CVE-2009-4484

MySQL 5.0.0-5.0.89 - Remote Code Execution via X.509 Certificate Name Field Overflow

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-4484. PoCs published by Metasploit, jduck, including Metasploit module exploits/linux/mysql/mysql_yassl_getname.

AI-analyzed exploit summary: This exploit targets a stack buffer overflow in yaSSL (1.9.8 and earlier) bundled with MySQL, triggered by a specially crafted client certificate. It achieves remote code execution by overwriting the stack and leveraging a JmpEsp address.

Description

Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/16850

This exploit targets a stack buffer overflow in yaSSL (1.9.8 and earlier) bundled with MySQL, triggered by a specially crafted client certificate. It achieves remote code execution by overwriting the stack and leveraging a JmpEsp address.

Classification
Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MySQL with yaSSL (1.9.8 and earlier)
Auth required
Prerequisites: Network access to MySQL server with SSL enabled · Host-based authentication bypass · Non-default SSL configuration
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by jduck · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/mysql/mysql_yassl_getname.rb

This Metasploit module exploits a stack buffer overflow in yaSSL (1.9.8 and earlier) bundled with MySQL by sending a crafted client certificate to execute arbitrary code. It targets a vulnerability in the CertDecoder::GetName function, requiring specific non-default configurations.

Classification
Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MySQL with yaSSL (1.9.8 and earlier)
Auth required
Prerequisites: Host-based authentication bypass · Server configured to listen on accessible interface · Manual SSL configuration
devstral-2 · analyzed Feb 16, 2026

References (36)

Core References
Broken Link x_refsource_misc
http://intevydis.com/mysql_overflow1.py.txt
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38573
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1397-1
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37493
Broken Link x_refsource_confirm
http://www.yassl.com/release.html
Broken Link x_refsource_confirm
http://www.yassl.com/news.html#yassl199
Broken Link x_refsource_misc
http://www.intevydis.com/blog/?p=106
Broken Link x_refsource_misc
http://intevydis.com/mysql_demo.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38364
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38517
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37974
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1023513
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://ubuntu.com/usn/usn-897-1
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0236
Broken Link mailing-list x_refsource_mlist
http://archives.neohapsis.com/archives/dailydave/2010-q1/0002.html
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=555313
Exploit, Issue Tracking, Vendor Advisory x_refsource_confirm
http://bugs.mysql.com/bug.php?id=50227
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37640
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/55416
Broken Link x_refsource_misc
http://www.intevydis.com/blog/?p=57
Third Party Advisory x_refsource_misc
http://isc.sans.org/diary.html?storyid=7900
Patch, Vendor Advisory mailing-list x_refsource_mlist
http://lists.mysql.com/commits/96697
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1023402
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/61956
Broken Link x_refsource_misc
http://intevydis.com/vd-list.shtml
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38344
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37943
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0233
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2010/dsa-1997

Scores

EPSS 0.6955
EPSS Percentile 99.3%

Details

CWE CWE-787
Status published
Products (16)
canonical/ubuntu_linux 6.06
canonical/ubuntu_linux 8.04
canonical/ubuntu_linux 8.10
canonical/ubuntu_linux 9.04
canonical/ubuntu_linux 9.10
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 10.10
canonical/ubuntu_linux 11.04
canonical/ubuntu_linux 11.10
debian/debian_linux 4.0
... and 6 more
Published Dec 30, 2009
Tracked Since Feb 18, 2026