{"vuid":"VU#602457","idnumber":"602457","name":"MySQL fails to properly validate COM_TABLE_DUMP packets","keywords":["MySQL","buffer overflow","arbitrary code execution","COM_TABLE_DUMP"],"overview":"MySQL contains a buffer overflow that may allow a remote, authenticated attacker to execute arbitrary code on a vulnerable server.","clean_desc":"MySQL and COM_TABLE_DUMP MySQL is an open-source database system available for Microsoft Windows, Linux, and other UNIX-based operating systems. Command packets are sent to the MySQL server to issue instructions to that server. One such command packet type is COM_TABLE_DUMP, which the MySQL Internals Manual describes as: COM_TABLE_DUMP (used by slave server to get master table)\nThe Problem MySQL fails to properly validate user-controlled parameters within COM_TABLE_DUMP packets. If an attacker sends a series of specially crafted COM_TABLE_DUMP packets to a vulnerable MySQL server, that attacker may be able to cause a buffer overflow. Considerations Some level of authentication is needed to exploit this vulnerability. Exploit code for this vulnerability is publicly available","impact":"A remote, authenticated attacker may be able to execute arbitrary code on a MySQL server.","resolution":"Upgrade\nThis issue is corrected in MySQL versions  4.0.27, 4.1.19, 5.0.21, and 5.1.10. Refer to the MySQL downloads page to get the appropriate updated version.","workarounds":"Disable anonymous access to MySQL Although disabling anonymous access to MySQL does not prevent attacks from occurring, it does prevent unauthenticated users from attempting to exploit the vulnerability.","sysaffected":"","thanks":"This vulnerability was reported by Stefano Di Paola.","author":"This document was written by Jeff Gennari.","public":["http://secunia.com/advisories/19929/","http://dev.mysql.com/doc/refman/4.1/en/news-4-0-27.html","http://dev.mysql.com/doc/refman/4.1/en/news-4-1-19.html","http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html","http://dev.mysql.com/doc/refman/5.1/en/news-5-1-10.html","http://downloads.mysql.com/docs/internals-en.pdf"],"cveids":["CVE-2006-1518"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-05-04T14:23:43Z","publicdate":"2006-05-02T00:00:00Z","datefirstpublished":"2006-05-05T14:47:51Z","dateupdated":"2006-05-17T12:24:30Z","revision":40,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"20","cam_exploitation":"4","cam_internetinfrastructure":"5","cam_population":"14","cam_impact":"20","cam_easeofexploitation":"9","cam_attackeraccessrequired":"9","cam_scorecurrent":"12.33225","cam_scorecurrentwidelyknown":"12.33225","cam_scorecurrentwidelyknownexploited":"19.13625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":12.33225,"vulnote":null}