FreeBSD : mysql -- mysql_real_connect buffer overflow vulnerability (835256b8-46ed-11d9-8ce0-00065be4b5b6)

This script is Copyright (C) 2005-2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

The mysql_real_connect function doesn't properly handle DNS replies by
copying the IP address into a buffer without any length checking. A
specially crafted DNS reply may therefore be used to cause a buffer
overflow on affected systems.

Note that whether this issue is exploitable depends on the system
library that implements the gethostbyname function. The bug finder,
Lukasz Wojtow, explains this with the following words :

In glibc there is a limitation for an IP address to have only 4 bytes
(obviously), but generally speaking the length of the address comes
with a response for a DNS query (I know it sounds funny but read RFC 1035
if you don't believe). This bug can occur on libraries where the
gethostbyname function takes the length from the DNS response.
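
The unchecked-copy pattern described above, beside the length check that closes it, as an added illustration in C (not MySQL's or Tenable's code; struct addr_slot, make_hostent and the constructed 16-byte resolver entry are assumptions standing in for the real code paths):

```c
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed target: the 4-byte address slot the connect path fills in, plus a
   guard region that reveals bytes written past it. Not MySQL's own structure. */
struct addr_slot { unsigned char ip[4]; unsigned char guard[16]; };

/* Unchecked pattern from the advisory: trust h_length from the resolver and copy that
   many bytes into the 4-byte slot. The clamp is demo-only; the real code had no bound. */
size_t copy_addr_unchecked(struct addr_slot *dst, const struct hostent *he)
{
    size_t n = (size_t)he->h_length;
    if (n > sizeof(*dst)) n = sizeof(*dst);
    memcpy(dst->ip, he->h_addr_list[0], n);   /* overruns ip[] when n > 4 */
    return n;
}

/* Hardened form: accept exactly one IPv4 address of exactly sizeof(ip) bytes.
   Returns 0 on success, -1 when the resolver result is rejected. */
int copy_addr_checked(struct addr_slot *dst, const struct hostent *he)
{
    if (!he || !he->h_addr_list || !he->h_addr_list[0] || he->h_addrtype != AF_INET
        || he->h_length != (int)sizeof(dst->ip))
        return -1;
    memcpy(dst->ip, he->h_addr_list[0], sizeof(dst->ip));
    return 0;
}

/* Constructed resolver result: len == 4 is a normal entry; len == 16 stands in
   for a resolver passing through an oversized length from a malformed reply. */
static unsigned char addr_bytes[16] = { 10, 0, 0, 1, 'A', 'A', 'A', 'A',
                                        'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
struct hostent *make_hostent(int len)
{
    static char *addrs[2] = { (char *)addr_bytes, NULL };
    static struct hostent he;               /* h_name/h_aliases stay NULL */
    he.h_addrtype = AF_INET; he.h_length = len; he.h_addr_list = addrs;
    return &he;
}

/* Unchecked copy into a zeroed slot; returns guard[0], nonzero only on a spill. */
int spilled_guard_byte(const struct hostent *he)
{
    struct addr_slot s;
    memset(&s, 0, sizeof s);
    copy_addr_unchecked(&s, he);
    return s.guard[0];
}
```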

See also :

http://bugs.mysql.com/bug.php?id=4017
http://lists.mysql.com/internals/14726
http://rhn.redhat.com/errata/RHSA-2004-611.html
http://www.nessus.org/u?777347ea
http://www.nessus.org/u?234ad91f

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 19009 (freebsd_pkg_835256b846ed11d98ce000065be4b5b6.nasl)

Bugtraq ID: 10981

CVE ID: CVE-2004-0836
