In July, Oracle released a Critical Patch Update for multiple products including Oracle Database and MySQL, which included, among others, patches for two serious vulnerabilities discovered by Trustwave SpiderLabs. Below, I will examine the technical details of these vulnerabilities.
The first vulnerability affects the latest Oracle Database version which is 12.1.0.2 and allows unauthenticated users to probe user accounts. That is anyone with a network connection to the database can confirm whether a given user exists in the database. This is made possible by differing server responses to login attempts for existing and non-existing user accounts. This is the network capture of a login attempt via sqlplus for a legitimate user:
36 31 38 00 00 00 00 0D-00 00 00 0D 41 55 54 48 618.........AUTH5F 56 46 52 5F 44 41 54-41 20 00 00 00 20 43 46 _VFR_DATA.....CF32 46 39 44 34 46 32 35-30 32 41 31 35 44 39 36 2F9D4F2502A15D9642 37 36 39 35 34 43 38-35 44 43 43 30 33 15 48 B76954C85DCC03.H
As you can see the token length is 16 bytes (32 characters).
Now let's append a character to the username and retry authentication:
30 37 45 00 00 00 00 0D-00 00 00 0D 41 55 54 48 07E.........AUTH5F 56 46 52 5F 44 41 54-41 14 00 00 00 14 42 45 _VFR_DATA.....BE32 30 34 39 42 32 36 31-31 33 37 41 30 42 36 41 2049B261137A0B6A39 31 25 1B 00 00 14 00-00 00 14 41 55 54 48 5F 91%........AUTH_
For a non-existent account, the length of the AUTH_VFR_DATA token is shorter – only 10 bytes (20 characters). That response tells us whether an account exists on the system or not.
Note that sqlplus should be version 12.1.0.2 or newer in order to support the latest authentication protocol version.
This vulnerability allows attackers to run arbitrary code on some platforms because it is a classic stack-based buffer overflow. It can also be used to cause a denial of service.
Any authenticated user with CREATE TABLE privileges can exploit this vulnerability. This happens because there is no length check on one of the parameters to add_keyword_path function and the parameter is later copied to a stack-allocated buffer.
Here is proof-of-concept code:
CREATE TABLE test.t1 (id INTEGER) PARTITION BY HASH(id) PARTITIONS 1 (PARTITION p1 DATA DIRECTORY = '<600 character string>');Affected MySQL versions are 5.6.24 and earlier. Here is a quote from the release notes:
Partitioning: When creating a partitioned table, partition-level
DATA DIRECTORYorINDEX DIRECTORYoption values that contained an excessive number of characters were handled incorrectly. (Bug #20809045)
You will find the related commit in MySQL Server code here: https://github.com/mysql/mysql-server/commit/85d0ef869796ac370ee18b547682c923d16ef022
As we can see Oracle added a length validation step to exit when the path length is more or equal to 512 bytes and replaced the strcpy call with strncpy.