Bugtraq mailing list archives
mysql: MySQL Security
From: monty () ANALYTIK ANALYTIKERNA SE (Michael Widenius)
Date: Sun, 29 Mar 1998 15:52:41 +0200
"Sandu" == Sandu Mihai <mike () com pcnet ro> writes:
Sandu> When you use a certain mysql configuration it is possible to create
Sandu> files on the system as root with rw-rw-rw.
Sandu> Many MySQL users have included user root from localhost without password
Sandu> in their config.
Sandu> So, if on such a system you issue:
Sandu> mysql -u root test
Sandu> you not only will have access to the database but you'll be able to
Sandu> create a file on the system with the root
Sandu> ownership and rw-rw-rw using the SELECT .. INTO OUTFILE statement.
Sandu> The file you wish to create must NOT EXIST. Otherwise mysql will give
Sandu> you a "file already exists" error.
Sandu> To be more precise: MySQL will create the file specified as OUTFILE
Sandu> with rw-rw-rw and with the current
Sandu> user as owner.
Sandu> The exploit is as follows:
Sandu> mysql -u root test
Sandu> CREATE TABLE aa ( a CHAR(10) );
Sandu> INSERT INTO aa (a) VALUES ("+ +");
Sandu> SELECT * FROM aa INTO OUTFILE "/root/.rhosts";
Sandu> The above exploit works for sites with rexec, rsh enabled (ssh is too
Sandu> smart and won't let you in
Sandu> if you have .rhosts 666, the same for authorized_keys).
Sandu> Well. I've tried to be tricky by setting umask to 077 in the hope
Sandu> that I can trick MySQL into
Sandu> making the file 600, childish try, I know but... who knows?
Sandu> If someone could fool MySQL into making the file 600 then this is
Sandu> quite a serious threat..

The file is always created with 0666, by the following code:

sql_class.cc:167:    if ((file=my_create(path, 0666, O_WRONLY, MYF(MY_WME))) < 0)

Normally one should never run mysqld as root and one should always set a
password for the MySQL root user.

We shall add a security section to the manual!

Yours,
Monty
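Why the reporter's `umask 077` could not change anything, as an added example that is not code from this thread or from MySQL: the permission bits a file ends up with are the mode passed to the creating call (0666 in the quoted sql_class.cc line) masked by the umask of the process that makes that call. The mysql client and mysqld are separate processes, so a umask set in the client's shell never reaches the server's open(). The code below emulates my_create(path, 0666, O_WRONLY, ...) with plain open(2); it assumes a POSIX system with a writable /tmp, and the path and umask values are the example's own.

```c
/* Added example, not code from the thread or from MySQL. Emulates the quoted
 * server-side call my_create(path, 0666, O_WRONLY, ...) with open(2) and shows
 * that the resulting permission bits are 0666 & ~umask of the *creating*
 * process. Assumes a POSIX system with a writable /tmp. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create `path` the way the quoted sql_class.cc line does (mode 0666), under
 * the given umask in *this* process. Returns 0, or -1 on error. O_EXCL makes
 * the emulation refuse an existing file, matching the "file already exists"
 * error the reporter describes (how mysqld itself checks is not shown here). */
static int create_like_mysqld(const char *path, mode_t process_umask)
{
    mode_t saved = umask(process_umask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(saved);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Permission bits (ugo rwx) of an existing file, or -1. */
static int perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Single process: create the file under the given umask and report its mode.
 * umask 0 gives 0666 (a daemon started with umask 0); umask 077 gives 0600
 * (what the reporter hoped for). The file is removed afterwards. */
int mode_same_process(const char *path, mode_t process_umask)
{
    unlink(path);
    if (create_like_mysqld(path, process_umask) < 0)
        return -1;
    int mode = perm_bits(path);
    unlink(path);
    return mode;
}

/* Client/server split: this process plays the mysql client and sets umask 077
 * (the reporter's trick); a forked child plays mysqld, sets its own umask and
 * creates the file. Returns the mode the child produced, or -1 on error.
 * The caller's umask is restored before returning. */
int mode_separate_process(const char *path, mode_t server_umask)
{
    unlink(path);
    mode_t client_saved = umask(077);        /* "umask 077" in the client shell */
    pid_t pid = fork();
    if (pid < 0) {
        umask(client_saved);
        return -1;
    }
    if (pid == 0)                            /* child: the daemon, with its own umask */
        _exit(create_like_mysqld(path, server_umask) < 0 ? 1 : 0);
    int status = 0;
    int ok = waitpid(pid, &status, 0) == pid && WIFEXITED(status)
             && WEXITSTATUS(status) == 0;
    umask(client_saved);
    if (!ok)
        return -1;
    int mode = perm_bits(path);
    unlink(path);
    return mode;
}

int main(void)
{
    const char *path = "/tmp/outfile_umask_demo";
    printf("same process, umask 0:        %04o\n", mode_same_process(path, 0));
    printf("same process, umask 077:      %04o\n", mode_same_process(path, 077));
    printf("client umask 077, server 0:   %04o\n", mode_separate_process(path, 0));
    printf("client umask 077, server 022: %04o\n", mode_separate_process(path, 022));
    return 0;
}
```

The second pair of runs is the one that matters: whatever the client sets, the file's mode is decided by the daemon's umask and by the mode argument the daemon passes. The example passes 0666 to mirror the quoted line; the server-side fix is to pass a restrictive mode (0600) in that call, which holds regardless of umask, alongside Monty's advice not to run mysqld as root and to give the MySQL root user a password.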