
CVE-2009-4484

MySQL - yaSSL CertDecoder::GetName Buffer Overflow

  • Severity Score (CVSS v2): 7.5
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 2
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.


*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2009-12-30 CVE Reserved
  • 2009-12-30 CVE Published
  • 2010-04-30 First Exploit
  • 2024-08-07 CVE Updated
  • 2024-09-19 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-787: Out-of-bounds Write
CAPEC
References (37)
URL Tag Source
http://archives.neohapsis.com/archives/dailydave/2010-q1/0002.html Broken Link
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0/revision/2837.1.1 Broken Link
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-90.html Broken Link
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-43.html Broken Link
http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html Broken Link
http://intevydis.com/mysql_demo.html Broken Link
http://intevydis.com/mysql_overflow1.py.txt Broken Link
http://intevydis.com/vd-list.shtml Broken Link
http://isc.sans.org/diary.html?storyid=7900 Third Party Advisory
http://lists.immunitysec.com/pipermail/dailydave/2010-January/006020.html Broken Link
http://secunia.com/advisories/37493 Third Party Advisory
http://secunia.com/advisories/38344 Third Party Advisory
http://secunia.com/advisories/38364 Third Party Advisory
http://secunia.com/advisories/38517 Third Party Advisory
http://secunia.com/advisories/38573 Third Party Advisory
http://securitytracker.com/id?1023402 Third Party Advisory
http://securitytracker.com/id?1023513 Third Party Advisory
http://www.intevydis.com/blog/?p=106 Broken Link
http://www.intevydis.com/blog/?p=57 Broken Link
http://www.metasploit.com/modules/exploit/linux/mysql/mysql_yassl_getname Third Party Advisory
http://www.osvdb.org/61956 Broken Link
http://www.securityfocus.com/bid/37640 Third Party Advisory
http://www.securityfocus.com/bid/37943 Third Party Advisory
http://www.securityfocus.com/bid/37974 Third Party Advisory
http://www.vupen.com/english/advisories/2010/0233 Third Party Advisory
http://www.vupen.com/english/advisories/2010/0236 Third Party Advisory
http://www.yassl.com/news.html#yassl199 Broken Link
http://www.yassl.com/release.html Broken Link
http://yassl.cvs.sourceforge.net/viewvc/yassl/yassl/taocrypt/src/asn.cpp?r1=1.13&r2=1.14 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=555313 Issue Tracking
https://exchange.xforce.ibmcloud.com/vulnerabilities/55416 Third Party Advisory
URL Date SRC
http://lists.mysql.com/commits/96697 2023-02-14
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Oracle | Mysql | >= 5.0.0 < 5.0.90 | - | Affected
Oracle | Mysql | >= 5.1.0 < 5.1.43 | - | Affected
Oracle | Mysql | 5.0.0 | milestone1 | Affected
Oracle | Mysql | 5.0.0 | milestone2 | Affected
Wolfssl | Yassl | < 1.9.9 | - | Affected
Canonical | Ubuntu Linux | 6.06 | - | Affected
Canonical | Ubuntu Linux | 8.04 | - | Affected
Canonical | Ubuntu Linux | 8.10 | - | Affected
Canonical | Ubuntu Linux | 9.04 | - | Affected
Canonical | Ubuntu Linux | 9.10 | - | Affected
Canonical | Ubuntu Linux | 10.04 | - | Affected
Canonical | Ubuntu Linux | 10.10 | - | Affected
Canonical | Ubuntu Linux | 11.04 | - | Affected
Canonical | Ubuntu Linux | 11.10 | - | Affected
Debian | Debian Linux | 4.0 | - | Affected
Debian | Debian Linux | 5.0 | - | Affected
Debian | Debian Linux | 6.0 | - | Affected
Mariadb | Mariadb | >= 5.1 < 5.1.42 | - | Affected