Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-8006

[FG-VD-15-029] MariaDB PCRE Handling Multiple Remote Denial of Service Vulnerabilities

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 10.0.17, 10.1.4
    • Fix Version/s: 10.0.18, 10.1.5
    • Component/s: OTHER
    • Labels:
      None
    • Environment:
      windows 7 x64

      Description

      The following information pertains to information discovered by Fortinet's FortiGuard Labs. It has been determined that two vulnerabilities exist in MariaDB.

      Proof of Concept/How to Reproduce:
      To reproduce the first issue, you can use mysql to access remote MariaDB server (for example, "mysql -uroot -p") and do the following database operation:

         	 SELECT REGEXP_SUBSTR('ABC','(?i)((?2){0,1999}?(())|A)*');
      

      To reproduce the second issue, do the following database operation:

       	   SELECT REGEXP_SUBSTR('ABC','((?+1)()){222,}+');
      

      It causes the MariaDB Server down. And some screenshots are attached.

      Note: The repro of these two issues may be unstable, sometimes you need to try it many times.

      Analysis:
      The root cause of these issues exists in the underlying pcre lib. They had been reported to pcre lib developer and fixed in the latest pcre lib version 8.37.
      http://bugs.exim.org/show_bug.cgi?id=1592
      http://bugs.exim.org/show_bug.cgi?id=1591
      http://vcs.pcre.org/viewvc/code/trunk/ChangeLog?view=markup

      Type of Vulnerability & Repercussions:
      Remote Denial of Service

      Affected Products:
      MariaDB 10.0.17
      Other versions may be affected too

      Testing Platforms:
      Windows 7 x64(en)

      Upcoming Advisory Reference:
      http://www.fortiguard.com/advisory/UpcomingAdvisories.html

      Credits:
      These vulnerabilities were discovered by Kai Lu of Fortinet's FortiGuard Labs.

        Attachments

          Issue links

            Activity

              People

              • Assignee:
                serg Sergei Golubchik
                Reporter:
                secresearch secresearch
              • Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: