oss-sec mailing list archives
Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
From: king cope <isowarez.isowarez.isowarez () googlemail com>
Date: Sun, 2 Dec 2012 21:17:14 +0100
Hi, My opinion is that the FILE to admin privilege elevation should be patched. What is the reason to have FILE and ADMIN privileges seperated when with this exploit FILE privileges equate to ALL ADMIN privileges. I understand that it's insecure to have FILE privileges attached to a user. But if this a configuration issue and not a vulnerability then as stated above there must be something wrong with the privilege management in this SQL server. With Kind Regards, Kingcope 2012/12/2 Sergei Golubchik <serg () askmonty org>:
Hi, Huzaifa! Here's the vendor's reply: On Dec 02, Huzaifa Sidhpurwala wrote:* CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday http://seclists.org/fulldisclosure/2012/Dec/4 https://bugzilla.redhat.com/show_bug.cgi?id=882599A duplicate of CVE-2012-5579 Already fixed in all stable MariaDB version.* CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday http://seclists.org/fulldisclosure/2012/Dec/5 https://bugzilla.redhat.com/show_bug.cgi?id=882600Acknowledged. https://mariadb.atlassian.net/browse/MDEV-3908* CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday Exploit http://seclists.org/fulldisclosure/2012/Dec/6 https://bugzilla.redhat.com/show_bug.cgi?id=882606Not a bug. MySQL manual specifies many times very explicitly: === * Do not grant the `FILE' privilege to nonadministrative users. Any user that has this privilege can write a file anywhere in the file system with the privileges of the *Note `mysqld': mysqld. daemon. To make this a bit safer, files generated with *Note `SELECT ... INTO OUTFILE': select. do not overwrite existing files and are writable by everyone. The `FILE' privilege may also be used to read any file that is world-readable or accessible to the Unix user that the server runs as. With this privilege, you can read any file into a database table. This could be abused, for example, by using *Note `LOAD DATA': load-data. to load `/etc/passwd' into a table, which then can be displayed with *Note `SELECT': select. === You should exercise particular caution in granting the `FILE' and administrative privileges: * The `FILE' privilege can be abused to read into a database table any files that the MySQL server can read on the server host. This includes all world-readable files and files in the server's data directory. The table can then be accessed using *Note `SELECT': select. to transfer its contents to the client host. === Additionally, MySQL (and MariaDB) provides a --secure-file-priv option that allows to restrict all FILE operations to a specific directory. Thus, CVE-2012-5613 is not a bug, but a result of a misconfiguration, much like an anonymous ftp upload access to the $HOME of the ftp user.* CVE-2012-5614 MySQL Denial of Service Zeroday PoC http://seclists.org/fulldisclosure/2012/Dec/7 https://bugzilla.redhat.com/show_bug.cgi?id=882607Acknowledged. https://mariadb.atlassian.net/browse/MDEV-3910* CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday http://seclists.org/fulldisclosure/2012/Dec/9 https://bugzilla.redhat.com/show_bug.cgi?id=882608This is hardly a "zeroday" issue, it was known for, like, ten years. But I'll see what we can do here. https://mariadb.atlassian.net/browse/MDEV-3909 Regards, Sergei MariaDB Security Coordinator
Current thread:
- Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday Kurt Seifried (Dec 01)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday Sergei Golubchik (Dec 02)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday Huzaifa Sidhpurwala (Dec 02)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday Sergei Golubchik (Dec 02)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday king cope (Dec 02)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday Yves-Alexis Perez (Dec 02)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday king cope (Dec 02)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday Sergei Golubchik (Dec 02)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday king cope (Dec 03)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday Sergei Golubchik (Dec 02)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday Steven M. Christey (Dec 02)
- Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday Kurt Seifried (Dec 02)