CVE-2008-0226
Published: 2008-01-10
Priority: P269 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 91.60% (99.8th percentile)
Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.
Affected (74 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
| mysql | mysql | — | — |
Detection & IOCs (extracted from sources)
- Bytes: \x00\x0F\xFF (SSL Hello packet trigger bytes preceding the overflow buffer)
- Bytes: 0x01000020 (first packet header, little-endian)
- Bytes: 0x00008daa 0x40000000 0x00000008 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x03010000 0x00000001 (malicious SSL Hello message body)
- Detect exploitation attempts by monitoring for oversized SSL Hello messages (~3965+ bytes of alphanumeric padding) sent to MySQL port 3306, preceded by the byte sequence \x00\x0F\xFF.
- The exploit sends exactly two TCP payloads to port 3306: a 4-byte header packet (0x01000020) followed by the large malformed SSL Hello packet. Detecting this two-packet sequence on MySQL's port is a strong indicator of CVE-2008-0226 exploitation.
- The vulnerable code paths are ProcessOldClientHello in handshake.cpp and input_buffer& operator>> in yassl_imp.cpp within yaSSL 1.7.5 and earlier. Presence of yaSSL ≤1.7.5 bundled with MySQL ≤6.0 on a network-accessible port 3306 constitutes an exploitable attack surface.
- Bad characters used by the exploit payload are \x00\x20\x0a\x0d\x2f\x2b\x0b\x5c; IDS/IPS rules inspecting SSL Hello content on port 3306 should flag payloads that avoid these bytes while containing large blocks of alphanumeric shellcode.
- Red Hat Enterprise Linux (2.1, 3, 4, 5) and Red Hat Application Stack v1/v2 are NOT vulnerable because their MySQL packages are not built with yaSSL support.
- Ubuntu 6.06 is not affected in the default installation (CVE-2008-0226/CVE-2008-0227 did not affect it by default).
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 3.5 | LOW | — |
Ubuntu: MySQL regression
vendor_ubuntu · 2008-04-02 · CVSS 3.5 · CVE-2007-2692 [LOW]
USN-588-1 fixed vulnerabilities in MySQL. In fixing CVE-2007-2692 for
Ubuntu 6.06, additional improvements were made to make privilege checks
more restrictive. As a result, an upstream bug was exposed which could
cause operations on tables or views in a different database to fail. This
update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Masaaki Hirose discovered that MySQL could be made to dereference
a NULL pointer. An authenticated user could cause a denial of service
(application crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA
table. This issue only affects Ubuntu 6.06 and 6.10. (CVE-2006-7232)
Alexander Nozdrin discovered that MySQL did not restore database access
privileges when ret
Ubuntu: MySQL vulnerabilities
vendor_ubuntu · 2008-03-19 · CVSS 3.5 · CVE-2008-0226 [LOW]
Masaaki Hirose discovered that MySQL could be made to dereference
a NULL pointer. An authenticated user could cause a denial of service
(application crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA
table. This issue only affects Ubuntu 6.06 and 6.10. (CVE-2006-7232)
Alexander Nozdrin discovered that MySQL did not restore database access
privileges when returning from SQL SECURITY INVOKER stored routines. An
authenticated user could exploit this to gain privileges. This issue
does not affect Ubuntu 7.10. (CVE-2007-2692)
Martin Friebe discovered that MySQL did not properly update the DEFINER
value of an altered view. An authenticated user could use CREATE SQL
SECURITY DEFINER VIEW and ALTER VIEW statements to gain pri
Red Hat: CVE-2008-0226: Multiple buffer overflows in yaSSL 1
vendor_redhat · CVSS 7.5 · CVE-2008-0226 [HIGH]
Statement: Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support.
GHSA: GHSA-62p8-jm49-f9f2: Multiple buffer overflows in yaSSL 1
ghsa_unreviewed · 2022-05-01 · CVE-2008-0226 [HIGH] · CWE-119
No detection rules found.
Exploit-DB: MySQL yaSSL (Linux) - SSL Hello Message Buffer Overflow (Metasploit)
exploitdb · 2010-05-09 · CVE-2008-0226
Module excerpt (truncated in the source):
```ruby
##
# $Id: mysql_yassl_hello.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'MySQL yaSSL SSL Hello Message Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)
implementation bundled with MySQL [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2008-0226' ],
[ 'OSVDB', '41195' ],
[ 'BID', '27140' ],
],
'Privileged' => false
```
Exploit-DB: MySQL yaSSL (Windows) - SSL Hello Message Buffer Overflow (Metasploit)
exploitdb · 2010-05-09 · CVE-2008-0226
Module excerpt (truncated in the source):
```ruby
##
# $Id: mysql_yassl_hello.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'MySQL yaSSL SSL Hello Message Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)
implementation bundled with MySQL [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2008-0226' ],
[ 'OSVDB', '41195'],
[ 'BID', '27140' ],
],
'Privileged' => true,
```
Exploit-DB: MySQL 6.0 yaSSL 1.7.5 - Hello Message Buffer Overflow (Metasploit)
exploitdb · 2008-01-04 · CVE-2008-0226
Module excerpt (truncated in the source):
```ruby
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'MySQL yaSSL SSL Hello Message Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in the yaSSL (1.7.5 and earlier)
implementation bundled with MySQL [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-0226' ],
[ 'OSVDB', '41195' ],
[ 'BID', '27140' ],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 100,
'BadChars' => "\x00\x20\x0a\x0d\x2f\
```
Metasploit: MySQL yaSSL SSL Hello Message Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier) implementation bundled with MySQL <= 6.0. By sending a specially crafted Hello packet, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://bugs.mysql.com/33814
- http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html
- http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
- http://secunia.com/advisories/28324
- http://secunia.com/advisories/28419
- http://secunia.com/advisories/28597
- http://secunia.com/advisories/29443
- http://secunia.com/advisories/32222
- http://securityreason.com/securityalert/3531
- http://support.apple.com/kb/HT3216
- http://www.debian.org/security/2008/dsa-1478
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:150
- http://www.securityfocus.com/archive/1/485810/100/0/threaded
- http://www.securityfocus.com/archive/1/485811/100/0/threaded
- http://www.securityfocus.com/bid/27140
- http://www.securityfocus.com/bid/31681
- http://www.ubuntu.com/usn/usn-588-1
- http://www.vupen.com/english/advisories/2008/0560/references
- http://www.vupen.com/english/advisories/2008/2780
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39429
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39431