COMMAND
MySQL local buffer overflow via .ini file

SYSTEMS AFFECTED
MySQL Database v3.23.49-nt

PROBLEM
In Matt Moore's [matt@westpoint.ltd.uk] advisory [ID#:wp-02-0003]:

MySQL reads a configuration file, 'my.ini', from either c:\my.ini or c:\WINNT\my.ini. The default ACLs for c:\my.ini allow the 'Everyone' group Full Control. The ACLs for c:\winnt are slightly more restrictive, but do allow members of the 'Power Users' NT group write access.

By supplying an overly long string for the 'datadir' parameter in my.ini, it is possible to overflow a buffer in mysqld-nt.exe, overwriting EIP, and hence executing arbitrary code in the context of the SYSTEM account.

E.g. change the entry for 'datadir' from:

datadir=C:/mysql/data

to:

datadir=C:/AAAAAA...AAAA

and restart the MySQL service or reboot the machine.

SOLUTION
Fixed in the 3.23.50 release of MySQL and MySQL 4.0.2.

This advisory is available online at: http://www.westpoint.ltd.uk/advisories/wp-02-0003.txt
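The defect described above is an unbounded copy of a configuration value into a fixed-size buffer. The following is an added illustration of the corrective pattern, not MySQL's own code: the 'datadir' value from an .ini text is copied only after its length has been checked against the buffer, and an oversized value is rejected rather than truncated or copied. DATADIR_MAX and the two constructed sample configurations are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define DATADIR_MAX 260   /* assumed fixed-size buffer (Windows MAX_PATH) */

typedef struct { char datadir[DATADIR_MAX]; } mysql_opts_t;

/* Locate "datadir=" in ini_text and copy its value into opts->datadir.
 * Returns 0 on success, -1 if the key is absent, -2 if the value
 * would not fit (the case an unbounded strcpy() would have overflowed). */
int load_datadir(const char *ini_text, mysql_opts_t *opts) {
    const char *key = "datadir=";
    size_t keylen = strlen(key);
    const char *p = ini_text;
    while (p && *p) {
        while (*p == ' ' || *p == '\t') p++;          /* leading whitespace */
        if (strncmp(p, key, keylen) == 0) {
            const char *val = p + keylen;
            size_t len = strcspn(val, "\r\n");        /* value runs to end of line */
            if (len >= DATADIR_MAX) return -2;        /* explicit bound check */
            memcpy(opts->datadir, val, len);
            opts->datadir[len] = '\0';
            return 0;
        }
        p = strchr(p, '\n');                          /* next line, if any */
        if (p) p++;
    }
    return -1;
}

/* Constructed benign my.ini: expect 0 and the value "C:/mysql/data". */
int demo_benign(void) {
    mysql_opts_t o;
    int rc = load_datadir("[mysqld]\nbasedir=C:/mysql\ndatadir=C:/mysql/data\n", &o);
    return (rc == 0 && strcmp(o.datadir, "C:/mysql/data") == 0) ? 0 : 1;
}

/* Constructed oversized my.ini (1000 'A's in datadir): expect -2, no overflow. */
int demo_oversized(void) {
    char ini[1100];
    mysql_opts_t o;
    strcpy(ini, "[mysqld]\ndatadir=C:/");
    memset(ini + strlen(ini), 'A', 1000);
    strcpy(ini + strlen(ini), "\n");
    return load_datadir(ini, &o);
}

int main(void) {
    printf("benign: %d (0 = ok)\noversized: %d (-2 = rejected)\n",
           demo_benign(), demo_oversized());
    return 0;
}
```

The file permission half of the advisory is not addressed by this code; restricting write access to my.ini to administrators is the complementary control.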