Bugtraq mailing list archives

Re: Some more MySql security issues


From: Tim Yardley <yardley () UIUC EDU>
Date: Mon, 12 Feb 2001 14:34:43 -0600

At 05:40 PM 2/10/2001, Konrad Rieck wrote:
> I am a little bit confused about this mail. Maybe the author
> can explain some issues to me...
>
> On Sat, Feb 10, 2001 at 12:54:33AM -0000, Joao Gouveia wrote:
> > roberto@spike:~ > mysql -ublaah (Note: 'blaah' obviously isn't a valid
> > username)
>
> You seem to have a strange configuration of mysql. By default only valid
> users are allowed to connect to the database. So the overflow in
> "drop database" can only be used by users of mysql. Well anyway, a security
> problem that can lead to the privileges the mysqld is running under, but
> not as simple as you show above.

He misspoke. The username had to be valid for him to log into mysql. He
was stating that it was not a valid username so that people didn't try
logging into his mysql server with that username (via brute force, I assume).

> > /home/jroberto/httpd/mysql/bin/mysql -h`perl -e'printf("A"x200)'`
>
> This is a nice example of bad code, but not a security issue. I could
> show you 100 programs that simply don't care about *argv parameters.
> You don't gain anything by exploiting such overflows in non-suid programs.

Watch what you say there. There have been hundreds of programs that have
been exploited via argv params. A bof is a bof, regardless of where it
is. Also, just because you don't gain anything doesn't mean that the
problem shouldn't be documented and fixed. Lastly, you stated that nothing
is gained by overflowing non-suid programs. That statement is obviously
inaccurate. If you gain ANY uid/gid (etc., etc.) that is not in your
current list, you are changing your privileges on the system. Whether or
not it is a ROOT compromise is a whole different matter.

Also, keep in mind that most daemons do not always run under the same
uid/gid pair on all systems. mysql may run as user mysql on your system,
however what if some lame admin decided he wanted it to run as
root? Oops. Or perhaps I should bring up things like man? Anyway, the
point of this was to simply say: don't assume that you gain nothing just
because things are not run as root and/or setuid.

/tmy

-- Diving into infinity my consciousness expands in inverse
   proportion to my distance from singularity

+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
| Tim Yardley (yardley () uiuc edu)
| http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
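The argv-overflow point argued in this message, as an added illustration that is not part of the thread and is not MySQL's code: a hypothetical `-h<host>` option parser in C, showing the unchecked strcpy pattern beside a length-checked version, plus a probe that feeds it the 200-byte host from the perl one-liner above. `HOST_MAX` and all function names are made up for the example.

```c
/* Added illustration, not MySQL code: copying a "-h<host>" argument into
 * a fixed buffer, first without a bound (the defect), then with the
 * length check that refuses an oversized host instead of overflowing. */
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 64  /* hypothetical fixed host buffer size */

/* The defective pattern: argv copied with no length check, so a 200-byte
 * host overruns the 64-byte buffer. Shown for contrast only; nothing
 * below calls it. */
void copy_host_unchecked(const char *arg, char *host)
{
    strcpy(host, arg);            /* source length never bounded */
}

/* Hardened: measure first, refuse what does not fit with its NUL. */
int copy_host_checked(const char *arg, char *host, size_t host_sz)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= host_sz)   /* empty, or no room for the NUL */
        return -1;
    memcpy(host, arg, n + 1);     /* n < host_sz, so NUL fits too */
    return 0;
}

/* Parses one "-h<host>" option; 0 and host filled on success, else -1. */
int parse_host_option(const char *opt, char *host, size_t host_sz)
{
    if (opt == NULL || strncmp(opt, "-h", 2) != 0)
        return -1;
    return copy_host_checked(opt + 2, host, host_sz);
}

/* Builds "-h" followed by len 'A's (what the perl one-liner produces)
 * and reports whether the checked parser accepts it. */
int probe_host_length(size_t len)
{
    char host[HOST_MAX], *opt = malloc(len + 3);
    int rc;
    if (opt == NULL) return -1;
    memcpy(opt, "-h", 2);
    memset(opt + 2, 'A', len);
    opt[len + 2] = '\0';
    rc = parse_host_option(opt, host, sizeof host);
    free(opt);
    return rc;
}
```

A host of up to 63 characters is accepted; the 200-character one is rejected before any copy happens, which is the whole difference between the two copy routines.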

