[MDEV-8006] [FG-VD-15-029] MariaDB PCRE Handling Multiple Remote Denial of Service Vulnerabilities Created: 2015-04-17  Updated: 2015-05-05  Resolved: 2015-05-05

Status: Closed
Project: MariaDB Server
Component/s: OTHER
Affects Version/s: 10.0.17, 10.1.4
Fix Version/s: 10.0.18, 10.1.5

Type: Bug Priority: Critical
Reporter: secresearch Assignee: Sergei Golubchik
Resolution: Fixed Votes: 1
Labels: None
Environment: Windows 7 x64

Attachments: MariaDB_DoS_PoC_1_01.png (PNG), MariaDB_DoS_PoC_1_02.png (PNG), MariaDB_DoS_PoC_2.png (PNG)
Issue Links:
PartOf
is part of MDEV-8071 10.0.18 merge Closed

Description

The following information pertains to information discovered by Fortinet's FortiGuard Labs. It has been determined that two vulnerabilities exist in MariaDB.

Proof of Concept/How to Reproduce:
To reproduce the first issue, you can use mysql to access remote MariaDB server (for example, "mysql -uroot -p") and do the following database operation:

    SELECT REGEXP_SUBSTR('ABC','(?i)((?2){0,1999}?(())|A)*');

To reproduce the second issue, do the following database operation:

    SELECT REGEXP_SUBSTR('ABC','((?+1)()){222,}+');

It brings the MariaDB server down. Some screenshots are attached.

Note: the repro of these two issues may be unstable; sometimes you need to try it many times.

Analysis:
The root cause of these issues is in the underlying pcre lib. They have been reported to the pcre lib developers and are fixed in the latest pcre lib version, 8.37.
http://bugs.exim.org/show_bug.cgi?id=1592
http://bugs.exim.org/show_bug.cgi?id=1591
http://vcs.pcre.org/viewvc/code/trunk/ChangeLog?view=markup

Type of Vulnerability & Repercussions:
Remote Denial of Service

Affected Products:
MariaDB 10.0.17
Other versions may be affected too

Testing Platforms:
Windows 7 x64 (en)

Upcoming Advisory Reference:
http://www.fortiguard.com/advisory/UpcomingAdvisories.html

Credits:
These vulnerabilities were discovered by Kai Lu of Fortinet's FortiGuard Labs.



Comments
Comment by secresearch [ 2015-04-24 ]

Anyone track this issue?

Comment by Daniel Black [ 2015-04-24 ]

Anyone track this issue?

It's a critical priority assigned to the next release.

It also shouldn't be much effort to fix.

According to the bug fixing policy https://mariadb.com/kb/en/mariadb/mariadb-bug-fixing-policy/ this is still a yellow threat level, as it requires an authenticated user. I'm not saying it's a perfect policy, but it certainly will be addressed. There are a number of other bugs in the same category.

The next 10.0 and 10.1 releases aren't too far away https://mariadb.atlassian.net/projects/MDEV?selectedItem=com.atlassian.jira.jira-projects-plugin:release-page and the release team will make sure this is included along with any other high importance bug fixes.

Comment by Daniel Black [ 2015-05-01 ]

https://github.com/MariaDB/server/pull/60

Thanks for the test case, secresearch.

Comment by Sergei Golubchik [ 2015-05-05 ]

I've merged pcre 8.37, but this only fixes packages where we build with bundled pcre. Normally we prefer to use system libraries, when possible. So for packages where we link with system pcre, this issue needs to be fixed by distributions. Hopefully it already is.
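Against the reproduction steps in the description and the bundled-versus-system distinction in the comment above, here is an added example that is not part of the Fortinet report or of MariaDB's own code: a POSIX shell script that reports whether a given mysqld binary links the system libpcre and, if so, whether that library is 8.37 or newer (the release carrying the fixes for PCRE bugs 1591 and 1592). It assumes `ldd` and `pcre-config` are available on the host and that the path passed in is the server binary that evaluates REGEXP_SUBSTR; both are assumptions, not something the issue states.

```shell
#!/bin/sh
# Added example, not part of the MDEV-8006 report or of MariaDB's own code.
# Purpose: tell whether a mysqld binary is exposed to the PCRE bugs behind
# MDEV-8006 (fixed upstream in PCRE 8.37) by looking at which libpcre it links.
# Assumptions: `ldd` and `pcre-config` exist on the host, and the path passed in
# is the server binary that evaluates REGEXP_SUBSTR. A server built with the
# bundled PCRE shows no libpcre in `ldd` output and is covered by the
# MariaDB 10.0.18 / 10.1.5 merge of PCRE 8.37.

# pcre_version_ok VERSION -> exit 0 if VERSION is 8.37 or newer, 1 if older,
# 2 if VERSION is not a plain "major.minor" string.
pcre_version_ok() {
    ver="$1"
    case "$ver" in *.*) ;; *) ver="$ver.0" ;; esac   # "8" -> "8.0"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    case "$major$minor" in *[!0-9]*) return 2 ;; esac
    [ "$major" -gt 8 ] && return 0
    [ "$major" -eq 8 ] && [ "$minor" -ge 37 ]
}

# linked_pcre_version MYSQLD_PATH -> prints the system libpcre version that
# mysqld links against, or "bundled" when ldd shows no libpcre at all.
linked_pcre_version() {
    bin="$1"
    [ -x "$bin" ] || { echo "no such executable: $bin" >&2; return 1; }
    if ldd "$bin" 2>/dev/null | grep -q 'libpcre\.so'; then
        pcre-config --version
    else
        echo bundled
    fi
}

# verdict VERSION_OR_bundled -> one-line assessment for that PCRE
verdict() {
    v="$1"
    if [ "$v" = bundled ]; then
        echo "bundled PCRE: fixed by the MariaDB 10.0.18 / 10.1.5 merge of PCRE 8.37"
        return 0
    fi
    rc=0
    pcre_version_ok "$v" || rc=$?
    case $rc in
        0) echo "system PCRE $v: 8.37 or newer, fixes for PCRE bugs 1591/1592 present" ;;
        1) echo "system PCRE $v: older than 8.37, check the distribution package for a backport" ;;
        *) echo "unrecognised PCRE version string: $v" ;;
    esac
}

# check_server MYSQLD_PATH -> prints the verdict for that binary
check_server() {
    v=$(linked_pcre_version "$1") || return 1
    verdict "$v"
}

# Usage: sh check_pcre.sh /usr/sbin/mysqld   (the path is an assumption)
if [ -n "${1:-}" ]; then
    check_server "$1"
fi
```

The version comparison only states whether the linked library is at or past 8.37. Distributions often backport fixes without bumping the version string, so an "older than 8.37" result means checking the package changelog for the PCRE 1591/1592 fixes, not necessarily a vulnerable server.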

Generated at Thu Feb 08 07:23:56 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.