MySQL Security
Sandu Mihai (mike@COM.PCNET.RO)
Sun, 29 Mar 1998 11:16:22 +0300
When you use a certain mysql configuration it is possible to create
files on the system as root with rw-rw-rw.
Many MySQL users have included user root from localhost without password
in their config.
So. If on such a system you issue :
mysql -u root test
you not only will have access to the database but you'll be able to
create a file on the system with the root
ownership and rw-rw-rw useing the SELECT .. INTO OUTFILE statement.
The file you wish to create must NOT EXIST. Otherwise mysql will give
you a "file already exists" error.
To be more precise. MySQL will create the file specified as OUTFILE
with rw-rw-rw and with the current
user as owner.
The exploit is as follows:
mysql -u root test
CREATE TABLE ll ( a CHAR(10) );
INSERT INTO aa (a) VALUES ("+ +");
SELECT * FROM aa INTO OUTFILE "/root/.rhosts";
The above exploit works for sites with rexec,rsh enabled (ssh is too
smart and won't let you in
if you have .rhosts 666, the same for authorized_keys)
Well . I've tryied to be tricky by setting umask to 077 in the hope
that I can trick MySQL in
makeing the file 600 , childish try, I know but... who knows ?
If someone could fool MySQL into makeing the file 600 then this is
quite a serious threat..
All my best,
Sandu Mihai
p.s. The above works for Mysql Ver 6.5 Distrib 3.20.29 as reported by
mysql -V Have phun.. :)