MySQL Security

Sandu Mihai (mike@COM.PCNET.RO)
Sun, 29 Mar 1998 11:16:22 +0300

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Aleph One: "Re: MySQL Security"
Previous message: Aleph One: "Rhino9: WinGate Vulnerability"
Next in thread: Aleph One: "Re: MySQL Security"

When you use a certain mysql configuration it is possible to create
files on the system as root with rw-rw-rw.
Many MySQL users have included user root from localhost without password
in their config.
So. If on such a system you issue :
mysql -u root test
you not only will have access to the database but you'll be able to
create a file on the system with the root
ownership and rw-rw-rw useing the SELECT .. INTO OUTFILE statement.
The file you wish to create must NOT EXIST. Otherwise mysql will give
you a "file already exists" error.
To be more precise. MySQL will create the file specified as OUTFILE
with rw-rw-rw and with the current
user as owner.
The exploit is as follows:
mysql -u root test
CREATE TABLE ll ( a CHAR(10) );
INSERT INTO aa (a) VALUES ("+ +");
SELECT * FROM aa INTO OUTFILE "/root/.rhosts";
The above exploit works for sites with rexec,rsh enabled (ssh is too
smart and won't let you in
if you have .rhosts 666, the same for authorized_keys)
Well . I've tryied to be tricky by setting umask to 077 in the hope
that I can trick MySQL in
makeing the file 600 , childish try, I know but... who knows ?
If someone could fool MySQL into makeing the file 600 then this is
quite a serious threat..

All my best,
Sandu Mihai

p.s. The above works for Mysql Ver 6.5 Distrib 3.20.29 as reported by
mysql -V Have phun.. :)

Next message: Aleph One: "Re: MySQL Security"
Previous message: Aleph One: "Rhino9: WinGate Vulnerability"
Next in thread: Aleph One: "Re: MySQL Security"