Does anybody know of any resources better explaining CVE-2005-0709 than
that found at:
If not, can anybody explain how it works?

Re: CVE-2005-0709


The canonical location of CVEs is at

You'll find many links to many different explanations there.

Basically, what it appears to be is a privilege escalation
vulnerability.  If a given mysql user has the ability to insert or
delete records on an administrative database, they can cleverly, by
leveraging the create function command, escalate their privileges to
run any function that's in libc.

This reference shows how that vulnerability is used to pop a shell
back to an attacker with privs of the mysql user:

This vulnerability has been patched.  If you're coming at this from a
mysql administrator standpoint, apply the patch and go about your

Best Regards,
Todd H. /
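The reply above names two preconditions for this escalation: a MySQL account that can write to the administrative database, and the CREATE FUNCTION path that makes the server load a symbol out of a shared library. The following audit script is an added example, not code from the thread or from MySQL; it checks both preconditions on offline, constructed sample data: rows in the shape of `mysql.func` (the table CREATE FUNCTION writes to) and lines in the shape of `SHOW GRANTS` output. The allowlist of expected UDF libraries is an assumption an operator would maintain for their own server.

```python
"""Audit the two preconditions behind CVE-2005-0709 on constructed sample data.

Assumptions (not from the original thread):
  - ALLOWED_UDF_LIBS is the operator's own list of UDF libraries that belong on
    this server; anything else registered in mysql.func is worth a look.
  - Grants are given as plain SHOW GRANTS lines, one per list element.
"""
import os
import re

# Constructed sample rows, as `SELECT name, ret, dl FROM mysql.func` would show them.
# The second and third rows point the server at the C library itself.
SAMPLE_FUNC_ROWS = [
    ("my_sum", 2, "udf_sum.so"),
    ("strcat", 0, "/lib/libc.so.6"),
    ("on_exit", 0, "libc.so.6"),
]

# Constructed sample SHOW GRANTS lines for several accounts.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'%'",
    "GRANT SELECT, INSERT ON `appdb`.* TO 'app'@'%'",
    "GRANT INSERT, DELETE ON `mysql`.* TO 'reporting'@'10.0.0.5'",
    "GRANT INSERT ON `mysql`.`func` TO 'loader'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

# Assumed operator allowlist: UDF libraries that are expected to be registered.
ALLOWED_UDF_LIBS = {"udf_sum.so"}

# Privileges that let an account add or remove rows in mysql.func directly,
# which is what the escalation described in the thread relies on.
WRITE_PRIVS = {"ALL PRIVILEGES", "ALL", "INSERT", "DELETE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+(?P<who>.+?)(?:\s+WITH.*)?$",
    re.IGNORECASE,
)


def audit_func_rows(rows, allowed=ALLOWED_UDF_LIBS):
    """Return (name, dl, reason) for every registered function that looks suspicious."""
    findings = []
    for name, _ret, dl in rows:
        if "/" in dl or "\\" in dl or ".." in dl:
            # A path instead of a bare library name means the registration is
            # steering the loader somewhere specific rather than to the UDF directory.
            findings.append((name, dl, "library given as a path, not a bare file name"))
        elif os.path.basename(dl) not in allowed:
            findings.append((name, dl, "library not in the UDF allowlist"))
    return findings


def audit_grants(grant_lines):
    """Return (account, object, write privileges) for accounts that can write mysql.*."""
    findings = []
    for line in grant_lines:
        match = GRANT_RE.match(line.strip().rstrip(";"))
        if not match:
            continue  # not a GRANT statement; ignore
        privs = {p.strip().upper() for p in match.group("privs").split(",")}
        obj = match.group("obj").replace("`", "")
        db = obj.split(".", 1)[0]
        if db not in ("*", "mysql"):
            continue  # writes to application databases are not the issue here
        write = privs & WRITE_PRIVS
        if write:
            findings.append((match.group("who"), obj, sorted(write)))
    return findings


if __name__ == "__main__":
    for finding in audit_func_rows(SAMPLE_FUNC_ROWS):
        print("mysql.func:", finding)
    for finding in audit_grants(SAMPLE_GRANTS):
        print("grant:", finding)
```

The administrative root account is reported as well; that is expected, and the point of the grant check is the other accounts that turn up beside it. On a live server the same two functions can be fed the real `mysql.func` rows and `SHOW GRANTS FOR` output for each account.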

Re: CVE-2005-0709

Cheers for that. In the explanation given at neohapsis, it all makes
sense until the SELECT 'function name' bits at the end, where each is
provided with 49ish parameters (all zeros). Aren't they expecting just a
couple of arguments to satisfy the pointers strcat and on_exit are
expecting, and just an int for exit:

char *strcat(char *dest, const char *src);
int on_exit(void (*function)(int , void *), void *arg);
void exit(int status);

Supposing we have created strcat, on_exit and exit in the MySQL DBMS,
mysql> select on_exit(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
mysql> select strcat(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
*************************** 1. row ***************************
        0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0): 1
1 row in set (0.00 sec)
mysql> select exit();

Re: CVE-2005-0709


I haven't looked at the exploit code in depth, but it's not uncommon
for a vulnerability to be one of the buffer overflow variety, where data
unlike anything the developers would ever expect overflows an input
buffer and then allows an attacker to write to memory, redirect the
processor's instruction pointer into that memory, and voila, the
attacker can execute commands beyond the process's intended privilege

Todd H. /
