mSQL overflow and poor hostname authentication checks

Summary
Description: mSQL has several stack buffer overflows that let remote attackers execute arbitrary code in the server; msqld and msql2d are the affected programs. In addition, mSQL authenticates clients by hostname but never forward-resolves the name returned by its reverse (IP to hostname) lookup, so anyone who controls the reverse DNS for their own address can present the hostname of a legitimate client and bypass the access control.
Author:"Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise: run arbitrary commands remotely, as whatever user the daemon runs as (root if it is started as root). Spoof hostname-based access to an mSQL server.
Vulnerable Systems: Those running the mSQL server software, msqld or msql2d. mSQL 2.0.1 and earlier are vulnerable.
Date:27 July 1997
Notes:
Details


Date: Sun, 27 Jul 1997 19:13:23 -0600
From: "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: mSQL vulnerabilities

X-Premail-Auth: Good signature from user "Secure Networks Inc. <sni@secnet.com>".

                     ######    ##   ##    ######
                     ##        ###  ##      ##
                     ######    ## # ##      ##
                         ##    ##  ###      ##
                     ###### .  ##   ## .  ######.

                         Secure Networks Inc.

                          Security Advisory
                            July 27, 1997

                      mSQL Server Vulnerabilities


This advisory describes a set of vulnerabilities which enable
attackers to obtain unauthorized access to systems running mSQL
database servers.


Problem Description
~~~~~~~~~~~~~~~~~~~

The mSQL server software, msqld or msql2d, performs no length checking on
many of the strings it manipulates.  By sending a query which contains a
string longer than the mSQL server is prepared to deal with, an attacker
can overwrite the stack and cause the mSQL server to execute arbitrary
code.

A second vulnerability exists because the mSQL server does not perform a
forward DNS lookup on the hostname returned by its reverse DNS lookup and
verify that the name maps back to the connecting address, so anyone who
controls the reverse DNS for their own address can present the hostname
of a permitted client and gain access to the mSQL server.


Technical Details
~~~~~~~~~~~~~~~~~

An example of the buffer overflows is present in the openTable function
located in the table.c file:

int openTable(table,db)
     char     *table;
     char     *db;
{
     char     path[MAXPATHLEN];   /* MAXPATHLEN here is mSQL's own 160-byte value */

     /* no length check on db or table before formatting into path */
     (void)sprintf(path,"%s/msqldb/%s/%s.dat",msqlHomeDir,db,table);
     ...


In this example, openTable formats the attacker-supplied table name into a
fixed-size buffer on the stack with sprintf, which performs no bounds
checking.  The buffer is small because the mSQL server defines MAXPATHLEN
itself, rather than obtaining it from sys/param.h, the operating system
header file.  In this case, the value of MAXPATHLEN is 160, so a table
name longer than the space left after the home directory and database
name overruns path and the stack frame beyond it.
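The arithmetic behind that overflow, and the bounded replacement for the sprintf call, as an added example (not mSQL's code and not the Secure Networks patch). It assumes the default install prefix /usr/local/Hughes as msqlHomeDir and a database named "test"; the hardened builder refuses a path that would not fit rather than silently truncating it, since a truncated .dat path is a different file from the one the client asked for:

```c
#include <stdio.h>
#include <string.h>

/* mSQL's private MAXPATHLEN, per the advisory; the system value in
 * sys/param.h is normally far larger. */
#define MSQL_MAXPATHLEN 160

/* Assumed value of msqlHomeDir: the default install prefix. */
#define MSQL_HOME "/usr/local/Hughes"

/* Bytes the original sprintf(path,"%s/msqldb/%s/%s.dat",...) emits,
 * including the terminating NUL, computed instead of written so the
 * overflow can be reasoned about without smashing a real stack. */
size_t unchecked_path_len(const char *home, const char *db, const char *table)
{
    return strlen(home) + strlen("/msqldb/") + strlen(db) + 1
         + strlen(table) + strlen(".dat") + 1;
}

/* 1 if the original code would write past its 160-byte stack buffer. */
int would_overflow(const char *home, const char *db, const char *table)
{
    return unchecked_path_len(home, db, table) > MSQL_MAXPATHLEN;
}

/* Shortest table name that overflows for a given home and db
 * (0 if even the empty name does). */
size_t min_overflowing_table_len(const char *home, const char *db)
{
    size_t fixed = unchecked_path_len(home, db, "");
    return fixed > MSQL_MAXPATHLEN ? 0 : MSQL_MAXPATHLEN - fixed + 1;
}

/* Hardened replacement for the path construction: snprintf, with the
 * return value checked so a path that does not fit is refused outright.
 * Returns the path length, or -1 (and an empty out) when refused. */
int build_table_path(char *out, size_t outlen,
                     const char *home, const char *db, const char *table)
{
    int n = snprintf(out, outlen, "%s/msqldb/%s/%s.dat", home, db, table);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Helpers that try a table name of 'len' 'A's against both versions. */
int unchecked_overflows_at(size_t len)
{
    char name[512];
    if (len >= sizeof name) return 1;
    memset(name, 'A', len); name[len] = '\0';
    return would_overflow(MSQL_HOME, "test", name);
}

int hardened_result_at(size_t len)
{
    char name[512], path[MSQL_MAXPATHLEN];
    if (len >= sizeof name) return -1;
    memset(name, 'A', len); name[len] = '\0';
    return build_table_path(path, sizeof path, MSQL_HOME, "test", name);
}

int main(void)
{
    size_t t = min_overflowing_table_len(MSQL_HOME, "test");
    printf("table names of %zu+ bytes overflow path[] for db 'test'\n", t);
    printf("unchecked: %zu-byte name overflows=%d\n", t, unchecked_overflows_at(t));
    printf("hardened : %zu-byte name -> %d, %zu-byte name -> %d\n",
           t - 1, hardened_result_at(t - 1), t, hardened_result_at(t));
    return 0;
}
```

With the assumed home directory the fixed part of the path is 35 bytes, so a 126-byte table name is already enough to run off the end of path; the hardened builder accepts the 125-byte name that exactly fits and refuses anything longer.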

In addition to the above buffer overflows, the username/hostname
based access control mechanism in the msql daemon does not protect
against an attacker with control of a DNS server:

               hp = (struct hostent *)gethostbyaddr(
                    (char *)&conArray[newSock].remote.sin_addr,
                    sizeof(conArray[newSock].remote.sin_addr),
                    AF_INET);

Because msql2d does not do a forward lookup on the name returned by the
reverse lookup and verify that the resulting addresses include the
connecting address, an attacker who controls the reverse DNS for their own
address can simply return the name of a valid client host and obtain
access to the mSQL database.
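The forward-confirmed check the daemon is missing, as an added example (not mSQL code and not the Secure Networks patch). The resolver is passed in as two function pointers so the check can be exercised offline against a constructed zone; the sys_reverse/sys_forward pair wrap the real getnameinfo/getaddrinfo and need a network. The hosts and addresses (client.example.com at 192.0.2.10, an attacker at 203.0.113.5 whose PTR record claims the same name) are constructed for the demonstration:

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define HOSTLEN 256

/* Resolver hooks: reverse fills name for addr (0 on success);
 * forward fills up to max addresses for name and returns the count. */
typedef int (*reverse_fn)(struct in_addr addr, char *name, size_t namelen);
typedef int (*forward_fn)(const char *name, struct in_addr *out, int max);

/* Forward-confirmed reverse DNS: returns 0 and fills name only when
 * PTR(addr) yields a name whose A records include addr. Otherwise -1
 * and an empty name, so callers never see an unconfirmed hostname. */
int fcrdns_hostname(struct in_addr addr, reverse_fn rev, forward_fn fwd,
                    char *name, size_t namelen)
{
    struct in_addr fwd_addrs[16];
    int n, i;

    if (rev(addr, name, namelen) != 0) { name[0] = '\0'; return -1; }
    n = fwd(name, fwd_addrs, 16);
    for (i = 0; i < n; i++)
        if (fwd_addrs[i].s_addr == addr.s_addr) return 0;
    name[0] = '\0';
    return -1;
}

/* System resolver versions (network required; not used offline). */
int sys_reverse(struct in_addr addr, char *name, size_t namelen)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr = addr;
    return getnameinfo((struct sockaddr *)&sa, sizeof sa, name, namelen,
                       NULL, 0, NI_NAMEREQD) == 0 ? 0 : -1;
}

int sys_forward(const char *name, struct in_addr *out, int max)
{
    struct addrinfo hints, *res, *p;
    int n = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    if (getaddrinfo(name, NULL, &hints, &res) != 0) return 0;
    for (p = res; p && n < max; p = p->ai_next)
        out[n++] = ((struct sockaddr_in *)p->ai_addr)->sin_addr;
    freeaddrinfo(res);
    return n;
}

/* Constructed zone for the offline demonstration (not real hosts):
 * both the legitimate client and the attacker have PTR records saying
 * client.example.com, but only 192.0.2.10 is in that name's A records. */
static int fake_reverse(struct in_addr addr, char *name, size_t namelen)
{
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &addr, ip, sizeof ip);
    if (strcmp(ip, "192.0.2.10") == 0 || strcmp(ip, "203.0.113.5") == 0) {
        snprintf(name, namelen, "client.example.com");
        return 0;
    }
    return -1;                       /* no PTR record */
}

static int fake_forward(const char *name, struct in_addr *out, int max)
{
    if (strcmp(name, "client.example.com") == 0 && max > 0) {
        inet_pton(AF_INET, "192.0.2.10", &out[0]);
        return 1;
    }
    return 0;
}

/* Reverse-only decision, as msql2d made it: 1 if the peer at ip is
 * accepted as the permitted host client.example.com. */
int accept_reverse_only(const char *ip)
{
    struct in_addr a; char name[HOSTLEN];
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    return fake_reverse(a, name, sizeof name) == 0 &&
           strcmp(name, "client.example.com") == 0;
}

/* The same decision with forward confirmation. */
int accept_fcrdns(const char *ip)
{
    struct in_addr a; char name[HOSTLEN];
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    return fcrdns_hostname(a, fake_reverse, fake_forward, name, sizeof name) == 0 &&
           strcmp(name, "client.example.com") == 0;
}

int main(void)
{
    const char *peers[] = { "192.0.2.10", "203.0.113.5", "198.51.100.7" };
    int i;
    for (i = 0; i < 3; i++)
        printf("%-13s reverse-only=%d fcrdns=%d\n", peers[i],
               accept_reverse_only(peers[i]), accept_fcrdns(peers[i]));
    return 0;
}
```

The attacker's PTR record is under their control, but the A records for client.example.com live in the legitimate zone, which is why the forward lookup is the step that defeats the spoof. Hostname-based access control stays only as strong as the DNS on both sides, so address-based or credential-based controls remain preferable.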


Impact
~~~~~~

Remote attackers can make msqld or msql2d execute arbitrary code.  If
msqld or msql2d is run as 'root', the attacker obtains root privileges.

Remote attackers can bypass the hostname-based access control included
in msqld or msql2d.

Vulnerable Systems
~~~~~~~~~~~~~~~~~~

mSQL 2.0.1 and earlier are vulnerable.

To determine the version of msql you are running, use the msqladmin
program to run the msql stats command.  By default, the msqladmin
program can be found in /usr/local/Hughes/bin.  A typical command line
for running the stats command with the msqladmin program would read:

/usr/local/Hughes/bin/msqladmin stats

and would generate output as follows:


Server Statistics
-----------------

Mini SQL Version 2.0 Production Release
Copyright (c) 1993-94 David J. Hughes
Copyright (c) 1995-97 Hughes Technologies Pty Ltd.
All rights reserved.

Config file      : /usr/local/Hughes/msql.conf
Max connections  : 214
Cur connections  : 1
Running as user  : msql

Connection table :
  Sock    Username       Hostname        Database    Connect   Idle   Queries
 +-----+------------+-----------------+------------+---------+------+--------+
 |   6 | davids     | UNIX Sock       | No DB      |  0H  0M |    0 |      1 |
 +-----+------------+-----------------+------------+---------+------+--------+
 ...


An error message will generally indicate that you are not running an mSQL
server.  The "Running as user" line shows the account the daemon runs
under, and therefore the privileges a successful overflow would yield.


Fix information
~~~~~~~~~~~~~~~

No official security fix is available.

Unofficial unified diffs which fix the known security problems in mSQL
are available at

ftp://ftp.secnet.com/pub/patches/msql2-patches.tar.gz

This archive contains unified diffs to fix mSQL 2.0-rel and mSQL 2.0.1.

The md5 hash of the fix archive is:
MD5 (msql2-patches.tar.gz) = 4c217760ef4cf1e4a286223e0f6ec589

Additional Information
~~~~~~~~~~~~~~~~~~~~~~

mSQL is a product of Hughes Technologies.  For additional information
about mSQL, please see http://www.hughes.com.au

For more information about Secure Networks, and for past advisories,
please see http://www.secnet.com

If you have any questions, feel free to mail sni@secnet.com.

You can subscribe to our security advisory mailing list by sending
mail to majordomo@secnet.com, containing the single line
subscribe sni-advisories

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories


Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap.