Timeline :
Public release of the vulnerabilities on 2012-03-21
Details of the vulnerability published by Oracle on 2012-04-10
PoC provided by Oracle on 2012-03-21 in the source code of 5.5.22 and 5.1.62
PoC provided by :
Oracle
Reference(s) :
SA48744
MySQL 5.5.22 release note
MySQL 5.1.62 release note
Eric Romang Pastebin
Affected version(s) :
MySQL Server 5.5.21 and previous versions
MySQL Server 5.1.61 and previous versions
Tested on CentOS 5 with :
MySQL 5.5.21
Description :
Oracle has released, on 21 March, two new versions of MySQL, versions 5.5.22 and 5.1.62. These versions fix two bugs, #13510739 and #63775, which are considered security fixes. But no impact details for these bugs are provided, and the bug reports are closed.
Unfortunately for Oracle, the two new versions were shipped with a development script, “mysql-test/suite/innodb/t/innodb_bug13510739.test”, intended to test the fix for the vulnerabilities: a PoC provided by Oracle itself. The bugs cause a denial of service of MySQL “ON HANDLER READ NEXT AFTER DELETE RECORD“. All the details are available in the script or at the Pastebin link above.
Commands :
mysql -u root -p database < innodb_bug13510739.test
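Before running anything against a server, the practical question for an administrator is whether a given MySQL installation falls inside the affected ranges listed above (5.5.21 and earlier, 5.1.61 and earlier) or already carries the fixed 5.5.22 / 5.1.62 releases. The following script is an added example written for this page, not part of the original post or of MySQL's own tooling: it parses a version string as reported by `SELECT VERSION()` or `mysqld --version`, compares it against the fixed releases named in the release notes, and reports a status. The `local_server_status` helper is hypothetical and assumes a `mysqld` binary on PATH; the sample strings are constructed, not captured from a real host.

```python
import re
import subprocess

# First fixed patch level per branch, taken from the MySQL 5.5.22 / 5.1.62
# release notes referenced on this page.
FIXED = {(5, 5): 22, (5, 1): 62}

# Matches the leading major.minor.patch triple of a MySQL version string,
# ignoring suffixes such as "-log", "-community" or build text.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings like '5.5.21-log' or the
    output of 'mysqld --version'; None if no x.y.z triple is present."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Classify a reported version against the advisory.

    Returns one of:
      'vulnerable'  - branch covered by the advisory, below the fixed patch level
      'fixed'       - branch covered, at or above the fixed patch level
      'not-covered' - a branch (e.g. 5.0, 5.6) the advisory does not list
      'unknown'     - no version could be parsed
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    major, minor, patch = version
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "not-covered"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def local_server_status():
    """Hypothetical helper: ask the locally installed mysqld for its version.
    Assumes 'mysqld' is on PATH; returns 'unknown' if it cannot be run."""
    try:
        result = subprocess.run(
            ["mysqld", "--version"], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return assess(result.stdout)


# Constructed sample strings in the shape a server reports them (not real hosts).
SAMPLES = [
    "5.5.21-log",
    "5.5.22",
    "5.1.61-community",
    "mysqld  Ver 5.1.62 for Linux on x86_64 (MySQL Community Server (GPL))",
    "5.6.5-m8",
    "no version here",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:70} -> {assess(sample)}")
    print("local mysqld:", local_server_status())
```

Run it with no arguments to see the sample classifications; on a host with MySQL installed the last line reports the local binary. Note that it only compares the MySQL version number, so a distribution that backports the fix without bumping the upstream version (as some vendors do) will still show as vulnerable and needs to be checked against the vendor's own changelog.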
That MySQL server has crashing bugs when garbage is fed down the connection has been well known inside the MySQL developer community and inside the network security community for many years. It’s a trivial exercise to find them: just run a standard jabber test against MySQL, and it’s almost as trivial to generate repeatable generator scripts.
There is very little of useful knowledge here.
Weaponized exploit scripts against MySQL are widely available inside the various penetration and security communities, including other bugs than the ones fixed here. No new risks have been introduced by this “leak”, and more security and more understanding of security is now available.
Hi Mark,
The DoS in itself is not the subject. The subject of this demonstration is that Oracle pretends to secure MySQL by “obscurity”, and that “obscurity” in the “open source” world is not the best approach.
Regards
Thank you for sharing this PoC! Is there a fix available?