Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday

[king cope <isowarez.isowarez.isowarez () googlemail com>]

Hi,
My opinion is that the FILE to admin privilege elevation should be patched.
What is the reason to have FILE and ADMIN privileges seperated when
with this exploit
FILE privileges equate to ALL ADMIN privileges.
I understand that it's insecure to have FILE privileges attached to a user.
But if this a configuration issue and not a vulnerability then as
stated above there must be something wrong with the privilege
management in this SQL server.

With Kind Regards,

Kingcope


2012/12/2 Sergei Golubchik <serg () askmonty org>:
> Hi, Huzaifa!
>
> Here's the vendor's reply:
>
> On Dec 02, Huzaifa Sidhpurwala wrote:
> > * CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
> > http://seclists.org/fulldisclosure/2012/Dec/4
> > https://bugzilla.redhat.com/show_bug.cgi?id=882599
>
> A duplicate of CVE-2012-5579
> Already fixed in all stable MariaDB version.
>
> > * CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
> > http://seclists.org/fulldisclosure/2012/Dec/5
> > https://bugzilla.redhat.com/show_bug.cgi?id=882600
>
> Acknowledged.
> https://mariadb.atlassian.net/browse/MDEV-3908
>
> > * CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday
> > Exploit
> > http://seclists.org/fulldisclosure/2012/Dec/6
> > https://bugzilla.redhat.com/show_bug.cgi?id=882606
>
> Not a bug. MySQL manual specifies many times very explicitly:
>
> ===
>    * Do not grant the `FILE' privilege to nonadministrative users. Any
>      user that has this privilege can write a file anywhere in the file
>      system with the privileges of the *Note `mysqld': mysqld. daemon.
>      To make this a bit safer, files generated with *Note `SELECT ...
>      INTO OUTFILE': select. do not overwrite existing files and are
>      writable by everyone.
>
>      The `FILE' privilege may also be used to read any file that is
>      world-readable or accessible to the Unix user that the server runs
>      as. With this privilege, you can read any file into a database
>      table. This could be abused, for example, by using *Note `LOAD
>      DATA': load-data. to load `/etc/passwd' into a table, which then
>      can be displayed with *Note `SELECT': select.
> ===
> You should exercise particular caution in granting the `FILE'
> and administrative privileges:
>
>    * The `FILE' privilege can be abused to read into a database table
>      any files that the MySQL server can read on the server host. This
>      includes all world-readable files and files in the server's data
>      directory.  The table can then be accessed using *Note `SELECT':
>      select. to transfer its contents to the client host.
> ===
>
> Additionally, MySQL (and MariaDB) provides a --secure-file-priv
> option that allows to restrict all FILE operations to a specific
> directory.
>
> Thus, CVE-2012-5613 is not a bug, but a result of a misconfiguration,
> much like an anonymous ftp upload access to the $HOME of the ftp user.
>
> > * CVE-2012-5614 MySQL Denial of Service Zeroday PoC
> > http://seclists.org/fulldisclosure/2012/Dec/7
> > https://bugzilla.redhat.com/show_bug.cgi?id=882607
>
> Acknowledged.
> https://mariadb.atlassian.net/browse/MDEV-3910
>
> > * CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
> > http://seclists.org/fulldisclosure/2012/Dec/9
> > https://bugzilla.redhat.com/show_bug.cgi?id=882608
>
> This is hardly a "zeroday" issue, it was known for, like, ten years.
> But I'll see what we can do here.
> https://mariadb.atlassian.net/browse/MDEV-3909
>
> Regards,
> Sergei
> MariaDB Security Coordinator