Security Basics mailing list archives

RE: System Hacked from MySQL Insecurities

From: "Kalpin Erlangga Silaen" <kalpin () solonet co id>
Date: Sat, 8 Jan 2005 20:13:33 +0700 (WIT)

Exactly,

actually I have try as you explained. After I read MySQL manual, i try
those step:

1. mysq -u root -p (via shell with user level)
2. I got mysql prompt, mysql> (and of course using root access to mysql)
3. I use test as database
4. I created table shell (name of table is shell) contains:
   #!/bin/sh
   cp /bin/sh /tmp/.shell.mysql
   chmod 4755 /tmp/.shell.mysql
   rm -f /tmp/.shell.sh
5. I use : SELECT * FROM shell ... INTO OUTFILE /tmp/.shell.sh
6. I am quit from mysql prompt
7. While I list that file : ls -las /tmp/.shell.sh
8. the permissions is 664 with owner is mysql and group is mysql
    rw-rw-r       /tmp/.shell.sh
9. I tried to execute: sh /tmp/.shell.sh and yes successfull create suid
file /tmp/.shell.mysql but owned by my userid not mysql nor root :-)

My Questions is how can he r00ted my box ? local exploit in FreeBSD 5.1
??? or use vulnerable to mysql ???

This confused me.

Shawn,

    I think the question here is if his machine could get rooted
THROUGH hacking MYSQL.  Sure if the machine root and MYSQL root
passwords are the same then your machine could be compromised but NOT
through MYSQL.  If the hacker has your MYSQL root password then he can
mess with MYSQL and only MYSQL.

~ed


--------------------------------------------------------
Edmund Gorski
Application Systems Analyst
Strategic Planning & ITS
City of Tampa
e: Ed.Gorski () tampagov net
p: 813-274-8488
--------------------------------------------------------

Shawn Wall <sjwall () shaw ca> 1/6/2005 1:20:19 PM >>>

MySql installs with a default root password or no password. If you did
not
change it then it would be trivial to 'hack'.

shawn

-----Original Message-----
From: Kalpin Erlangga Silaen [mailto:kalpin () solonet co id]
Sent: Wednesday, January 05, 2005 7:03 PM
To: security-basics () lists securityfocus com
Subject: System Hacked from MySQL Insecurities

Dear all,

several days ago, someone hacked my test box using the latest FreeBSD.

He explained that he rooted my box because he knows my root mysql
password.
Is it possible to hack system via MySQL ? or he just tricked me and try
hide
his way ? I am using MySQL 4.0.18 for FreeBSD.
My details system:

OS: FreeBSD 5.1
MySQL version: 4.0.18
Port : 3306

I opened port 3306 from Internet, so people can use this if they have
access/username to MySQL.

Thank you.

--
---
Kalpin Erlangga Silaen
mailto: kalpin () solonet co id
URL: http://www.warningnews.com
YM: kalpinus
MSN: kalpinus
IRC: mesra.dal.net nick Kalpin

Current thread:

System Hacked from MySQL Insecurities Kalpin Erlangga Silaen (Jan 06)
- RE: System Hacked from MySQL Insecurities Shawn Wall (Jan 06)
- Re: System Hacked from MySQL Insecurities bernie (Jan 07)
  - Re: System Hacked from MySQL Insecurities Kalpin Erlangga Silaen (Jan 07)
- Re: System Hacked from MySQL Insecurities Danux (Jan 07)
- <Possible follow-ups>
- RE: System Hacked From MySQL Insecurities Saint Anthony (Jan 07)
- RE: System Hacked from MySQL Insecurities Ed Gorski (Jan 07)
  - RE: System Hacked from MySQL Insecurities Kalpin Erlangga Silaen (Jan 10)
    - Re: System Hacked from MySQL Insecurities q q (Jan 14)