ID CVE-2006-1518
Summary Buffer overflow in the open_table function in sql_base.cc in MySQL 5.0.x up to 5.0.20 might allow remote attackers to execute arbitrary code via crafted COM_TABLE_DUMP packets with invalid length values.
References
Vulnerable Configurations
  • MySQL 5.0
    cpe:2.3:a:mysql:mysql:5.0
  • MySQL MySQL 5.0.0 alpha
    cpe:2.3:a:mysql:mysql:5.0.0:alpha
  • MySQL MySQL 5.0.0.0
    cpe:2.3:a:mysql:mysql:5.0.0.0
  • MySQL MySQL 5.0.1
    cpe:2.3:a:mysql:mysql:5.0.1
  • MySQL MySQL 5.0.2
    cpe:2.3:a:mysql:mysql:5.0.2
  • MySQL MySQL 5.0.3
    cpe:2.3:a:mysql:mysql:5.0.3
  • MySQL MySQL 5.0.3 Beta
    cpe:2.3:a:mysql:mysql:5.0.3:beta
  • MySQL MySQL 5.0.4
    cpe:2.3:a:mysql:mysql:5.0.4
  • MySQL MySQL 5.0.5
    cpe:2.3:a:mysql:mysql:5.0.5
  • MySQL MySQL 5.0.6
    cpe:2.3:a:mysql:mysql:5.0.6
  • MySQL MySQL 5.0.7
    cpe:2.3:a:mysql:mysql:5.0.7
  • MySQL MySQL 5.0.8
    cpe:2.3:a:mysql:mysql:5.0.8
  • MySQL MySQL 5.0.9
    cpe:2.3:a:mysql:mysql:5.0.9
  • MySQL MySQL 5.0.10
    cpe:2.3:a:mysql:mysql:5.0.10
  • MySQL MySQL 5.0.11
    cpe:2.3:a:mysql:mysql:5.0.11
  • MySQL MySQL 5.0.12
    cpe:2.3:a:mysql:mysql:5.0.12
  • MySQL MySQL 5.0.13
    cpe:2.3:a:mysql:mysql:5.0.13
  • MySQL MySQL 5.0.14
    cpe:2.3:a:mysql:mysql:5.0.14
  • MySQL MySQL 5.0.15
    cpe:2.3:a:mysql:mysql:5.0.15
  • MySQL MySQL 5.0.16
    cpe:2.3:a:mysql:mysql:5.0.16
  • MySQL MySQL 5.0.17
    cpe:2.3:a:mysql:mysql:5.0.17
  • MySQL MySQL 5.0.18
    cpe:2.3:a:mysql:mysql:5.0.18
  • MySQL MySQL 5.0.19
    cpe:2.3:a:mysql:mysql:5.0.19
  • MySQL MySQL 5.0.20
    cpe:2.3:a:mysql:mysql:5.0.20
CVSS
Base: 6.5 (as of 05-05-2006 - 15:49)
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: SINGLE_INSTANCE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
description MySQL <= 5.0.20 COM_TABLE_DUMP Memory Leak/Remote BoF Exploit. CVE-2006-1518. Remote exploit for linux platform
id EDB-ID:1741
last seen 2016-01-31
modified 2006-05-02
published 2006-05-02
reporter Stefano Di Paola
source https://www.exploit-db.com/download/1741/
title MySQL <= 5.0.20 COM_TABLE_DUMP Memory Leak/Remote BoF Exploit
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_MYSQL-1312.NASL
    description Attackers could read portions of memory by using a user name with trailing null byte or via COM_TABLE_DUMP command (CVE-2006-1516, CVE-2006-1517). Attackers could execute arbitrary code by causing a buffer overflow via specially crafted COM_TABLE_DUMP packets (CVE-2006-1518).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27356
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27356
    title openSUSE 10 Security Update : mysql (mysql-1312)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-306-1.NASL
    description MySQL did not correctly handle NULL as the second argument to the str_to_date() function. An authenticated user could exploit this to crash the server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 27881
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27881
    title Ubuntu 5.10 : mysql-dfsg-4.1 vulnerability (USN-306-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A8D8713EDC8311DAA22B000C6EC775D9.NASL
    description Stefano Di Paola reports : An authenticated user could remotely execute arbitrary commands by taking advantage of a stack overflow. To take advantage of these flaws an attacker should have direct access to MySQL server communication layer (port 3306 or unix socket). But if used in conjunction with some web application flaws (i.e. php code injection) an attacker could use socket programming (i.e. php sockets) to gain access to that layer.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 21492
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21492
    title FreeBSD : mysql50-server -- COM_TABLE_DUMP arbitrary code execution (a8d8713e-dc83-11da-a22b-000c6ec775d9)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4913886CE87511DAB9F400123FFE8333.NASL
    description Secunia reports : MySQL has some vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information and compromise a vulnerable system.
      1) An error within the code that generates an error response to an invalid COM_TABLE_DUMP packet can be exploited by an authenticated client to disclose certain memory content of the server process.
      2) A boundary error within the handling of specially crafted invalid COM_TABLE_DUMP packets can be exploited by an authenticated client to cause a buffer overflow and allows arbitrary code execution.
      3) An error within the handling of malformed login packets can be exploited to disclose certain memory content of the server process in the error messages.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 21633
    published 2006-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21633
    title FreeBSD : MySQL -- Information Disclosure and Buffer Overflow Vulnerabilities (4913886c-e875-11da-b9f4-00123ffe8333)
  • NASL family Databases
    NASL id MYSQL_5_0_21.NASL
    description The version of MySQL installed on the remote host is earlier than 4.0.27 / 4.1.19 / 5.0.21. As such, it is potentially affected by the following vulnerabilities :
      - A remote attacker may be able to read portions of memory by sending a specially crafted login packet in which the username does not have a trailing NULL. (CVE-2006-1516)
      - A remote attacker may be able to read portions of memory by sending a specially crafted COM_TABLE_DUMP request with an incorrect packet length. (CVE-2006-1517)
      - A buffer overflow in the 'open_table()' function could allow a remote, authenticated attacker to execute arbitrary code via specially crafted COM_TABLE_DUMP packets. (CVE-2006-1518)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17697
    published 2011-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17697
    title MySQL < 4.0.27 / 4.1.19 / 5.0.21 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1079.NASL
    description Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems :
      - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms.
      - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory.
      - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information.
      - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code.
    The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed :
      package         woody           sarge            sid
      mysql           3.23.49-8.15    n/a              n/a
      mysql-dfsg      n/a             4.0.24-10sarge2  n/a
      mysql-dfsg-4.1  n/a             4.1.11a-4sarge3  n/a
      mysql-dfsg-5.0  n/a             n/a              5.0.21-3
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22621
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22621
    title Debian DSA-1079-1 : mysql-dfsg - several vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-129-02.NASL
    description New mysql packages are available for Slackware 10.2 and -current to fix security issues. The MySQL package shipped with Slackware 10.2 may possibly leak sensitive information found in uninitialized memory to authenticated users. The MySQL package previously in Slackware -current also suffered from these flaws, but an additional overflow could allow arbitrary code execution. Since the vulnerabilities require a valid login and/or access to the database server, the risk is moderate. Slackware does not provide network access to a MySQL database by default.
    last seen 2019-02-21
    modified 2013-06-01
    plugin id 21345
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21345
    title Slackware 10.2 / current : mysql (SSA:2006-129-02)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1073.NASL
    description Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems :
      - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms.
      - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory.
      - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information.
      - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code.
    The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed :
      package         woody           sarge            sid
      mysql           3.23.49-8.15    n/a              n/a
      mysql-dfsg      n/a             4.0.24-10sarge2  n/a
      mysql-dfsg-4.1  n/a             4.1.11a-4sarge3  n/a
      mysql-dfsg-5.0  n/a             n/a              5.0.21-3
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22615
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22615
    title Debian DSA-1073-1 : mysql-dfsg-4.1 - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1071.NASL
    description Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems :
      - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms.
      - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory.
      - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information.
      - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code.
    The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed :
      package         woody           sarge            sid
      mysql           3.23.49-8.15    n/a              n/a
      mysql-dfsg      n/a             4.0.24-10sarge2  n/a
      mysql-dfsg-4.1  n/a             4.1.11a-4sarge3  n/a
      mysql-dfsg-5.0  n/a             n/a              5.0.21-3
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22613
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22613
    title Debian DSA-1071-1 : mysql - several vulnerabilities
refmap via4
bid 17780
bugtraq 20060502 MySQL COM_TABLE_DUMP Information Leakage and Arbitrary command execution.
cert-vn VU#602457
confirm
debian
  • DSA-1071
  • DSA-1073
  • DSA-1079
misc http://www.wisec.it/vulns.php?page=8
sectrack 1016016
secunia
  • 19929
  • 20241
  • 20253
  • 20333
  • 20457
  • 20762
sreason 839
suse
  • SUSE-SA:2006:036
  • SUSE-SR:2006:012
vupen ADV-2006-1633
xf mysql-comtabledump-bo(26232)
Last major update 07-03-2011 - 21:33
Published 05-05-2006 - 08:46
Last modified 18-10-2018 - 12:33