SecurityTracker: MySQL World-Writable Configuration File May Let Local Users Gain Root Privileges

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Database) > MySQL

Vendors: MySQL.com

MySQL World-Writable Configuration File May Let Local Users Gain Root Privileges

SecurityTracker Alert ID: 1007312

SecurityTracker URL: http://securitytracker.com/id/1007312

CVE Reference: CAN-2003-0150 (Links to External Site)

Date: Jul 28 2003

Impact: Root access via local system, User access via local system

Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes

Version(s): 3.23.55 and prior versions

Description: An access control vulnerability was reported in MySQL. A local user may be able to gain root privileges on the system.

It is reported that a local user can use a "SELECT * INTO OUTFILE" statement to overwrite a world-writable 'datadir/my.cnf' file with the following contents:

[mysqld]
user=root

The report indicats that the MySQL server will invoke the 'my.cnf' file in the data directory, if it exists, rather than the '/etc/my.cnf' file. So, when the mysqld daemon is subsequently started, it will be started with root privileges instead of the privileges of the default mysql user. The local user may be able to invoke MySQL to gain root privileges.

Impact: A local user can cause the MySQL daemon to start with root privileges instead of the normal MySQL user privileges. This may allow the local user to gain root privileges or mysql user privileges on the system.

Solution: The vendor has released a fixed version (3.23.56), available at:

http://www.mysql.com/downloads/index.html

Vendor URL: www.mysql.com/ (Links to External Site)

Cause: Access control error, State error

Underlying OS: Linux (Any), UNIX (Any)

Message History: None.

Source Message Contents

Date: Sat, 8 Mar 2003 12:58:37 +0100
Subject: =?iso-8859-1?Q?MySQL_user_can_be_changed_to_root?=


Hi. I tried this on my own MySQL 3.23.55 !!!
I found out that logging as the root user, we can change mysqld to run as root instead that i.e. mysql but this works only if there's
 just one my.cnf file and it is locate in /etc...
Here's how I did it...

I logged in as root and than I did this:

mysql>CREATE DATABASE roottext;
mysql>USE roottext;
mysql>CREATE TABLE hack (conf VARCHAR(80));
mysql>INSERT IN hack VALUES ('[mysqld]');
mysql>INSERT IN hack VALUES ('user=root');
mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack
mysql>QUIT

Doing so we have create a my.cnf in mysql datadir containing:

[mysqld]
user=root

Now, when the mysql server will be restarted, the user option in our datadit my.cnf will override the one in /etc/my.cnf and mysql
 server will run as root, with all the security flwas that it takes...
This is very dangerous if we think that in mysql <= 3.23.53 it is really easy to get root access due to a bug (an exploit has been
 released publicly)...
I dunno how this problem can be solved, I'd like to hear from you something...
Thanks.... :)
by
Gufino

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC