
RedHat RHEL 6+; MySQL (latest)

This is strange. I have a working application, it is really a .so plugin for the PAM system on Linux. With my plugin installed, I can login using ssh, the console and a tool called x2go. If I switch out x2go and use xrdp then it throws an exception

*** glibc detected *** /usr/sbin/xrdp-sesman: free(): invalid pointer: 0x0000000002560718 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x75f4e)[0x7f25a9923f4e]
/lib64/libc.so.6(+0x78cad)[0x7f25a9926cad]
/usr/lib64/mysql/libmysqlclient.so.18(mysql_stmt_close+0x61)[0x7f259ba6b611]
/usr/local/sbin/myPlugin/pam_myPlugin.so(_ZN16UserTracking_Lib7MySQLDB7MySQLDB22insertIntomyPluginESt4listINS_11EventRecordESaIS3_EE+0x5dd)[0x7f25a010bedd]
/usr/local/sbin/myPlugin/pam_myPlugin.so(InsertEventRecord+0x498)[0x7f25a0107458]
/usr/local/sbin/myPlugin/pam_myPlugin.so(call_myPlugin+0x6a1)[0x7f25a0106301]
/lib64/libpam.so.0[0x39d8402cee]
/lib64/libpam.so.0(pam_open_session+0x28)[0x39d8407168]
/usr/sbin/xrdp-sesman[0x4077c7]
/usr/sbin/xrdp-sesman[0x404e23]
/usr/sbin/xrdp-sesman[0x40598a]
/usr/sbin/xrdp-sesman[0x403f41]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f25a98ccd5d]
/usr/sbin/xrdp-sesman[0x402d99]
...

The code section involved is:

// Assumed context not shown in the question: `mysql` is the connected MYSQL
// handle, `error` is a char buffer sized by the caller, `insertSQL` is a
// char[1024], and `item` is the EventRecord being inserted.
#include <mysql/mysql.h>
#include <syslog.h>
#include <cstdio>
#include <cstring>
#include <string>

MYSQL_STMT *sth;
int numBindCols = 5;
std::string dateTmp = MyAppUtilities::MyAppUtilities::UpperCase(item.getDate().c_str());

if (dateTmp.compare("NOW()") == 0) {
    snprintf(insertSQL, 1024,
            "INSERT INTO %s (blah, blah, blah, blah, blah, date) "
            "VALUES(UPPER(?), UPPER(?), UPPER(?), UPPER(?), UPPER(?), NOW())",
            MyApp_Lib::MySQLDB::DBMyAppTableName.c_str());
} else {
    snprintf(insertSQL, 1024,
            "INSERT INTO %s (blah, blah, blah, blah, blah, date) "
            "VALUES(UPPER(?), UPPER(?), UPPER(?), UPPER(?), UPPER(?), ?)",
            MyApp_Lib::MySQLDB::DBMyAppTableName.c_str());

    numBindCols = 6;
}

if ((sth = mysql_stmt_init(&mysql)) == NULL) {
    // sth is NULL on this path, so mysql_stmt_error(sth) would dereference a
    // null pointer; the init failure is reported on the connection handle.
    sprintf(error, "%s: MySQL could not init statement: %s",
            __func__, mysql_error(&mysql));
    syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
    throw MyAppUtilities::MyException(error);
}

if (mysql_stmt_prepare(sth, insertSQL, strlen(insertSQL)) != 0) {
    sprintf(error, "%s: MySQL could not prepare query: %s",
            __func__, mysql_stmt_error(sth));
    syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
    mysql_stmt_close(sth);   // release the handle before unwinding
    throw MyAppUtilities::MyException(error);
}

int col = 0;

MYSQL_BIND bind[6];
memset(bind, 0, sizeof (bind));

[... several bind blocks... ]

if (mysql_stmt_bind_param(sth, bind) != 0) {
    sprintf(error, "%s: MySQL could not bind values: %s",
            __func__, mysql_stmt_error(sth));
    syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
    mysql_stmt_close(sth);   // release the handle before unwinding
    throw MyAppUtilities::MyException(error);
}

if (mysql_stmt_execute(sth) != 0) {
    sprintf(error, "%s: MySQL could not execute: %s",
            __func__, mysql_stmt_error(sth));
    syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
    mysql_stmt_close(sth);   // release the handle before unwinding
    throw MyAppUtilities::MyException(error);
}

if (mysql_stmt_close(sth) != 0) {
    // mysql_stmt_close() is documented to deallocate the handle even when it
    // reports an error, so sth must not be used here; read the connection error.
    sprintf(error, "%s: MySQL could not close stmt handle: %s",
            __func__, mysql_error(&mysql));
    syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
    throw MyAppUtilities::MyException(error);
}

The sth is created and treated in the same way as the example at: https://dev.mysql.com/doc/refman/5.0/en/mysql-stmt-execute.html. I don't see the issue. Ideas?

7 Reeds
  • That's a lot of code, and it's incomplete (you refer to variables for which you haven't shown definitions). Can you reproduce the problem with simpler code (say, a hard-coded query without bound variables)? – nobody Oct 09 '15 at 02:14

1 Answer

It looks like you are victim of CVE-2017-3302. You need to upgrade your MySQL client at least to version 5.5.55 or 5.6.21 or 5.7.5. Or MariaDB client at least to version 5.5.55 or 10.0.30 or 10.1.22 or 10.2.5.

See: http://www.openwall.com/lists/oss-security/2017/02/11/11

Pali