SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Join our Affiliate Program
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Database)  >  MySQL Vendors:  MySQL.com
MySQL World-Writable Configuration File May Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1007312
CVE Reference:  CAN-2003-0150   (Links to External Site)
Date:  Jul 28 2003
Impact:  Root access via local system, User access via local system
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 3.23.55 and prior versions
Description:  An access control vulnerability was reported in MySQL. A local user may be able to gain root privileges on the system.

It is reported that a local user can use a "SELECT * INTO OUTFILE" statement to overwrite a world-writable 'datadir/my.cnf' file with the following contents:

[mysqld]
user=root

The report indicats that the MySQL server will invoke the 'my.cnf' file in the data directory, if it exists, rather than the '/etc/my.cnf' file. So, when the mysqld daemon is subsequently started, it will be started with root privileges instead of the privileges of the default mysql user. The local user may be able to invoke MySQL to gain root privileges.
Impact:  A local user can cause the MySQL daemon to start with root privileges instead of the normal MySQL user privileges. This may allow the local user to gain root privileges or mysql user privileges on the system.
Solution:  The vendor has released a fixed version (3.23.56), available at:

http://www.mysql.com/downloads/index.html
Vendor URL:  www.mysql.com/ (Links to External Site)
Cause:  Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "bugsman@libero.it" <bugsman@libero.it>
Message History:   None.

 Source Message Contents
Date:  Sat, 8 Mar 2003 12:58:37 +0100
From:  "bugsman@libero.it" <bugsman@libero.it>
Subject:  =?iso-8859-1?Q?MySQL_user_can_be_changed_to_root?=

 

Hi. I tried this on my own MySQL 3.23.55 !!!
I found out that logging as the root user, we can change mysqld to run as root instead that i.e. mysq
l but this works only if there's
 just one my.cnf file and it is locate in /etc...
Here's how I did it...

I logged in as root and than I did this:

mysql>CREATE DATABASE roottext;
mysql>USE roottext;
mysql>CREATE TABLE hack (conf VARCHAR(80));
mysql>INSERT IN hack VALUES ('[mysqld]');
mysql>INSERT IN hack VALUES ('user=root');
mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack
mysql>QUIT

Doing so we have create a my.cnf in mysql datadir containing:

[mysqld]
user=root

Now, when the mysql server will be restarted, the user option in our datadit my.cnf will override the
 one in /etc/my.cnf and mysql
 server will run as root, with all the security flwas that it takes...
This is very dangerous if we think that in mysql <= 3.23.53 it is really easy to get root access d
ue to a bug (an exploit has been
 released publicly)...
I dunno how this problem can be solved, I'd like to hear from you something...
Thanks.... :)
by
Gufino


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC