[6414] in bugtraq
mysql: MySQL Security
daemon@ATHENA.MIT.EDU (Michael Widenius)
Sun Mar 29 12:47:11 1998
Date: Sun, 29 Mar 1998 15:52:41 +0200
Reply-To: monty@analytikerna.se
From: Michael Widenius <monty@ANALYTIK.ANALYTIKERNA.SE>
X-To: Sandu Mihai <mike@com.pcnet.ro>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <351E0356.CDEFC80C@com.pcnet.ro>
>>>>> "Sandu" == Sandu Mihai <mike@com.pcnet.ro> writes:
Sandu> When you use a certain mysql configuration it is possible to create
Sandu> files on the system as root with rw-rw-rw.
Sandu> Many MySQL users have included user root from localhost without password
Sandu> in their config.
Sandu> So. If on such a system you issue :
Sandu> mysql -u root test
Sandu> you not only will have access to the database but you'll be able to
Sandu> create a file on the system with the root
Sandu> ownership and rw-rw-rw using the SELECT .. INTO OUTFILE statement.
Sandu> The file you wish to create must NOT EXIST. Otherwise mysql will give
Sandu> you a "file already exists" error.
Sandu> To be more precise. MySQL will create the file specified as OUTFILE
Sandu> with rw-rw-rw and with the current
Sandu> user as owner.
Sandu> The exploit is as follows:
Sandu> mysql -u root test
Sandu> CREATE TABLE ll ( a CHAR(10) );
Sandu> INSERT INTO aa (a) VALUES ("+ +");
Sandu> SELECT * FROM aa INTO OUTFILE "/root/.rhosts";
Sandu> The above exploit works for sites with rexec,rsh enabled (ssh is too
Sandu> smart and won't let you in
Sandu> if you have .rhosts 666, the same for authorized_keys)
Sandu> Well. I've tried to be tricky by setting umask to 077 in the hope
Sandu> that I can trick MySQL into
Sandu> making the file 600, childish try, I know but... who knows?
Sandu> If someone could fool MySQL into making the file 600 then this is
Sandu> quite a serious threat..

The file is always created with 0666, by the following code:

sql_class.cc:167: if ((file=my_create(path, 0666, O_WRONLY, MYF(MY_WME))) < 0)

Normally one should never run mysqld as root and one should always
set a password for the MySQL root user.

We shall add a security section to the manual!

Yours,
Monty
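
Added example, not part of the original thread and not MySQL source code: a small C program showing how the mode passed at file creation combines with the umask of the creating process (the daemon, not the client), which is why a 0666 request yields rw-rw-rw under a zero umask and 0600 under umask 077. The helper names and scratch path are hypothetical, and the use of plain open(2) with O_EXCL to model the "file already exists" error is an assumption about behaviour, not a copy of my_create().

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not MySQL code): create `path` as a process whose
 * umask is `mask` and which asks open(2) for permission bits `mode`.
 * Returns the permission bits the new file actually gets, or -1 with errno
 * set (EEXIST when the file is already present, because of O_EXCL). */
int created_mode(const char *path, mode_t mask, mode_t mode)
{
    struct stat st;
    mode_t old = umask(mask);             /* umask of the creating process */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    int saved = errno;
    umask(old);                           /* restore the caller's umask */
    if (fd < 0) { errno = saved; return -1; }
    if (fstat(fd, &st) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 0777);      /* effective bits: mode & ~mask */
}

/* Create, measure and remove one constructed scratch file. */
int probe(const char *path, mode_t mask, mode_t mode)
{
    int got;
    unlink(path);                         /* start from "does not exist" */
    got = created_mode(path, mask, mode);
    unlink(path);
    return got;
}

int main(void)
{
    const char *p = "outfile_demo.tmp";   /* constructed scratch path */
    printf("mode 0666, umask 000 -> %04o\n", (unsigned)probe(p, 0, 0666));
    printf("mode 0666, umask 077 -> %04o\n", (unsigned)probe(p, 077, 0666));
    printf("mode 0600, umask 000 -> %04o\n", (unsigned)probe(p, 0, 0600));
    return 0;
}
```

The third case is the code-level fix (request 0600 at creation), while the second is the deployment-level one (start the daemon with a restrictive umask); both matter only alongside the advice in the reply about not running mysqld as root and setting a root password.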