Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
From: king cope <isowarez.isowarez.isowarez () googlemail com>
Date: Sun, 2 Dec 2012 21:17:14 +0100

Hi,
My opinion is that the FILE to admin privilege elevation should be patched.
What is the reason to have FILE and ADMIN privileges seperated when
with this exploit
FILE privileges equate to ALL ADMIN privileges.
I understand that it's insecure to have FILE privileges attached to a user.
But if this a configuration issue and not a vulnerability then as
stated above there must be something wrong with the privilege
management in this SQL server.

With Kind Regards,

Kingcope


2012/12/2 Sergei Golubchik <serg () askmonty org>:
Hi, Huzaifa!

Here's the vendor's reply:

On Dec 02, Huzaifa Sidhpurwala wrote:

* CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
http://seclists.org/fulldisclosure/2012/Dec/4
https://bugzilla.redhat.com/show_bug.cgi?id=882599

A duplicate of CVE-2012-5579
Already fixed in all stable MariaDB version.

* CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
http://seclists.org/fulldisclosure/2012/Dec/5
https://bugzilla.redhat.com/show_bug.cgi?id=882600

Acknowledged.
https://mariadb.atlassian.net/browse/MDEV-3908

* CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday
Exploit
http://seclists.org/fulldisclosure/2012/Dec/6
https://bugzilla.redhat.com/show_bug.cgi?id=882606

Not a bug. MySQL manual specifies many times very explicitly:

===
   * Do not grant the `FILE' privilege to nonadministrative users. Any
     user that has this privilege can write a file anywhere in the file
     system with the privileges of the *Note `mysqld': mysqld. daemon.
     To make this a bit safer, files generated with *Note `SELECT ...
     INTO OUTFILE': select. do not overwrite existing files and are
     writable by everyone.

     The `FILE' privilege may also be used to read any file that is
     world-readable or accessible to the Unix user that the server runs
     as. With this privilege, you can read any file into a database
     table. This could be abused, for example, by using *Note `LOAD
     DATA': load-data. to load `/etc/passwd' into a table, which then
     can be displayed with *Note `SELECT': select.
===
You should exercise particular caution in granting the `FILE'
and administrative privileges:

   * The `FILE' privilege can be abused to read into a database table
     any files that the MySQL server can read on the server host. This
     includes all world-readable files and files in the server's data
     directory.  The table can then be accessed using *Note `SELECT':
     select. to transfer its contents to the client host.
===

Additionally, MySQL (and MariaDB) provides a --secure-file-priv
option that allows to restrict all FILE operations to a specific
directory.

Thus, CVE-2012-5613 is not a bug, but a result of a misconfiguration,
much like an anonymous ftp upload access to the $HOME of the ftp user.

* CVE-2012-5614 MySQL Denial of Service Zeroday PoC
http://seclists.org/fulldisclosure/2012/Dec/7
https://bugzilla.redhat.com/show_bug.cgi?id=882607

Acknowledged.
https://mariadb.atlassian.net/browse/MDEV-3910

* CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
http://seclists.org/fulldisclosure/2012/Dec/9
https://bugzilla.redhat.com/show_bug.cgi?id=882608

This is hardly a "zeroday" issue, it was known for, like, ten years.
But I'll see what we can do here.
https://mariadb.atlassian.net/browse/MDEV-3909

Regards,
Sergei
MariaDB Security Coordinator



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault