SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   MySQL Vendors:   MySQL.com
MySQL 'mysql_install_db' Uses Unsafe Temporary Files and May Let Local Users Gain Elevated Privilege
SecurityTracker Alert ID:  1013995
SecurityTracker URL:  http://securitytracker.com/id/1013995
CVE Reference:   CVE-2005-1636   (Links to External Site)
Updated:  Oct 5 2005
Original Entry Date:  May 18 2005
Impact:   User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.1.12; 5.0 - 5.0.4
Description:   Eric Romang (ZATAZ) reported a vulnerability in MySQL. A local user can modify the database during database installation.

The software uses an unsafe temporary file '/tmp/mysql_install_db.$$' during database creation. A local user can inject commands to create database accounts with elevated privileges.

The vendor was notified on May 9, 2005.

The original advisory is available at:

http://www.zataz.net/adviso/mysql-05172005.txt

Impact:   A local user can create database accounts with elevated privileges in certain cases.
Solution:   The vendor has released a fixed version (4.1.12), available at:

http://dev.mysql.com/downloads/

The specific Bitkeeper reference for this bug is available at:

http://mysql.bkbits.net:8080/mysql-4.1/cset@1.2250?nav=index.html|ChangeSet@-1d

Red Hat has issued a fix for Red Hat Enterprise Linux 4:

https://rhn.redhat.com/errata/RHSA-2005-685.html

Vendor URL:  www.mysql.com/products/mysql/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 5 2005 (Red Hat Issues Fix) MySQL 'mysql_install_db' Uses Unsafe Temporary Files and May Let Local Users Gain Elevated Privilege
Red Hat has released a fix for Red Hat Enterprise Linux 4.



 Source Message Contents

Subject:  MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp file handling



--Apple-Mail-1-580636551
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	delsp=yes;
	format=flowed

#########################################################
MySQL mysql_install_db data manipulation
vendor: http://www.mysql.com
advisory: http://www.zataz.net/adviso/mysql-05172005.txt
vendor informed: yes exploit available:no

#########################################################

MySQL contain a security flaw how could
allow a malicious local attacker to inject arbitrary SQL commands
during database creation process.

For exemple : A malicious local attacker could create an mysql account
accessible from local (or everywhere) with ALL privileges on all  
databases;

##########
versions:
##########

MySQL < 4.0.12
MySQL <= 5.0.4

##########
Solution:
##########

For MySQL 4.0.x update to the new version 4.0.12
MySQL 5.0.4 still vulnerable.

#########
timeline:
#########

discovered : 2005-05-07
vendor notified : 2005-05-09
vendor response : 2005-05-09
vendor fix :  2005-05-17
disclosure : 2005-05-17

#####################
Technical details :
#####################

tmp_file=/tmp/mysql_install_db.$$

Then on :

  226     echo "use mysql;" > $tmp_file
  227     cat $tmp_file $fill_help_tables | eval  
"$mysqld_install_cmd_line"
  228     res=$?
  229     rm $tmp_file

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ)
Thxs to Gentoo Security Team. (Taviso, Sune, jaervosz, etc.)
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC