Oracle MySQL Database BO (May 21, 2010)
MySQL is an open-source implementation of a relational database. The database uses the MySQL protocol to communicate with clients over the network. MySQL has a number of built-in SQL functions which are designed to help users with the task of querying and updating it.
The server listens for connections on TCP port 3306 by default. Interaction with the database starts after a client is successfully authenticated. The protocol relies on a generic request/response scheme wherein the client sends SQL queries and receives the resulting data sets. All packets share the following common 4-byte header:
Bytes Name ---------------------- 3 Packet Length (n) 1 Packet Number n Packet Data
The request/response mode is entered into after successful authentication. In all requests, the first byte of packet data is the command code.
A buffer overflow vulnerability exists in MySQL database server. The vulnerability is due to lack of input validation in the check_if_table_exists function. The vulnerable function copies user supplied data of a request into a fixed stack buffer without validating the length of the source data. As a result, critical stack data can be overwritten allowing for arbitrary code execution. A remote authenticated attacker can exploit this vulnerability by sending a crafted request to a target server. The impact of the vulnerability is mitigated by the requirement of a successful authentication. Successful exploitation may lead to process flow diversion.
SonicWall has released an IPS signature to address a specific exploit targeting this vulnerability. The following signature addresses this vulnerability:
- 5366 – MySQL COM_FIELD_LIST BO PoC
This vulnerability has been assigned the CVE-2010-1850 id by mitre.