CVE-2009-4484
Published 2009-12-30
Priority: P2 (high) · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) · Exploit: available · EPSS: 69.55% (99.3rd percentile)
Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| mariadb | mariadb | >= 5.1 < 5.1.42 | 5.1.42 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| oracle | mysql | — | — |
| oracle | mysql | >= 5.0.0 < 5.0.90 | 5.0.90 |
| oracle | mysql | >= 5.1.0 < 5.1.43 | 5.1.43 |
| wolfssl | yassl | < 1.9.9 | 1.9.9 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring SSL handshakes to the MySQL port (TCP/3306) that carry an X.509 client certificate with an oversized or malformed name field (CN, O, OU, etc.) in the Subject or Issuer.
- Monitor MySQL servers for inbound SSL connections on TCP/3306 from hosts that are not expected to present client certificates; exploitation requires the attacker to pass host-based authentication, and the server must have been manually configured to use SSL.
- MySQL builds linked against OpenSSL rather than the bundled yaSSL are not affected; audit MySQL binary linkage to determine exposure (Red Hat and Fedora packages built against OpenSSL are not vulnerable).
- On Windows, the /GS and /SafeSEH protections in the MySQL 5.5.0-m2 binary block exploitation; on Linux, GCC FORTIFY_SOURCE also mitigates the overflow in some builds. Flag unprotected Linux MySQL builds (5.0.x before 5.0.90, 5.1.x before 5.1.43) that bundle yaSSL as high-priority patching targets.
- The vulnerability exists only in MySQL builds that bundle yaSSL before 1.9.9; MySQL packages linked against the system OpenSSL (for example, all Red Hat Enterprise Linux and Fedora packages) are unaffected.
- Exploitation requires a non-default server configuration: SSL must be manually enabled, the server must listen on an accessible network interface, and the attacker must be able to pass host-based authentication.
- The SUSE 11 binary package does not contain yaSSL and does not support SSL, so it is not exploitable despite being mentioned in the original blog post.
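The first detection item above keys on an oversized name attribute in a client certificate. The following added example (not code from the advisory, from yaSSL or from any of the vendors above) walks a DER-encoded X.509 Name, the structure CertDecoder::GetName parses, and reports every attribute value longer than a policy cap; the 64-byte cap and the sample names are constructed for illustration.

```python
# Added example, not code from the advisory or from yaSSL: walk a DER-encoded
# X.509 Name (Subject or Issuer) and report attribute values longer than a
# policy cap, the oversized CN/O/OU field the detection guidance describes.
CN_OID, O_OID = bytes.fromhex("550403"), bytes.fromhex("55040a")  # 2.5.4.3, 2.5.4.10
OID_NAMES = {CN_OID: "CN", O_OID: "O"}

def der_len(n):
    if n < 0x80:                           # short-form length
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long-form length

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode one TLV at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def build_name(attrs):
    """Construct a Name: SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    rdns = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, val.encode())))
                    for oid, val in attrs)
    return tlv(0x30, rdns)

def oversized_attributes(name_der, cap=64):
    """Return [(attribute, length)] for every value longer than cap bytes."""
    _, rdns, _ = read_tlv(name_der, 0)     # outer SEQUENCE of RDNs
    hits, pos = [], 0
    while pos < len(rdns):                 # each RDN is a SET
        _, rdn_set, pos = read_tlv(rdns, pos)
        spos = 0
        while spos < len(rdn_set):         # each AttributeTypeAndValue
            _, atv, spos = read_tlv(rdn_set, spos)
            _, oid, vpos = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, vpos)
            if len(value) > cap:
                hits.append((OID_NAMES.get(oid, "OID"), len(value)))
    return hits
```

Feed it the Subject and Issuer of the client certificate captured at the TLS handshake; a hit, or a ValueError from a truncated or malformed structure, is the signal to alert on.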
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 4.6 | MEDIUM | — |
Microsoft
vendor_msrc · 2020-09-08 · CVSS 7.5
CVE-2009-4484 [HIGH]
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2009-4484
Mariner: Mariner
Exploit Status: DOS:N/A
Remediation: kernel
Ubuntu
MySQL vulnerabilities
vendor_ubuntu · 2012-03-12
CVE-2007-5925 MySQL vulnerabilities
Title: MySQL vulnerabilities
Summary: Several security issues were fixed in MySQL.
Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.
MySQL has been updated to 5.1.61 in Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10. Ubuntu 8.04 LTS has been updated to MySQL 5.0.95.
In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
Please see the following for more information:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
MySQL vulnerabilities
vendor_ubuntu · 2010-02-10 · CVSS 4.6
CVE-2008-7247 [MEDIUM] MySQL vulnerabilities
Title: MySQL vulnerabilities
Summary: MySQL vulnerabilities
It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This update alters table creation behaviour by disallowing the use of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. This issue only affected Ubuntu 8.10. (CVE-2008-4098)
It was discovered that MySQL contained a cross-site scripting vulnerability in the command-line client when the --html option is enabled. An attacker could place arbitrary web script or html in a database cell, which would then get placed in the html document output by the command-line tool. This issue only affected Ubuntu
Red Hat
mysql: yaSSL certificate parsing buffer overflow (vulndisco)
vendor_redhat · 2010-01-25 · CVSS 7.5
CVE-2009-4484 [HIGH] CWE-228
Statement: Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3
GHSA
GHSA-r9xr-rjgc-3q5h: Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp
ghsa_unreviewed · 2022-05-02
CVE-2009-4484 [HIGH] CWE-787
No detection rules found.
Exploit-DB
MySQL - yaSSL CertDecoder::GetName Buffer Overflow (Metasploit)
exploitdb · 2010-04-30
CVE-2009-4484

```ruby
##
# $Id: mysql_yassl_getname.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'MySQL yaSSL CertDecoder::GetName Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier)
implementation bundled with MySQL. By sending a specially crafted
client certificate, an attacker can execute arbitrary code.
This vulnerability is present within the CertDecoder::GetName function inside
"taocryp
```
Metasploit
MySQL yaSSL CertDecoder::GetName Buffer Overflow
This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside "taocrypt/src/asn.cpp". However, the stack buffer that is written to exists within a parent function's stack frame. NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL. The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. Dur