Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Matt Moore (matt_at_westpoint.ltd.uk)
Date: Wed Oct 02 2002 - 10:47:59 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Westpoint Security Advisory

    Title: MySQL Locally Exploitable Buffer Overflow
    Risk Rating: Medium
    Software: mySQL Database v3.23.49-nt
    Platforms: Win32 (other platforms not tested)
    Vendor URL: www.mysql.com
    Author: Matt Moore <mattwestpoint.ltd.uk>
    Date: 1st October 2002
    Advisory ID#: wp-02-0003
    CVE# CAN-2002-0969

    The Win32 version of MySQL has a locally exploitable buffer overflow
    condition which could allow an attacker to execute code in the context
    of the SYSTEM account if MySQL is running as an NT Service (which is the


    MySQL reads a configuration file,'my.ini' from from either c:\my.ini or
    c:\WINNT\my.ini . The default ACL's for c:\my.ini allow the 'Everyone'
    Full Control.The ACL's for c:\winnt are slightly more restrictive, but do
    allow members of the 'Power Users' NT Group write access.

    By supplying an overly long string for the 'datadir' parameter in
    my.ini, it is
    possible to overflow a buffer in mysqld-nt.exe, overwriting EIP, and
    hence executing
    arbitrary code in the context of the SYSTEM account.


    Change the entry for 'datadir' from:




    and restart the mySQl service or reboot the machine.

    Vendor Response:

    Fixed in the 3.23.50 release of MySQL and MySQL 4.0.2

    Patch Information:

    Upgrade to the latest version from www.mysql.com

    This advisory is available online at: