oss-sec mailing list archives

Re: CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 05 Feb 2020 11:31:55 -0500

Hello Matthias,

That chmod 640 might be interesting if applied to /etc/shadow.  It could allow some users to read the password hashes.

On 2/5/20, 7:46 AM, "Matthias Gerstner" <mgerstner () suse de> wrote:

    Hello list,
    
    in the course of a review of the mariadb packaging in the SUSE Linux
    distribution I discovered that a SUSE specific helper script
    "mysql-systemd-helper" unsafely operates with root privileges in
    the /var/lib/mysql directory [1].
    
    During initial package installation and during upgrade scenarios the
    file /var/lib/mysql/mysql_upgrade_info is created/overwritten and
    modified using the following shell commands:
    
    ```
    echo -n "$MYSQLVER" > "$datadir"/mysql_upgrade_info
    chmod 640 "$datadir/mysql_upgrade_info"
    ```
    
    Since the unprivileged mysql user owns the parent directory, it can
    remove this file and replace it with a symlink to write/overwrite
    privileged file system locations. This could mostly be used for
    denial-of-service purposes; a full privilege escalation should not be
    easily achieved by this vulnerability, since the file content cannot be
    controlled by a potential attacker.
    
    Future SUSE mariadb packages will keep this file in a safe location in
    /var/lib/misc. Older, still supported packages will be fixed soon.
    
    Cheers
    
    Matthias
    
    References
    ----------
    
    [1]: https://bugzilla.suse.com/show_bug.cgi?id=1160895
    
    -- 
    Matthias Gerstner <matthias.gerstner () suse de>
    Dipl.-Wirtsch.-Inf. (FH), Security Engineer
    https://www.suse.com/security
    Phone: +49 911 740 53 290
    GPG Key ID: 0x14C405C971923553
    
    SUSE Software Solutions Germany GmbH
    HRB 36809, AG Nürnberg
    Geschäftsführer: Felix Imendörffer
    
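Added example, not part of either message above and not the SUSE helper script: a sandbox that reproduces the symlink-following write from the advisory as an ordinary user, with a temporary directory standing in for /var/lib/mysql and a constructed 0600 file standing in for /etc/shadow, and contrasts it with a writer that creates the file exclusively (mktemp) and renames it into place, since rename(2) replaces a symlink instead of following it. Function and path names are assumptions for the demonstration; the write and chmod lines in vulnerable_write mirror the advisory's pattern, with echo -n replaced by printf for portability across shells.

```shell
#!/bin/sh
# Constructed sandbox for the symlink-following write pattern from the advisory.
# Added example; not the SUSE mysql-systemd-helper script. Runs as an ordinary
# user; a temp directory stands in for /var/lib/mysql (owned by the mysql user).

# The advisory's pattern: the redirection opens through an existing symlink,
# and chmod(1) follows symlinks as well, so both hit the link target.
vulnerable_write() {
    datadir=$1; ver=$2
    printf '%s' "$ver" > "$datadir"/mysql_upgrade_info
    chmod 640 "$datadir/mysql_upgrade_info"
}

# Hardened variant (assumed name): create a fresh file with O_CREAT|O_EXCL via
# mktemp, set its mode while it is still our own regular file, then rename it
# over the destination. rename(2) replaces a planted symlink rather than
# dereferencing it. This only removes the symlink-following; the directory
# itself must still be one the unprivileged user cannot modify (SUSE's fix
# moved the file to /var/lib/misc for that reason).
hardened_write() {
    datadir=$1; ver=$2
    tmp=$(mktemp "$datadir/.mysql_upgrade_info.XXXXXX") || return 1
    printf '%s' "$ver" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 640 "$tmp"
    mv -f "$tmp" "$datadir/mysql_upgrade_info"
}

# Run one writer against a datadir in which the attacker (owner of the
# directory) has removed mysql_upgrade_info and planted a symlink to a
# sensitive file. Prints "<target content>|<target mode>" afterwards so the
# caller can see whether the target was clobbered and had its mode changed.
simulate() {
    writer=$1
    work=$(mktemp -d) || return 1
    datadir="$work/datadir"; target="$work/shadow"
    mkdir "$datadir"
    # constructed stand-in for a root-owned 0600 file such as /etc/shadow
    printf 'root:!:18000:0:99999:7:::\n' > "$target"
    chmod 600 "$target"
    ln -s "$target" "$datadir/mysql_upgrade_info"
    # outcome is judged by inspecting the target, not by the writer's status
    "$writer" "$datadir" "10.4.11" 2>/dev/null || true
    mode=$(ls -l "$target" | cut -c1-10)
    printf '%s|%s\n' "$(cat "$target")" "$mode"
    rm -rf "$work"
}

printf 'vulnerable: %s\n' "$(simulate vulnerable_write)"
printf 'hardened:   %s\n' "$(simulate hardened_write)"
```

Running it prints the target's content and mode after each writer: the advisory's pattern leaves "10.4.11" in the target with mode 640 (the effect Larry's remark about /etc/shadow refers to), while the rename-based variant leaves the target's content and 0600 mode untouched. Two caveats remain with the rename approach inside an attacker-owned directory: the owner can still delete or replace the result afterwards, and GNU mv onto a symlink that points at a directory moves the file into that directory (mv -T refuses to), which is another reason to keep the file in a root-owned location as the SUSE fix does.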