Sri Lankan Security researcher Osanda Malith discovered a DoS -or crash- vulnerability in MySQL’s Procedure Analyse Function. The vulnerability crashes MySQL versions up to 5.5.45.
Osanda Malith found this crash in the function procedure
analyse() while passing a sub query. It’s syntax:
SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);
So an example POC would be:
select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1); ERROR 2013 (HY000): Lost connection to MySQL server during query mysql> mysql> select 1; ERROR 2006 (HY000): MySQL server has gone away No connection. Trying to reconnect... ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061) ERROR: Can't connect to the server mysql>
On Windows, this crashes
mysql.exe and an administrator needs to restart the MySQL service. In Windows based systems in a single request the process will crash. We have to manually restart the MySQL server. In *nix systems
mysqld will automatically recover but still if we keep on sending multiple GET requests with this payload the database will crash.
Osanda Malith writes:
If you came across a website vulnerable to SQL injection you can simply perform a DoS attack so that MySQL server will not respond and the entire database of the website would be down meaning the website will be no longer in an active state.
In Windows based systems in a single request the process will crash. We have to manually restart the MySQL server.
This sounds like a very nasty side-affect of SQL injection vulnerability. In August 2014 I wrote about MySQL sleep() attacks being carried out in the wild. Here an attacker injects
sleep(3) into a vulnerable web application, making
mysqld sleep for the given amount of time, for every record found -depending on where the sleep() is injected of course. That was a Denial of Service attack on the whole MySQL server, quickly consuming all available connections.
This crash/DoS vulnerability however, requires only one request for MySQL on Windows Server, to crash mysql.exe, and a continuous stream of requests for Linux/Unix operating systems because the mysqld service will automatically recover.
Read the full details in Osanda Malith’s blog post.