correct flags when performing statements that use the GeomFromWKB function. An authenticated user could exploit this to make MySQL crash, causing a denial of service. (CVE-2009-4019) It was discovered that MySQL incorrectly checked symlinks when using the DATA DIRECTORY and INDEX DIRECTORY options. A local user could use symlinks to create tables that pointed to tables known to be created at a later time, bypassing access restrictions. (CVE-2009-4030) It was discovered that MySQL contained a buffer overflow when parsing ssl certificates. A remote attacker could send crafted requests and cause a denial of service or possibly execute arbitrary code. This issue did not affect Ubuntu 6.06 LTS and the default compiler options for affected releases should reduce the vulnerability to a denial of service. In the default installation, attackers would also be isolated by the AppArmor MySQL profile. (CVE-2009-4484). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/897-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MySQL yaSSL CertDecoder::GetName Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(59, 79, 119, 134); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient15-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient15off"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient16"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient16-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqld-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqld-pic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-client-5.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-client-5.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-5.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-5.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-core-5.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-core-5.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/09/18"); script_set_attribute(attribute:"patch_publication_date", value:"2010/02/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(6\.06|8\.04|8\.10|9\.04|9\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 8.04 / 8.10 / 9.04 / 9.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"6.06", pkgname:"libmysqlclient15-dev", pkgver:"5.0.22-0ubuntu6.06.12")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"libmysqlclient15off", pkgver:"5.0.22-0ubuntu6.06.12")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"mysql-client", pkgver:"5.0.22-0ubuntu6.06.12")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"mysql-client-5.0", pkgver:"5.0.22-0ubuntu6.06.12")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"mysql-common", pkgver:"5.0.22-0ubuntu6.06.12")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"mysql-server", pkgver:"5.0.22-0ubuntu6.06.12")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"mysql-server-5.0", pkgver:"5.0.22-0ubuntu6.06.12")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libmysqlclient15-dev", pkgver:"5.0.51a-3ubuntu5.5")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libmysqlclient15off", pkgver:"5.0.51a-3ubuntu5.5")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"mysql-client", pkgver:"5.0.51a-3ubuntu5.5")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"mysql-client-5.0", pkgver:"5.0.51a-3ubuntu5.5")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"mysql-common", pkgver:"5.0.51a-3ubuntu5.5")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"mysql-server", pkgver:"5.0.51a-3ubuntu5.5")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"mysql-server-5.0", pkgver:"5.0.51a-3ubuntu5.5")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"libmysqlclient15-dev", pkgver:"5.0.67-0ubuntu6.1")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"libmysqlclient15off", pkgver:"5.0.67-0ubuntu6.1")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"mysql-client", pkgver:"5.0.67-0ubuntu6.1")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"mysql-client-5.0", pkgver:"5.0.67-0ubuntu6.1")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"mysql-common", pkgver:"5.0.67-0ubuntu6.1")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"mysql-server", pkgver:"5.0.67-0ubuntu6.1")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"mysql-server-5.0", pkgver:"5.0.67-0ubuntu6.1")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"libmysqlclient15-dev", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"libmysqlclient15off", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"mysql-client", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"mysql-client-5.0", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"mysql-common", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"mysql-server", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"mysql-server-5.0", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"mysql-server-core-5.0", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libmysqlclient-dev", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libmysqlclient16", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libmysqlclient16-dev", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libmysqld-dev", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libmysqld-pic", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"mysql-client", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"mysql-client-5.1", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"mysql-common", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"mysql-server", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"mysql-server-5.1", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"mysql-server-core-5.1", pkgver:"5.1.37-1ubuntu5.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmysqlclient-dev / libmysqlclient15-dev / libmysqlclient15off / etc"); }
NASL family Databases NASL id MYSQL_5_1_43_YASSL.NASL description The version of MySQL installed on the remote host is older than 5.0.90, 5.1.43 or 5.5.0-m2. Such versions use yaSSL prior to 1.9.9, that is vulnerable to multiple buffer overflows. These overflows allow a remote attacker to crash the server. last seen 2020-06-01 modified 2020-06-02 plugin id 17835 published 2012-01-18 reporter This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17835 title MySQL < 5.0.90 / 5.1.43 / 5.5.0-m2 Multiple Buffer Overflows NASL family SuSE Local Security Checks NASL id SUSE_MYSQL-6899.NASL description This update fixes various security issues (bnc#557669) : upstream #47320 - checking server certificates (CVE-2009-4028) upstream #48291 - error handling in subqueries (CVE-2009-4019) upstream #47780 - preserving null_value flag in GeomFromWKB() (CVE-2009-4019) upstream #39277 - symlink behaviour fixed (CVE-2008-7247) upstream #32167 - symlink behaviour refixed (CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484) last seen 2020-06-01 modified 2020-06-02 plugin id 49903 published 2010-10-11 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49903 title SuSE 10 Security Update : MySQL (ZYPP Patch Number 6899) NASL family SuSE Local Security Checks NASL id SUSE_MYSQL-6897.NASL description This update fixes various security issues (bnc#557669) : upstream #47320 - checking server certificates (CVE-2009-4028) upstream #48291 - error handling in subqueries (CVE-2009-4019) upstream #47780 - preserving null_value flag in GeomFromWKB() (CVE-2009-4019) upstream #39277 - symlink behaviour fixed (CVE-2008-7247) upstream #32167 - symlink behaviour refixed (CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484) last seen 2020-06-01 modified 2020-06-02 plugin id 45107 published 2010-03-19 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/45107 title SuSE 10 Security Update : MySQL (ZYPP Patch Number 6897) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1397-1.NASL description Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.1.61 in Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10. Ubuntu 8.04 LTS has been updated to MySQL 5.0.95. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information : http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.ht ml. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 58325 published 2012-03-13 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/58325 title Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-1397-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1997.NASL description Several vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-4019 Domas Mituzas discovered that mysqld does not properly handle errors during execution of certain SELECT statements with subqueries, and does not preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement. - CVE-2009-4030 Sergei Golubchik discovered that MySQL allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified DATA DIRECTORY or INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory. - CVE-2009-4484 Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field. last seen 2020-06-01 modified 2020-06-02 plugin id 44861 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44861 title Debian DSA-1997-1 : mysql-dfsg-5.0 - several vulnerabilities NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201201-02.NASL description The remote host is affected by the vulnerability described in GLSA-201201-02 (MySQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact : An unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the MySQL process, cause a Denial of Service condition, bypass security restrictions, uninstall arbitrary MySQL plugins, or conduct Man-in-the-Middle and Cross-Site Scripting attacks. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 57446 published 2012-01-06 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57446 title GLSA-201201-02 : MySQL: Multiple vulnerabilities
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:19118 |
last seen | 2017-11-19 |
modified | 2010-02-13 |
published | 2010-02-13 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-19118 |
title | MySQL vulnerabilities |
Statements
contributor | Tomas Hoger |
lastmodified | 2010-01-26 |
organization | Red Hat |
statement | Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, 4, or 5. The packages use OpenSSL and not yaSSL. |
References
- http://www.intevydis.com/blog/?p=57
- http://intevydis.com/vd-list.shtml
- http://www.securityfocus.com/bid/37640
- http://archives.neohapsis.com/archives/dailydave/2010-q1/0002.html
- http://isc.sans.org/diary.html?storyid=7900
- http://intevydis.com/mysql_demo.html
- http://www.intevydis.com/blog/?p=106
- http://securitytracker.com/id?1023402
- http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0/revision/2837.1.1
- http://www.vupen.com/english/advisories/2010/0233
- http://www.metasploit.com/modules/exploit/linux/mysql/mysql_yassl_getname
- http://securitytracker.com/id?1023513
- http://www.yassl.com/news.html#yassl199
- http://yassl.cvs.sourceforge.net/viewvc/yassl/yassl/taocrypt/src/asn.cpp?r1=1.13&r2=1.14
- http://secunia.com/advisories/38364
- http://lists.immunitysec.com/pipermail/dailydave/2010-January/006020.html
- http://intevydis.com/mysql_overflow1.py.txt
- http://dev.mysql.com/doc/refman/5.1/en/news-5-1-43.html
- http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html
- http://secunia.com/advisories/37493
- http://dev.mysql.com/doc/refman/5.0/en/news-5-0-90.html
- http://secunia.com/advisories/38344
- http://bugs.mysql.com/bug.php?id=50227
- http://lists.mysql.com/commits/96697
- http://www.vupen.com/english/advisories/2010/0236
- http://www.securityfocus.com/bid/37974
- http://www.yassl.com/release.html
- http://www.securityfocus.com/bid/37943
- http://www.osvdb.org/61956
- https://bugzilla.redhat.com/show_bug.cgi?id=555313
- http://www.debian.org/security/2010/dsa-1997
- http://secunia.com/advisories/38573
- http://secunia.com/advisories/38517
- http://ubuntu.com/usn/usn-897-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55416
- http://www.ubuntu.com/usn/USN-1397-1