Possible SQL Injection attack on Murmur server

It crashed, it is bugged, ...

Possible SQL Injection attack on Murmur server

Postby Morgaul » Tue May 22, 2018 4:13 pm

Mumble server 1.2.19 for Linux murmur-static_x86-1.2.19.tar.bz2 working on Ubuntu 16.04 LTS x64.
Logging to log file on disk.
Suddenly crashes twice for 2 minutes.
Log file before crash:
<W>2018-05-22 18:50:37.179 2 => <22:(-1)> Client version 1.2.4 (iOS: Mumble for iOS 1003001001)
<F>2018-05-22 18:50:37.185 SQL Error [INSERT INTO `slog` (`server_id`, `msg`) VALUES(?,?)]: Incorrect string value: '\xF0\x9F\xA5\x9E(-...' for column 'msg' at row 1 QMYSQL3: Unable to execute statement
<W>2018-05-22 18:50:56.833 Initializing settings from /etc/murmur.ini (basepath /etc)

Does it SQL injection attack? :shock:
Morgaul
 
Posts: 1
Joined: Tue May 22, 2018 4:06 pm

Re: Possible SQL Injection attack on Murmur server

Postby kissaki » Wed May 23, 2018 9:34 pm

Well, we can't say for sure from this. I guess someone tried to. That doesn't mean he managed to sql inject though.
But a crash indicates a different issue, at some point of string handling of the message.
I guess you don't know the person that did this and could provide more information?

/e:
Oh, I see you're using MySQL as the server backend database.
Note that while we try to keep it usable, we don't officially support that.

On IRC fwaggle suggested that this may be due to a misconfigured character set in MySQL.
MumPI: Your Mumble Web Interface in PHP
User avatar
kissaki
Team member
Team member
 
Posts: 1294
Joined: Sat Jan 09, 2010 12:15 pm

Re: Possible SQL Injection attack on Murmur server

Postby fwaggle » Fri May 25, 2018 1:00 pm

Yeah, there's no SQLi attack here - MySQL is just failing to marshal the UTF-8 string (in case you're wondering, it's a stack of pancakes) into the table. Murmur 1.2.19 on sqlite handles that username just fine (though for some reason even with a completely permissive channel name, it doesn't like creating a channel out of pancackes - it doesn't crash, it just refuses to create the channel).

Murmur should be using UTF-8 internally, so likely your MySQL tables (at least the log, but presumably the rest also) are set up to something different. Checking the table character set is fairly easy in phpMyAdmin, it's non-trivial via the command line client.

You might be able to fix the tables using something like ALTER TABLE tablename CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; - that might also trash your database, so take backups before you do it and all that.

If Murmur generated those tables for you, it's arguably a bug that it didn't do them with the correct character set, but considering that MySQL support isn't official I'm not sure how quickly it'd get fixed. :(
Full disclosure: I used to run a commercial Mumble host, and my opinions do not reflect the opinions of the Mumble project.
Avatar is stolen from here
User avatar
fwaggle
Team member
Team member
 
Posts: 222
Joined: Tue Oct 06, 2009 10:40 pm
Location: Australia


Return to Technical

Who is online

Users browsing this forum: No registered users and 5 guests

cron