oss-sec mailing list archives
Re: CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 05 Feb 2020 11:31:55 -0500
Hello Matthias,
That chmod 640 might be interesting if applied to /etc/shadow. It could allow some users to read the password hashes.
On 2/5/20, 7:46 AM, "Matthias Gerstner" <mgerstner () suse de> wrote:
Hello list,
in the course of a review of the mariadb packaging in the SUSE Linux
distribution I discovered that a SUSE specific helper script
"mysql-systemd-helper" unsafely operates with root privileges in
the /var/lib/mysql directory [1].
During initial package installation and during upgrade scenarios the
file /var/lib/mysql/mysql_upgrade_info is created/overwritten and
modified using the following shell commands:
```
echo -n "$MYSQLVER" > "$datadir"/mysql_upgrade_info
chmod 640 "$datadir/mysql_upgrade_info"
```
Since the unprivileged mysql user owns the parent directory it can
remove this file and replace it with a symlink to write/overwrite in
privileged file systems locations. This could mostly be used for
denial-of-service purposes, a full privilege escalation should not be
easily achieved by this vulnerability, since the file content cannot be
controlled by a potential attacker.
Future SUSE mariadb packages will keep this file in a safe location in
/var/lib/misc. Older, still supported packages will be fixed soon.
Cheers
Matthias
References
----------
[1]: https://bugzilla.suse.com/show_bug.cgi?id=1160895
--
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer
Current thread:
- CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script Matthias Gerstner (Feb 05)
- Re: CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script Larry W. Cashdollar (Feb 05)
