Sri Lankan Security researcher Osanda Malith discovered a DoS -or crash- vulnerability in MySQL’s Procedure Analyse Function. The vulnerability crashes MySQL versions up to 5.5.45.
Osanda Malith found this crash in the function procedure
analyse() while passing a sub query. It’s syntax:
SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);
So an example POC would be:
select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1); ERROR 2013 (HY000): Lost connection to MySQL server during query mysql> mysql> select 1; ERROR 2006 (HY000): MySQL server has gone away No connection. Trying to reconnect... ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061) ERROR: Can't connect to the server mysql>
On Windows, this crashes
mysql.exe and an administrator needs to restart the MySQL service. In Windows based systems in a single request the process will crash. We have to manually restart the MySQL server. In *nix systems
mysqld will automatically recover but still if we keep on sending multiple GET requests with this payload the database will crash.
Osanda Malith writes:
If you came across a website vulnerable to SQL injection you can simply perform a DoS attack so that MySQL server will not respond and the entire database of the website would be down meaning the website will be no longer in an active state.
In Windows based systems in a single request the process will crash. We have to manually restart the MySQL server.
This sounds like a very nasty side-affect of SQL injection vulnerability. In August 2014 I wrote about MySQL sleep() attacks being carried out in the wild. Here an attacker injects
sleep(3) into a vulnerable web application, making
mysqld sleep for the given amount of time, for every record found -depending on where the sleep() is injected of course. That was a Denial of Service attack on the whole MySQL server, quickly consuming all available connections.
This crash/DoS vulnerability however, requires only one request for MySQL on Windows Server, to crash mysql.exe, and a continuous stream of requests for Linux/Unix operating systems because the mysqld service will automatically recover.
Read the full details in Osanda Malith’s blog post.
If you want to step in to help me cover the costs for running this website, that would be awesome. Just use this link to donate a cup of coffee ($5 USD for example). And please share the love and help others make use of this website. Thank you very much!
My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.
BIND 9.x vulnerable for remote Denial of Service through a magic packet
MySQL sleep() attacks
A cheat-sheet for password crackers
Windows privilege escalation guide
Help Net Security reviewed Acunetix 11
Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege