Re: MySQL Database Allows Authorized Users to Modify Server Files to Deny Service or Obtain Additional Access
SecurityTracker Alert ID: 1001132|
SecurityTracker URL: http://securitytracker.com/id/1001132
(Links to External Site)
Date: Mar 21 2001
Denial of service via local system, Modification of user information, User access via local system|
It is reported that any local MySQL user can exploit MySQL to write files on the server with the privileges assigned to the MySQL server (which may be root-level privileges in some cases). This can be used to gain additional access on the server.|
One of the vendors writes to explain that the vulnerable version (3.20) is a very old version of MySQL and that the supported version is 3.23.x. The vendor also notes that 3.23.1 (which was released more than a year ago) and the rest of the 3.23 branch does not contain this vulnerability.
An authorized local user can use MySQL to write files to the server in a denial of service attempt or in an attempt to obtain additional privileges. If the MySQL daemon is run as root, then the user can obtain root-level privileges.|
The vendor notes that this vulnerability was corrected over a year ago. Version 3.23.x does not contain this bug.|
Vendor URL: mysql.com (Links to External Site)
Input validation error, State error|
Linux (Any), UNIX (FreeBSD), UNIX (Solaris - SunOS), Windows (NT), Windows (95), Windows (98), Windows (2000)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: Tue, 20 Mar 2001 11:18:26 +0100|
Subject: Re: potential vulnerability of mysqld running with root privileges
On Mar 18, Pavlov, Lesha wrote:
> Anybody, who get login and password to mysql can use it as DoS or r00t
> exploit because mysql accepts '../blah-blah' as valid database name and
> each table represented by 3 files tablename.ISD, tablename.ISM and
> tablename.frm, But, when mysqld checks table already exists or not
> exists, it checks _only_ tablename.frm :
> Vulnerable versions:
> This DoS/exploit tested on mysql-3.20.32a but i see another versions of
> mysql also vulnerabile.
3.20 is not simply outdated - it's VERY old.
Official supported is 3.23 branch now.
3.23.1 was releases more than a year ago.
And 3.23 doesn't has that bug.
> * Patch mysql to treat database names, started by '..' as incorrect
> database names.
3.23 does it.
> not yet
Why, there are for several years !
MySQL Development Team
__ ___ ___ ____ __
/ |/ /_ __/ __/ __ \/ / Sergei Golubchik <firstname.lastname@example.org>
/ /|_/ / // /\ \/ /_/ / /__ MySQL AB, http://www.mysql.com/
/_/ /_/\_, /___/\___\_\___/ Osnabrueck, Germany