VYPR
Unrated severity · NVD Advisory · Published Dec 6, 2004 · Updated Apr 16, 2026

CVE-2004-0628

Description

Stack-based buffer overflow in MySQL 4.1.x before 4.1.3 and 5.0 via a long scramble string allows denial of service and possibly arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stack-based buffer overflow exists in MySQL 4.1.x prior to 4.1.3 and in MySQL 5.0. The vulnerability occurs during the authentication handshake when the server processes an overly long "scramble" string generated by the my_rnd() function [1][2]. An attacker can exploit this by sending a crafted authentication packet that includes a long scramble value, leading to a buffer overflow on the stack [1].

Exploitation

An unauthenticated remote attacker can send a specially crafted authentication packet to the MySQL server (typically listening on TCP port 3306) [2]. By setting the client capabilities flag 0x8000 and controlling the passwd_len field, the attacker can trigger the overflow [1]. No prior authentication or user interaction is required [2].

Impact

Successful exploitation results in a denial of service (server crash) and may allow arbitrary code execution with the privileges of the MySQL process [1][2]. The attacker can potentially bypass authentication entirely or execute arbitrary code, gaining full control over the database server [1].

Mitigation

MySQL version 4.1.3 (Beta) and version 5.0 (Alpha) contain fixes for this vulnerability [1][2]. Users should upgrade to these or later versions. As a workaround, restrict access to the MySQL service (port 3306/tcp) from untrusted networks [2]. No known KEV listing exists.
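
As a detection aid for the handshake fields described under Exploitation, the following added example (not from the advisory or from MySQL's code) parses a client login packet and flags a declared scramble length above 20 bytes. The packet layout, the 0x0200 protocol flag and the 20-byte threshold are assumptions taken from the public MySQL client/server protocol documentation, and the sample packets are constructed.

```python
import struct

CLIENT_PROTOCOL_41 = 0x0200        # assumption: selects the 4.1 packet layout
CLIENT_SECURE_CONNECTION = 0x8000  # capability flag named in the advisory text
SCRAMBLE_LENGTH = 20               # assumption: size of a 4.1 scramble response

def inspect_login(packet: bytes) -> dict:
    """Parse one client login packet (4-byte header included) and report the
    declared scramble length and whether it exceeds SCRAMBLE_LENGTH."""
    payload_len = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + payload_len]
    if len(payload) < 5:
        raise ValueError("too short for a login packet")
    flags = struct.unpack_from("<H", payload, 0)[0]
    # 4.1 layout: 4B flags, 4B max packet, 1B charset, 23B filler = 32 bytes.
    # Older layout: 2B flags, 3B max packet = 5 bytes.
    pos = 32 if flags & CLIENT_PROTOCOL_41 else 5
    end_user = payload.find(b"\x00", pos)
    if end_user < 0:
        raise ValueError("unterminated user name")
    user = payload[pos:end_user].decode("latin-1")
    pos = end_user + 1
    if flags & CLIENT_SECURE_CONNECTION:
        if pos >= len(payload):
            raise ValueError("missing passwd_len byte")
        passwd_len = payload[pos]  # one-byte length prefix
    else:
        nul = payload.find(b"\x00", pos)
        passwd_len = (nul if nul >= 0 else len(payload)) - pos
    return {
        "user": user,
        "secure_connection": bool(flags & CLIENT_SECURE_CONNECTION),
        "passwd_len": passwd_len,
        "suspicious": passwd_len > SCRAMBLE_LENGTH,
    }

def build_login(user: bytes, scramble: bytes) -> bytes:
    """Constructed test fixture: a 4.1-layout login packet."""
    flags = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB23x", flags, 1 << 24, 8)
    payload += user + b"\x00" + bytes([len(scramble)]) + scramble
    return len(payload).to_bytes(3, "little") + b"\x01" + payload
```

A sensor or proxy in front of port 3306 could call `inspect_login` on the first client packet of each connection and alert when `suspicious` is true.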

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • MySQL/MySQL (2 versions)
    • cpe:2.3:a:mysql:mysql:4.1.0:*:*:*:*:*:*:*
    • (no CPE) range: <4.1.3, 5.0

References

4
