SecurityTracker.com
Category:  Application (Database)  >  MySQL
Vendors:  MySQL.com
MySQL 'mysqlbug' Temporary File Flaw Lets Local Users Overwrite Files
SecurityTracker Alert ID:  1009554
SecurityTracker URL:  http://securitytracker.com/id?1009554
CVE Reference:  CAN-2004-0381   (Links to External Site)
Updated:  Apr 7 2004
Original Entry Date:  Mar 25 2004
Impact:  Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 4.0.18 and prior versions
Description:  A vulnerability was reported in MySQL in the 'mysqlbug' component. A local user can overwrite files on the target system.

Shaun Colley reported that when a user runs 'mysqlbug' and then exits the text editor without modifying the bug report, a temporary file ('/tmp/failed-mysql-bugreport') is created in an unsafe manner. A local user can create a symbolic link (symlink) at this temporary file path that points to a critical file on the system. Then, when the error condition is triggered by a target user, the file the symlink points to will be overwritten with the privileges of the target user.

A local user may be able to gain elevated privileges on the target system.

Impact:  A local user can cause files to be overwritten with the privileges of the target user. A local user may be able to gain elevated privileges on the target system.
Solution:  The vendor has issued a fixed version, which has been committed to the MySQL source repository, available at:

http://www.mysql.com/doc/en/Installing_source_tree.html


The fixed version will reportedly be included in the next full release of MySQL.

Vendor URL:  www.mysql.com/ (Links to External Site)
Cause:  Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Shaun Colley <shaunige@yahoo.co.uk>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 15 2004 (Debian Issues Fix) MySQL 'mysqlbug' Temporary File Flaw Lets Local Users Overwrite Files   (joey@infodrom.org (Martin Schulze))
Debian has released a fix.
Apr 20 2004 (Mandrake Issues Fix) MySQL 'mysqlbug' Temporary File Flaw Lets Local Users Overwrite Files   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
May 25 2004 (Gentoo Issues Fix) MySQL 'mysqlbug' Temporary File Flaw Lets Local Users Overwrite Files   (Thierry Carrez <koon@gentoo.org>)
Gentoo has released a fix.
Oct 20 2004 (Red Hat Issues Fix) MySQL 'mysqlbug' Temporary File Flaw Lets Local Users Overwrite Files   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Oct 21 2004 (Red Hat Issues Fix) MySQL 'mysqlbug' Temporary File Flaw Lets Local Users Overwrite Files   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 3.



 Source Message Contents

Date:  Wed, 24 Mar 2004 22:16:18 +0000 (GMT)
From:  Shaun Colley <shaunige@yahoo.co.uk>
Subject:  mysqlbug tmpfile/symlink vulnerability.

 

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Product:      mysqlbug packaged with MySQL.
Versions:     All
Bug:          Symlink bug / tmpfile bug.
Impact:       Attackers can overwrite arbitrary files.
Risk:         Low/Medium
Date:         March 24, 2004
Author:       Shaun Colley
              Email: shaunige yahoo co uk
              WWW: http://www.nettwerked.co.uk

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*



Introduction
#############

MySQL is an open-source, fast and popular SQL
database, in widespread use across the Internet.  As
with many other popular products, a bug report script
is packaged with MySQL, named mysqlbug.  This script
is vulnerable to a tmpfile/symlink bug.



Details
########

When mysqlbug is run, a text editor is launched, and
the user is prompted to write their bug report using a
template to guide them.  

The issue presents itself in how the script handles a
user simply exiting the text editor without changing
the bug report.  When this happens, the mysqlbug
script does the following:

--
if cmp -s $TEMP $TEMP.x
then
  echo "File not changed, no bug report submitted."
  cp $TEMP /tmp/failed-mysql-bugreport
  echo "The raw bug report exists in /tmp/failed-mysql-bugreport"
  echo "If you use this remember that the first lines of the report now is a lie .."
  exit 1
fi
--

As can be seen, a tmpfile isn't attempted to be
created securely, just a quick 'cp' to an unchecked
file (/tmp/failed-mysql-bugreport), potentially
allowing an attacker to overwrite arbitrary files if a
symlink already exists with this name
(/tmp/failed-mysql-bugreport).

This could be bad if a root user had invoked mysqlbug,
and then decided that they wanted to gather more info
on their potential bug, so exited the text editor (and
meanwhile the attacker had symlinked
/tmp/failed-mysql-bugreport to /etc/nologin or
otherwise).

Successful exploitation of the symlink bug would allow
an attacker to overwrite arbitrary files with the
privileges of the user invoking 'mysqlbug'.

It should be noted that this vulnerability can ONLY be
exploited if the user exits the text editor invoked by
mysqlbug before editing the content.



Exploitation
#############

All that is required to exploit the issue is to create
a symlink from /tmp/failed-mysql-bugreport to an
arbitrary file.  An example attack is presented below:

--
attacker$ ls -al /etc/nologin
ls: /etc/nologin: No such file or directory
attacker$ ln -s /etc/nologin /tmp/failed-mysql-bugreport

[...]

root# mysqlbug

[root decides to exit the text editor that mysqlbug
started, because he wants to get more info on his
discovered bug]

attacker$ ls -al /etc/nologin
-rw-r--r--    1 root     root            0 Mar 24 16:50 /etc/nologin
--



Solution
#########

The bug has been fixed, and the patched mysqlbug
script has been committed into the MySQL source
repository.  The latest available version, including
the bugfix can be built -
<http://www.mysql.com/doc/en/Installing_source_tree.html>

The fixed script will also be incorporated into the
next full release of MySQL, if you do not wish to
access the source repository immediately for a
less-critical security issue.



Credit
#######

Issue discovered by Shaun Colley / shaun2k2 -
<shaunige yahoo co uk>.

Thanks to the MySQL team for responding and fixing the
bug within 2 hours, despite the bug being a
non-critical issue and other things taking priority.




Thank you for your time.
Shaun.
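
The fixed-name 'cp' from the mysqlbug snippet quoted in the message above, shown beside a hardened replacement and a pre-flight check. This is an added example written for this page, not code from mysqlbug or the advisory; it assumes a POSIX sh with mktemp and uses a scratch directory in place of /tmp and /etc.

```shell
#!/bin/sh
# Added example, not code from mysqlbug or the advisory: the quoted
# "cp to a fixed name in /tmp" pattern beside a hardened replacement.
# Assumes a POSIX sh with mktemp; all paths are built in a scratch
# directory that stands in for /tmp and /etc.

# Vulnerable pattern (same shape as the quoted mysqlbug lines): a fixed,
# predictable destination. cp opens it for writing without O_NOFOLLOW,
# so a symlink planted there by another local user is written through.
unsafe_save() {          # $1 = report file, $2 = fixed destination path
    cp "$1" "$2"
}

# Hardened pattern: never write to a predictable name. mktemp creates a
# fresh file (O_EXCL, mode 0600) so a pre-planted symlink cannot be
# followed; the real name is reported to the caller.
safe_save() {            # $1 = report file, $2 = directory to save into
    dest=$(mktemp "$2/failed-mysql-bugreport.XXXXXX") || return 1
    cp "$1" "$dest" && printf '%s\n' "$dest"
}

# Pre-flight check for scripts that must keep a fixed path: refuse if
# anything is already there. -L is tested separately because -e is
# false for a dangling symlink, which is exactly the planted case.
target_is_safe() {       # $1 = intended destination path
    [ ! -L "$1" ] && [ ! -e "$1" ]
}

# Demonstration: plant a link, run both savers, report what happened.
demo() {
    work=$(mktemp -d) || return 1
    printf 'root-only content\n' > "$work/nologin"   # the "victim" file
    printf 'bug report\n' > "$work/report"
    ln -s "$work/nologin" "$work/failed-mysql-bugreport"  # planted link

    unsafe_save "$work/report" "$work/failed-mysql-bugreport"
    unsafe_result=$(cat "$work/nologin")     # victim now holds the report

    printf 'root-only content\n' > "$work/nologin"   # reset the victim
    safe_save "$work/report" "$work" >/dev/null
    safe_result=$(cat "$work/nologin")       # victim untouched

    if target_is_safe "$work/failed-mysql-bugreport"; then check=safe
    else check=unsafe; fi
    rm -rf "$work"
    printf '%s|%s|%s\n' "$unsafe_result" "$safe_result" "$check"
}

demo   # prints: bug report|root-only content|unsafe
```
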
Copyright 2004, SecurityGlobal.net LLC