ID CVE-2006-3469
Summary Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message.
References
Vulnerable Configurations
  • MySQL MySQL 4.1.6
    cpe:2.3:a:mysql:mysql:4.1.6
  • MySQL MySQL 4.1.7
    cpe:2.3:a:mysql:mysql:4.1.7
  • MySQL MySQL 4.1.8
    cpe:2.3:a:mysql:mysql:4.1.8
  • MySQL MySQL 4.1.8a
    cpe:2.3:a:mysql:mysql:4.1.8a
  • MySQL MySQL 4.1.9
    cpe:2.3:a:mysql:mysql:4.1.9
  • MySQL MySQL 4.1.11
    cpe:2.3:a:mysql:mysql:4.1.11
  • MySQL MySQL 4.1.12
    cpe:2.3:a:mysql:mysql:4.1.12
  • MySQL MySQL 4.1.12a
    cpe:2.3:a:mysql:mysql:4.1.12a
  • MySQL MySQL 4.1.13
    cpe:2.3:a:mysql:mysql:4.1.13
  • MySQL MySQL 4.1.13a
    cpe:2.3:a:mysql:mysql:4.1.13a
  • MySQL MySQL 4.1.14
    cpe:2.3:a:mysql:mysql:4.1.14
  • MySQL MySQL 4.1.14a
    cpe:2.3:a:mysql:mysql:4.1.14a
  • MySQL MySQL 4.1.15
    cpe:2.3:a:mysql:mysql:4.1.15
  • MySQL MySQL 4.1.15a
    cpe:2.3:a:mysql:mysql:4.1.15a
  • MySQL MySQL 4.1.16
    cpe:2.3:a:mysql:mysql:4.1.16
  • MySQL MySQL 4.1.18
    cpe:2.3:a:mysql:mysql:4.1.18
  • MySQL MySQL 4.1.19
    cpe:2.3:a:mysql:mysql:4.1.19
  • MySQL MySQL 4.1.20
    cpe:2.3:a:mysql:mysql:4.1.20
  • MySQL MySQL 5.0.1a
    cpe:2.3:a:mysql:mysql:5.0.1a
  • MySQL MySQL 5.0.3a
    cpe:2.3:a:mysql:mysql:5.0.3a
  • MySQL MySQL 5.0.4a
    cpe:2.3:a:mysql:mysql:5.0.4a
  • cpe:2.3:a:mysql:mysql:5.0.5.0.21
    cpe:2.3:a:mysql:mysql:5.0.5.0.21
  • MySQL MySQL 5.0.6
    cpe:2.3:a:mysql:mysql:5.0.6
  • MySQL MySQL 5.0.9
    cpe:2.3:a:mysql:mysql:5.0.9
  • MySQL MySQL 5.0.10
    cpe:2.3:a:mysql:mysql:5.0.10
  • MySQL MySQL 5.0.10a
    cpe:2.3:a:mysql:mysql:5.0.10a
  • MySQL MySQL 5.0.11
    cpe:2.3:a:mysql:mysql:5.0.11
  • MySQL MySQL 5.0.12
    cpe:2.3:a:mysql:mysql:5.0.12
  • MySQL MySQL 5.0.13
    cpe:2.3:a:mysql:mysql:5.0.13
  • MySQL MySQL 5.0.15
    cpe:2.3:a:mysql:mysql:5.0.15
  • MySQL MySQL 5.0.15a
    cpe:2.3:a:mysql:mysql:5.0.15a
  • MySQL MySQL 5.0.16
    cpe:2.3:a:mysql:mysql:5.0.16
  • MySQL MySQL 5.0.16a
    cpe:2.3:a:mysql:mysql:5.0.16a
  • MySQL MySQL 5.0.17
    cpe:2.3:a:mysql:mysql:5.0.17
  • MySQL MySQL 5.0.17a
    cpe:2.3:a:mysql:mysql:5.0.17a
  • MySQL MySQL 5.0.18
    cpe:2.3:a:mysql:mysql:5.0.18
  • MySQL MySQL 5.0.19
    cpe:2.3:a:mysql:mysql:5.0.19
CVSS
Base: 4.0 (as of 21-07-2006 - 10:58)
Impact:
Exploitability:
CWE CWE-134
CAPEC
  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language, such as printf, the formatting character %s will print the contents of a memory location, expecting this location to identify a string, and the formatting character %n writes the number of bytes output so far to a memory location. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Access
Vector NETWORK
Complexity LOW
Authentication SINGLE_INSTANCE
Impact
Confidentiality NONE
Integrity NONE
Availability PARTIAL
exploit-db via4
description MySQL 4.x/5.x Server Date_Format Denial of Service Vulnerability. CVE-2006-3469. DoS exploit for the Linux platform.
id EDB-ID:28234
last seen 2016-02-03
modified 2006-07-18
published 2006-07-18
reporter Christian Hammers
source https://www.exploit-db.com/download/28234/
title MySQL 4.x/5.x Server Date_Format Denial of Service Vulnerability
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_4_9.NASL
    description The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 24811
    published 2007-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24811
    title Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1112.NASL
    description Several local vulnerabilities have been discovered in the MySQL database server, which may lead to denial of service. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3081 'Kanatoko' discovered that the server can be crashed with feeding NULL values to the str_to_date() function. - CVE-2006-3469 Jean-David Maillefer discovered that the server can be crashed with specially crafted date_format() function calls.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22654
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22654
    title Debian DSA-1112-1 : mysql-dfsg-4.1 - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0768.NASL
    description Updated mysql packages that fix various security issues, several bugs, and add an enhancement are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. As well, the names of these created tables need to be predicted correctly for this attack to succeed. (CVE-2008-2079) MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031) A flaw in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-3469) As well, these updated packages fix the following bugs : * in the previous mysql packages, if a column name was referenced more than once in an 'ORDER BY' section of a query, a segmentation fault occurred. * when MySQL failed to start, the init script returned a successful (0) exit code. When using the Red Hat Cluster Suite, this may have caused cluster services to report a successful start, even when MySQL failed to start. In these updated packages, the init script returns the correct exit codes, which resolves this issue. * it was possible to use the mysqld_safe command to specify invalid port numbers (higher than 65536), causing invalid ports to be created, and, in some cases, a 'port number definition: unsigned short' error. In these updated packages, when an invalid port number is specified, the default port number is used. * when setting 'myisam_repair_threads > 1', any repair set the index cardinality to '1', regardless of the table size. * the MySQL init script no longer runs 'chmod -R' on the entire database directory tree during every startup. * when running 'mysqldump' with the MySQL 4.0 compatibility mode option, '--compatible=mysql40', mysqldump created dumps that omitted the 'auto_increment' field. As well, the MySQL init script now uses more reliable methods for determining parameters, such as the data directory location. Note: these updated packages upgrade MySQL to version 4.1.22. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/4.1/en/news-4-1-22.html All mysql users are advised to upgrade to these updated packages, which resolve these issues and add this enhancement.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 33585
    published 2008-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33585
    title RHEL 4 : mysql (RHSA-2008:0768)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-211-01.NASL
    description New mysql packages are available for Slackware 10.2 to fix security issues (and other bugs). For complete details about the many fixes addressed by this release, you can find MySQL's news article about the MySQL 4.1.21 Community Edition release here: http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 24656
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24656
    title Slackware 10.2 : mysql (SSA:2006-211-01)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-321-1.NASL
    description Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 27899
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27899
    title Ubuntu 5.10 : mysql-dfsg-4.1 vulnerability (USN-321-1)
  • NASL family Databases
    NASL id MYSQL_4_1_21.NASL
    description The version of MySQL installed on the remote host is earlier than 4.1.21 / 5.0 and reportedly allows a remote, authenticated user to crash the server via a format string attack.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 17800
    published 2012-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17800
    title MySQL < 4.1.21 / 5.0 Denial of Service
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080724_MYSQL_ON_SL4_X.NASL
    description MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. As well, the names of these created tables need to be predicted correctly for this attack to succeed. (CVE-2008-2079) MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031) A flaw in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-3469) As well, these updated packages fix the following bugs : - in the previous mysql packages, if a column name was referenced more than once in an 'ORDER BY' section of a query, a segmentation fault occurred. - when MySQL failed to start, the init script returned a successful (0) exit code. When using the Red Hat Cluster Suite, this may have caused cluster services to report a successful start, even when MySQL failed to start. In these updated packages, the init script returns the correct exit codes, which resolves this issue. - it was possible to use the mysqld_safe command to specify invalid port numbers (higher than 65536), causing invalid ports to be created, and, in some cases, a 'port number definition: unsigned short' error. In these updated packages, when an invalid port number is specified, the default port number is used. - when setting 'myisam_repair_threads > 1', any repair set the index cardinality to '1', regardless of the table size. - the MySQL init script no longer runs 'chmod -R' on the entire database directory tree during every startup. - when running 'mysqldump' with the MySQL 4.0 compatibility mode option, '--compatible=mysql40', mysqldump created dumps that omitted the 'auto_increment' field. As well, the MySQL init script now uses more reliable methods for determining parameters, such as the data directory location. Note: these updated packages upgrade MySQL to version 4.1.22. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/4.1/en/news-4-1-22.html
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60451
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60451
    title Scientific Linux Security Update : mysql on SL4.x i386/x86_64
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_FCB90EB02ACE11DBA6E2000E0C2E438A.NASL
    description Jean-David Maillefer reports a Denial of Service vulnerability within MySQL. The vulnerability is caused by improper checking in the date_format routine, which causes the MySQL server to crash. The crash is triggered by the following statement: SELECT date_format('%d%s', 1);
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 22213
    published 2006-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22213
    title FreeBSD : mysql -- format string vulnerability (fcb90eb0-2ace-11db-a6e2-000e0c2e438a)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200608-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-200608-09 (MySQL: Denial of Service) Jean-David Maillefer discovered a format string vulnerability in time.cc where MySQL fails to properly handle specially formatted user input to the date_format function. Impact : By specifying a format string as the first parameter to the date_format function, an authenticated attacker could cause MySQL to crash, resulting in a Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 22167
    published 2006-08-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22167
    title GLSA-200608-09 : MySQL: Denial of Service
oval via4
accepted 2013-04-29T04:22:35.064-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message.
family unix
id oval:org.mitre.oval:def:9827
status accepted
submitted 2010-07-09T03:56:16-04:00
title Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message.
version 23
redhat via4
advisories
rhsa
id RHSA-2008:0768
rpms
  • mysql-0:4.1.22-2.el4
  • mysql-bench-0:4.1.22-2.el4
  • mysql-devel-0:4.1.22-2.el4
  • mysql-server-0:4.1.22-2.el4
refmap via4
apple APPLE-SA-2007-03-13
bid 19032
cert TA07-072A
confirm
debian DSA-1112
gentoo GLSA-200608-09
misc
secunia
  • 21147
  • 21366
  • 24479
  • 31226
ubuntu USN-321-1
vupen ADV-2007-0930
statements via4
contributor Mark J Cox
lastmodified 2008-07-25
organization Red Hat
statement This issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2008-0768.html This issue did not affect mysql packages as shipped with Red Hat Enterprise Linux 2.1, 3, or 5, and Red Hat Application Stack v1 and v2.
Last major update 07-03-2011 - 00:00
Published 21-07-2006 - 10:03
Last modified 10-10-2017 - 21:31