Re: System Hacked from MySQL Insecurities

[q q <systemcracker () gmail com>]

even if that had worked, wouldn't it require shell access to the box anyway?

There was a vulnerability in mySQL which allowed users to read any
file that user: mysql had access to, using this, one may be able to go
on to crack passwords.

How did you discover that the actual box was rooted, rather than just mySQL?


On Sat, 8 Jan 2005 20:13:33 +0700 (WIT), Kalpin Erlangga Silaen
<kalpin () solonet co id> wrote:
> Exactly,
>
> actually I have try as you explained. After I read MySQL manual, i try
> those step:
>
> 1. mysq -u root -p (via shell with user level)
> 2. I got mysql prompt, mysql> (and of course using root access to mysql)
> 3. I use test as database
> 4. I created table shell (name of table is shell) contains:
>   #!/bin/sh
>   cp /bin/sh /tmp/.shell.mysql
>   chmod 4755 /tmp/.shell.mysql
>   rm -f /tmp/.shell.sh
> 5. I use : SELECT * FROM shell ... INTO OUTFILE /tmp/.shell.sh
> 6. I am quit from mysql prompt
> 7. While I list that file : ls -las /tmp/.shell.sh
> 8. the permissions is 664 with owner is mysql and group is mysql
>    rw-rw-r       /tmp/.shell.sh
> 9. I tried to execute: sh /tmp/.shell.sh and yes successfull create suid
> file /tmp/.shell.mysql but owned by my userid not mysql nor root :-)
>
> My Questions is how can he r00ted my box ? local exploit in FreeBSD 5.1
> ??? or use vulnerable to mysql ???
>
> This confused me.
>
> > Shawn,
> >
> >     I think the question here is if his machine could get rooted
> > THROUGH hacking MYSQL.  Sure if the machine root and MYSQL root
> > passwords are the same then your machine could be compromised but NOT
> > through MYSQL.  If the hacker has your MYSQL root password then he can
> > mess with MYSQL and only MYSQL.
> >
> > ~ed
> >
> >
> > --------------------------------------------------------
> > Edmund Gorski
> > Application Systems Analyst
> > Strategic Planning & ITS
> > City of Tampa
> > e: Ed.Gorski () tampagov net
> > p: 813-274-8488
> > --------------------------------------------------------
> >
> > > > > Shawn Wall <sjwall () shaw ca> 1/6/2005 1:20:19 PM >>>
> > MySql installs with a default root password or no password. If you did
> > not
> > change it then it would be trivial to 'hack'.
> >
> > shawn
> >
> > -----Original Message-----
> > From: Kalpin Erlangga Silaen [mailto:kalpin () solonet co id]
> > Sent: Wednesday, January 05, 2005 7:03 PM
> > To: security-basics () lists securityfocus com
> > Subject: System Hacked from MySQL Insecurities
> >
> > Dear all,
> >
> > several days ago, someone hacked my test box using the latest FreeBSD.
> >
> > He explained that he rooted my box because he knows my root mysql
> > password.
> > Is it possible to hack system via MySQL ? or he just tricked me and try
> > hide
> > his way ? I am using MySQL 4.0.18 for FreeBSD.
> > My details system:
> >
> > OS: FreeBSD 5.1
> > MySQL version: 4.0.18
> > Port : 3306
> >
> > I opened port 3306 from Internet, so people can use this if they have
> > access/username to MySQL.
> >
> > Thank you.
> >
> > --
> > ---
> > Kalpin Erlangga Silaen
> > mailto: kalpin () solonet co id
> > URL: http://www.warningnews.com
> > YM: kalpinus
> > MSN: kalpinus
> > IRC: mesra.dal.net nick Kalpin


-- 
Computing tools, PHP code, online tools and more at http://www.puremango.co.uk