Check Point Reference: | CPAI-2005-209 |
Date Published: | 26 Oct 2009 |
Severity: | High |
Last Updated: | Monday 26 October, 2009 |
Source: | |
Industry Reference: | CVE-2005-0710 |
Protection Provided by: |
Security Gateway |
Who is Vulnerable? | |
Vulnerability Description | MySQL is an open-source implementation of a relational database management system supporting the SQL (Structured Query Language) database query language. MySQL allows users to create user-defined functions (UDF) through the CREATE FUNCTION command. A vulnerability exists in the user-defined function (UDF) implementation in MySQL due to insufficient policy enforcement. A remote authenticated user with INSERT privileges on the MySQL administrative database can exploit this vulnerability to bypass UDF library path restrictions. This may allow an attacker to execute arbitrary code, with the privileges of mysqld, by calling functions in arbitrary shared libraries. The target MySQL server continues its normal functionality without error even after a successfull attack, yet once the server is restarted, the injected malicious UDFs are loaded and ready for execution. The behaviour of the target system will be dependent on the intent of the code. If the crafted SQL statements are successfully executed but the required shared library files are not on the target system, the MySQL server will output error messages when it fails to load the non-existent shared library files when starting. Any SQL command calling the malicious UDFs will get a syntax error. In practice, the attacker may force the target MySQL to restart in order to load the injected UDFs, this will close other user connections established to the target. |
This protection will detect and block attempts to exploit this vulnerability
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: MySQL Protection Violation.
Attack Information: MySQL CREATE FUNCTION table arbitrary library injection