cbcvebase.
CVE-2003-0780
published 2003-09-22

Priority: P3
CVSS 2.0: 9 (critical), vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 74.58% (99.4th percentile)
Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL 4.0.14 and earlier, and 3.23.x, allows attackers with ALTER TABLE privileges to execute arbitrary code via a long Password field.

Affected

65 ranges recorded, 25 shown (vendor / product; version range and fixed-in columns not shown):

- conectiva / linux
- mysql / mysql
- oracle / mysql

Detection & IOCs (extracted from sources)

- Port: 3306
- Other: JMP *EAX return address 0x42125b2b (glibc-2.2.93-5)
- Bytes: \x11\x00\x00\x00\x03\x66\x6C\x75\x73\x68\x20\x70\x72\x69\x76\x69\x6C\x65\x67\x65\x73
  • Exploit requires ALTER TABLE privileges on the mysql.user table; monitor for ALTER TABLE statements changing the Password column type to LONGTEXT on the mysql.user table.
  • Exploit triggers a buffer overflow via an oversized Password field (>16 characters) followed by FLUSH PRIVILEGES; monitor for UPDATE statements on mysql.user setting Password to strings far exceeding 16 characters.
  • Exploit connects to MySQL on TCP port 3306 and sends a raw FLUSH PRIVILEGES packet with the byte sequence \x11\x00\x00\x00\x03 followed by 'flush privileges'; detect this raw packet pattern on port 3306.
  • Exploit uses a fixed JMP *EAX return address 0x42125b2b targeting glibc-2.2.93-5; presence of this address in network traffic to port 3306 is a strong indicator of exploitation.
  • Exploit uses a PAD value of 19*4*2 (152 bytes) to align the overflow buffer; oversized password payloads of this structure sent to MySQL should be flagged.
  • The vulnerable function is get_salt_from_password in sql_acl.cc; stack traces or crash dumps referencing this function indicate exploitation attempts.
  • Exploitation requires the attacker to already possess global ALTER TABLE privileges on the MySQL server (i.e., administrative access); this is not an unauthenticated remote exploit.
  • The proof-of-concept exploit targets glibc-2.2.93-5 with a hardcoded return address (0x42125b2b); exploitation against other glibc versions would require a different return address.
  • Affected versions are MySQL 4.0.14 and earlier, and all 3.23.x releases; systems running later versions are not affected by this specific CVE.

CVSS provenance

- NVD (CVSS v2.0): 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
- Vendor (Red Hat): 9.0 CRITICAL