Percona Server with XtraDB

Oracle fix for CVE-2012-5611 is incomplete

Reported by Laurynas Biveinis on 2013-06-02
Affects          Status                 Importance   Assigned to   Milestone
MySQL Server     Unknown                Unknown
Percona Server   Status tracked in 5.6
  5.1                                   High         Unassigned
  5.5                                   High         Unassigned
  5.6                                   High         Unassigned

Bug Description

This is for Oracle MySQL 5.1/5.5/5.6 and Percona Server 5.6. Percona Server 5.1/5.5 has the MariaDB fix and is not affected. The impact of this bug is two bytes overwritten on stack, which should not be enough for remote code execution.

[2 Jun 14:48] Laurynas Biveinis

Description:
The fix for bug CVE-2012-5611 (bug 67685?) is incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and check_grant_db() can be overflowed by up to two bytes. That is probably not enough to do anything more serious than crashing mysqld.

The fix at 3853.1.1 attempted to check for overflow:

  copy_length= (size_t) (strlen(ip ? ip : "") +
                 strlen(user ? user : "") +
                 strlen(db ? db : ""));
  if (copy_length >= ACL_KEY_LENGTH)
    DBUG_RETURN(0);

And here is how the buffer is filled:

  end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);

Neither "+1" is accounted for in the copy_length check.

How to repeat:
Add

  if (end - key > ACL_KEY_LENGTH)
    fprintf(stderr, "end - key = %d\n", (int)(end - key));

after the strmov(), run the test below, and observe "end - key > ACL_KEY_LENGTH" being printed twice (once per SELECT). It should also trigger an ASan error, but not a Valgrind error.

--source include/not_embedded.inc
--source include/count_sessions.inc

grant usage on *.* to mysqltest_1@localhost;
connect (con1, localhost, mysqltest_1,,);
connection con1;
select 1 from information_schema.tables where table_schema=repeat('a', 246);
select 1 from information_schema.tables where table_schema=repeat('a', 245);
connection default;
disconnect con1;
drop user mysqltest_1@localhost;

--source include/wait_until_count_sessions.inc

Suggested fix:
copy_length= ... + 2;
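The off-by-two described above, reduced to a small stand-alone C program (added here as an illustration; this is not code from the bug report or from the MySQL/Percona source). It simulates the key layout "ip\0user\0db\0" in an oversized scratch buffer and measures how many bytes the real code would have written, then compares the original length check against the suggested "+ 2" check. ACL_KEY_LENGTH is set to a small constructed value of 16 for this example, and the strmov() stand-in and helper names are assumptions of the example, not the server's own symbols.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed value for this example only; the server's real
 * ACL_KEY_LENGTH is larger, but the arithmetic is the same. */
#define ACL_KEY_LENGTH 16

/* Scratch buffer large enough that the simulated layout never overflows,
 * so the program can measure the overrun instead of triggering it. */
#define SCRATCH_LEN 1024

/* Minimal stand-in for MySQL's strmov(): copy src to dst and return a
 * pointer to the terminating NUL that was written. */
static char *strmov_sim(char *dst, const char *src)
{
    while ((*dst = *src) != '\0') { dst++; src++; }
    return dst;
}

/* Length computation as in the 3853.1.1 fix: the sum of the three string
 * lengths, ignoring the two separator bytes added by the "+1"s. */
size_t copy_length_incomplete(const char *ip, const char *user, const char *db)
{
    return strlen(ip ? ip : "") + strlen(user ? user : "") + strlen(db ? db : "");
}

/* The suggested fix: account for the two separator bytes. */
size_t copy_length_fixed(const char *ip, const char *user, const char *db)
{
    return copy_length_incomplete(ip, user, db) + 2;
}

/* Reproduce key = "ip\0user\0db\0" and return the number of bytes touched,
 * i.e. (end - key) plus one for the final NUL written by the last strmov().
 * The original code passes user unguarded; it is guarded here for safety. */
size_t bytes_written(const char *ip, const char *user, const char *db)
{
    char key[SCRATCH_LEN];
    char *tmp_db, *end;
    end = strmov_sim((tmp_db = strmov_sim(strmov_sim(key, ip ? ip : "") + 1,
                                          user ? user : "") + 1),
                     db ? db : "");
    (void)tmp_db;
    return (size_t)(end - key) + 1;
}

/* Number of bytes by which a key[ACL_KEY_LENGTH] buffer would be overrun
 * when guarded by the given length check; 0 when the check rejects the
 * request (the DBUG_RETURN(0) path) or when the key fits. */
int overrun_with_check(size_t (*len_fn)(const char *, const char *, const char *),
                       const char *ip, const char *user, const char *db)
{
    if (len_fn(ip, user, db) >= ACL_KEY_LENGTH)
        return 0;
    size_t written = bytes_written(ip, user, db);
    return written > ACL_KEY_LENGTH ? (int)(written - ACL_KEY_LENGTH) : 0;
}

int main(void)
{
    /* Constructed inputs: lengths 9 + 1 + 5 = 15 = ACL_KEY_LENGTH - 1, the
     * largest sum the incomplete check still accepts. */
    const char *ip = "127.0.0.1", *user = "u", *db = "aaaaa";
    printf("copy_length (incomplete) = %zu, bytes actually written = %zu\n",
           copy_length_incomplete(ip, user, db), bytes_written(ip, user, db));
    printf("overrun with incomplete check: %d bytes\n",
           overrun_with_check(copy_length_incomplete, ip, user, db));
    printf("overrun with fixed check:      %d bytes\n",
           overrun_with_check(copy_length_fixed, ip, user, db));
    return 0;
}
```

With the incomplete check, a sum of ACL_KEY_LENGTH - 1 passes and the layout writes ACL_KEY_LENGTH + 2 bytes; with the "+ 2" check the largest accepted sum is ACL_KEY_LENGTH - 3, which writes exactly ACL_KEY_LENGTH bytes including the final NUL.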

summary: - Fix for CVE-2012-5611 is incomplete
+ Oracle fix for CVE-2012-5611 is incomplete

Percona Server 5.6 is affected: the MariaDB fix was incorrectly dropped while porting.

tags: added: upstream
description: updated

Upstream fix in 5.1.73 / 5.5.35 / 5.6.15.

David Busby (d-busby) wrote :

FWIW:

Testing on PS 5.5.34-32 x86_64 (Fedora 19 x86_64)

p.o.c. code: http://www.exploit-db.com/exploits/23075/ and tested.

This yielded the following result:

DBD::mysql::st execute failed: Incorrect usage of DB GRANT and GLOBAL PRIVILEGES at /tmp/cve-2012-5611 line 11.
DBD::mysql::st execute failed: Incorrect usage of DB GRANT and GLOBAL PRIVILEGES at /tmp/cve-2012-5611 line 11

Mysqld did not crash however the user was still created absent grants:

---
mysql> show grants for 'user'@'%';
+-----------------------------------------------------------------------------------------------------+
| Grants for user@% |
+-----------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user'@'%' IDENTIFIED BY PASSWORD '*' |
+-----------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
---

David Busby (d-busby) wrote :

Tested PS 5.6.14-56

Also attained:

DBD::mysql::st execute failed: Incorrect usage of DB GRANT and GLOBAL PRIVILEGES at /tmp/cve-2012-5611 line 11.
DBD::mysql::st execute failed: Incorrect usage of DB GRANT and GLOBAL PRIVILEGES at /tmp/cve-2012-5611 line 11.

No crash was observed.
