Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2021-2429: A Heap-based Buffer Overflow Bug in the MySQL InnoDB memcached Plugin - 599

Lucas Leong - ZDI Posted 4 Years Ago
  • The bug is in the memcached GET command of the MySQL plugin. The command supports multiple key-value pairs in a single query.
  • When the GET command is used in the @@containers.name form, a few operations happen. First, the table name is copied into a buffer. Before the copy, a validation is supposed to ensure that there is enough space. This is where the mistake is.
  • That validation is an assert. Because assert is a macro that is compiled out when NDEBUG is defined, which is the normal setting for release builds, the check exists only in debug builds, and a release build runs straight into a heap buffer overflow. Boom!
  • Both the length of the overflow and the bytes written are controllable by an attacker. A trigger looks like this: get @@aaa @@aaa @@aaa ....
  • Each @@aaa is replaced with the table name during this operation. The bug is likely exploitable on its own, but a reliable exploit would also need a memory disclosure (info leak). The patch simply removes the assert clauses and adds real code that validates the size before the copy.
  • Getting the validation right but botching the error handling is not terribly uncommon. BootHole, for instance, did the same thing. Reviewing error handling and the use of asserts in C code is something I'm going to be looking for in the future!
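To make the assert-as-bounds-check mistake concrete, here is a small constructed C program, added here and not taken from the ZDI write-up or from MySQL's plugin source. It re-creates the shape of the bug: a loop that replaces every @@name token in a GET query with a table name, once with the space check inside assert() (vulnerable shape) and once with a real check that fails closed (the shape of the fix). TABLE_NAME, OUT_CAP, expand_keys_vuln, expand_keys_safe and assert_is_active are all hypothetical names chosen for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the plugin's table name and output buffer. */
#define TABLE_NAME "demo_db/demo_table"   /* 18 bytes */
#define OUT_CAP    48

/* Returns 1 if assert() is compiled in for this build, 0 under -DNDEBUG. */
int assert_is_active(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Vulnerable shape: expand every "@@name" token in `query` into TABLE_NAME.
 * The only bounds check is an assert(). In a release build (NDEBUG defined)
 * that line compiles to nothing and memcpy overruns `out`.
 * Returns the number of bytes written. */
size_t expand_keys_vuln(const char *query, char *out, size_t cap)
{
    size_t n = 0;
    const char *p = query;
    while (*p) {
        if (p[0] == '@' && p[1] == '@') {
            size_t tl = strlen(TABLE_NAME);
            assert(n + tl < cap);            /* vanishes in release builds */
            memcpy(out + n, TABLE_NAME, tl);
            n += tl;
            p += 2;
            while (*p && *p != ' ') p++;     /* skip the key name */
        } else {
            assert(n + 1 < cap);
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Hardened shape, mirroring what the fix does: a real check that refuses
 * the request instead of aborting or overflowing.
 * Returns bytes written, or -1 when the expansion would not fit. */
long expand_keys_safe(const char *query, char *out, size_t cap)
{
    size_t n = 0;
    const char *p = query;
    while (*p) {
        if (p[0] == '@' && p[1] == '@') {
            size_t tl = strlen(TABLE_NAME);
            if (n + tl >= cap)
                return -1;                   /* fail closed, present in every build */
            memcpy(out + n, TABLE_NAME, tl);
            n += tl;
            p += 2;
            while (*p && *p != ' ') p++;
        } else {
            if (n + 1 >= cap)
                return -1;
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    char buf[OUT_CAP];
    const char *small = "get @@aaa";                   /* constructed: fits in 48 */
    const char *big   = "get @@aaa @@aaa @@aaa @@aaa"; /* constructed: 4 x 18 bytes does not */

    printf("assert() active in this build: %d\n", assert_is_active());
    printf("small -> %ld bytes: %s\n", expand_keys_safe(small, buf, sizeof buf), buf);
    printf("big   -> %ld (rejected)\n", expand_keys_safe(big, buf, sizeof buf));
    /* expand_keys_vuln(big, ...) would abort in a debug build and silently
     * overrun buf in a release build, so it is deliberately not called. */
    return 0;
}
```

Build it twice, once plain and once with -DNDEBUG, and assert_is_active() shows why the two builds behave differently: the vulnerable version's only guard is gone in the second build, while the hardened version rejects the oversized query the same way in both.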