CVE-2006-1516
Published 2006-05-05
Priority: P3 · 38 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT · EPSS 33.50% (98.2th percentile)
The check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to read portions of memory via a username without a trailing null byte, which causes a buffer over-read.
Affected
67 ranges · showing 25. The 25 rows shown carry no version data and collapse to two distinct vendor/product pairs:

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mysql | mysql | — | — |
| oracle | mysql | — | — |
Detection & IOCs (extracted from sources)
bytes
0x3d,0x00,0x00,0x01,0x0d,0xa6,0x03,0x00,0x00,0x00,0x00,0x01,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x41,0x41,0x41,0x41,0x41,0x41,0x14,0x99,0xdb,0x54,0xb6,0x6a,0xd7,0xc2,0x86,0x4c,0x50,0xa8,0x14,0xfe,0x2e,0x98,0x27,0x72,0x0d,0xad,0x45,0x73,0x00
- Detect malformed MySQL login packets containing a username field with no trailing null byte — the exploit sends a crafted anonymous login packet (65 bytes) to trigger a buffer over-read in check_connection().
- Monitor MySQL login traffic for anonymous login attempts (empty/null username) without a null terminator; the exploit uses a fixed 65-byte packet with 0x41 padding in the username field.
- The vulnerable code path is the check_connection function in sql_parse.cc; patch or upgrade to MySQL 4.0.27+, 4.1.19+, or 5.0.21+ to remediate.
- The exploit supports both TCP and Unix domain socket (USOCK) connection modes; detection via network signatures will miss local Unix socket exploitation.
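A bounds-checked parser for the 4.1-style login packet that the detection notes above describe, added here as an illustration; it is not code from the page's sources or from MySQL. The field layout follows the public MySQL client/server protocol, and the build_packet helper and the packets it assembles are constructed for this example.

```python
import struct
from typing import Optional, Tuple

# MySQL 4.1+ client login payload (after the 4-byte packet header): 4 bytes capability
# flags, 4 bytes max packet size, 1 byte charset, 23 reserved bytes, NUL-terminated
# username, 1-byte auth length + auth bytes, NUL-terminated db name if flag 0x08 is set.
CLIENT_CONNECT_WITH_DB = 0x08
FIXED_PREFIX = 4 + 4 + 1 + 23


def check_login_packet(pkt: bytes) -> Tuple[bool, str]:
    """Return (ok, reason); every field is bounds-checked against the declared length,
    which a strlen()-style scan for the username terminator does not do."""
    if len(pkt) < 4:
        return False, "truncated packet header"
    payload_len = int.from_bytes(pkt[:3], "little")
    payload = pkt[4:]
    if len(payload) != payload_len:
        return False, "declared length does not match payload"
    if payload_len < FIXED_PREFIX:
        return False, "payload shorter than fixed 4.1 login prefix"
    caps = struct.unpack_from("<I", payload, 0)[0]
    nul = payload.find(b"\x00", FIXED_PREFIX)
    if nul == -1:
        return False, "username has no NUL terminator inside the packet"
    pos = nul + 1
    if pos >= payload_len:  # only the last byte is NUL: terminator scan swallowed the auth
        return False, "username runs to end of packet; auth length byte out of bounds"
    pos += 1 + payload[pos]  # skip the auth length byte and the auth response
    if pos > payload_len:
        return False, "auth response overruns packet"
    if caps & CLIENT_CONNECT_WITH_DB:
        db_nul = payload.find(b"\x00", pos)
        if db_nul == -1:
            return False, "database name has no NUL terminator"
        pos = db_nul + 1
    return (True, "") if pos == payload_len else (False, "trailing bytes after last field")


def build_packet(user: bytes, auth: bytes, db: Optional[bytes] = None,
                 terminate_user: bool = True) -> bytes:
    """Constructed helper: assemble a 4.1 login packet, optionally dropping the username NUL."""
    caps = 0x0003A60D if db is not None else 0x0003A605  # with / without CONNECT_WITH_DB
    body = struct.pack("<IIB", caps, 1 << 24, 8) + b"\x00" * 23 + user
    body += (b"\x00" if terminate_user else b"") + bytes([len(auth)]) + auth
    if db is not None:
        body += db + b"\x00"
    return len(body).to_bytes(3, "little") + b"\x01" + body
```

Feed check_login_packet the 4-byte-header-plus-payload bytes of each client login as captured on the wire; any False result is a packet a patched server would reject and is worth alerting on.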
CVSS provenance
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat · 5.0 MEDIUM
vendor_ubuntu · 5.0 MEDIUM
Ubuntu: MySQL vulnerabilities [MEDIUM]
vendor_ubuntu · 2006-05-08 · CVSS 5.0
Stefano Di Paola discovered an information leak in the login packet
parser. By sending a specially crafted malformed login packet, a
remote attacker could exploit this to read a random piece of memory,
which could potentially reveal sensitive data. (CVE-2006-1516)
Stefano Di Paola also found a similar information leak in the parser
for the COM_TABLE_DUMP request. (CVE-2006-1517)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat: security flaw [MEDIUM]
vendor_redhat · 2006-05-02 · CVSS 5.0
GHSA: GHSA-8q78-357r-r6m7 [MEDIUM]
ghsa_unreviewed · 2022-05-01
No detection rules found.
Bugzilla: CVE-2006-1516 security flaw [MEDIUM]
bugzilla · 2018-08-16 · CVSS 5.0
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion: MITRE description (identical to the NVD description above).
Bugzilla: CVE-2006-1516 mysql anonymous login information leak [MEDIUM]
bugzilla · 2006-05-05 · CVSS 5.0
The check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to read portions of memory via a username without a trailing null byte, which causes a buffer over-read.
http://www.wisec.it/vulns.php?page=7
Discussion: An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0544.html
Bugzilla: CVE-2006-1516 mysql anonymous login information leak [MEDIUM]
bugzilla · 2006-05-05 · CVSS 5.0
+++ This bug was initially created as a clone of Bug #190863 +++
The check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to read portions of memory via a username without a trailing null byte, which causes a buffer over-read.
http://www.wisec.it/vulns.php?page=7
This issue also affects FC4
Discussion:
5.0.21 is pushed into FC5, and 4.1.19 into FC4.
Bugzilla: CVE-2006-0903 Mysql multiple vulnerabilities ( [MEDIUM]
bugzilla · 2006-04-07 · CVSS 4.6
+++ This bug was initially created as a clone of Bug #183261 +++
Mysql log file obfuscation
http://secunia.com/advisories/19034
The following text is from tgl:
Yeah, problem confirmed locally: the query log message is truncated,
060227 11:15:47 6 Connect root@localhost on test
6 Query /* x */ select 2+2
6 Quit
060227 11:16:24 7 Connect root@localhost on test
7 Query /*
7 Quit
The report is perhaps deliberately obscure: you can *not* exploit this
through mysql_query() because it expects a null-terminated string
anyway. But you can exploit it through mysql_real_query() which takes
a pointer and count.
I'd class the severity as pretty low, since all it allows is hiding
some traces of an attack after the attacker has already broken into
th
References:
- http://bugs.debian.org/365938
- http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html
- http://docs.info.apple.com/article.html?artnum=305214
- http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
- http://lists.suse.com/archive/suse-security-announce/2006-Jun/0011.html
- http://secunia.com/advisories/19929
- http://secunia.com/advisories/20002
- http://secunia.com/advisories/20073
- http://secunia.com/advisories/20076
- http://secunia.com/advisories/20223
- http://secunia.com/advisories/20241
- http://secunia.com/advisories/20253
- http://secunia.com/advisories/20333
- http://secunia.com/advisories/20424
- http://secunia.com/advisories/20457
- http://secunia.com/advisories/20625
- http://secunia.com/advisories/20762
- http://secunia.com/advisories/24479
- http://secunia.com/advisories/29847
- http://securityreason.com/securityalert/840
- http://securitytracker.com/id?1016017
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.599377
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-236703-1
- http://www.debian.org/security/2006/dsa-1071
- http://www.debian.org/security/2006/dsa-1073
- http://www.debian.org/security/2006/dsa-1079
- http://www.gentoo.org/security/en/glsa/glsa-200605-13.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:084
- http://www.novell.com/linux/security/advisories/2006-06-02.html
- http://www.redhat.com/support/errata/RHSA-2006-0544.html
- http://www.securityfocus.com/archive/1/432733/100/0/threaded
- http://www.securityfocus.com/archive/1/434164/100/0/threaded
- http://www.securityfocus.com/bid/17780
- http://www.trustix.org/errata/2006/0028
- http://www.us-cert.gov/cas/techalerts/TA07-072A.html
- http://www.vupen.com/english/advisories/2006/1633
- http://www.vupen.com/english/advisories/2007/0930
- http://www.vupen.com/english/advisories/2008/1326/references
- http://www.wisec.it/vulns.php?page=7
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26236
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9918
- https://usn.ubuntu.com/283-1/