Security Flaw and Privileges
on 11.03.2005 18:50:49 by Luca Ercoli
Hi,
I've found a security flaw in MySQL server for Windows,
but I'm not sure that exploitation is possible in a
real-life condition. This bug allows an authenticated user
to cause the service to fail.
In order to exploit this vulnerability, a user must own
well-defined privileges on *.*.
My question is this:
"Is it possible that a user owns at least one of those privileges on *.*
(for example "GRANT CREATE TEMPORARY TABLES ON *.* TO 'test'@'%';"):
- REFERENCES
- CREATE TEMPORARY TABLES
- GRANT OPTION
- CREATE
- SELECT
"
Would be grateful to get some help,
Luca Ercoli
--
MySQL Windows Mailing List
For list archives: http://lists.mysql.com/win32
To unsubscribe: http://lists.mysql.com/win32?unsub=gcdmw-win32@m.gmane.org
Re: Security Flaw and Privileges
on 11.03.2005 21:56:51 by Daniel da Veiga
Well, it seems really serious, as my first thought is that when you
well-define privileges, you enhance security, not lower it... I didn't
quite understand what you mean in your question (not perfect English,
and maybe a lack of a "?" :p) but I'll try to answer it.
Any user can have any privilege assigned to it if an authenticated
user with proper privileges grants it (that's obvious). So, it's
possible, yes, to have one of those privileges globally (on *.*). The
user "test" is a default and has, yes, privileges; my first action
when installing MySQL is to restrict the user "root" and eliminate the
user "test", creating another user, with a different name and
password, to serve as administrator. I believe that any server with a
default config or maybe the ones that made no effort at enhancing
security can be exploited in many ways.
Hope that helps,
On Fri, 11 Mar 2005 18:50:49 +0100, Luca Ercoli wrote:
> Hi,
> I've found a security flaw in MySQL server for Windows,
> but I'm not sure that exploitation is possible in a
> real-life condition. This bug allows an authenticated user
> to cause the service to fail.
> In order to exploit this vulnerability, a user must own
> well-defined privileges on *.*.
>
> My question is this:
> "Is it possible that a user owns at least one of those privileges on *.*
> (for example "GRANT CREATE TEMPORARY TABLES ON *.* TO 'test'@'%';"):
> - REFERENCES
> - CREATE TEMPORARY TABLES
> - GRANT OPTION
> - CREATE
> - SELECT
> "
>
> Would be grateful to get some help,
> Luca Ercoli
--
Daniel da Veiga
Computer Operator - RS - Brazil
Re: Re: Security Flaw and Privileges
on 12.03.2005 05:25:38 by Luca Ercoli
Thanks for your support Daniel, but of course you have not understood
the question exactly (maybe because of my *good* English ;p)
Now, I will describe the vulnerability in detail.
A vulnerability exists in the way the application handles requests containing
reserved MS-DOS device names (AUX, CON, COM1, LPT1 and PRN),
allowing an authenticated user to cause the service to fail.
This issue can become serious if, for example, a host provider supplies
MySQL support to its customers, giving them a user with at least one
of those privileges globally (on *.*):
- REFERENCES
- CREATE TEMPORARY TABLES
- GRANT OPTION
- CREATE
- SELECT
I will report below how to reproduce the vulnerability:
- Connect to the server using an account that owns the privileges reported above
and use database LPT1 (use LPT1;)
After a few seconds, the mysql daemon crashes.
----
Luca Ercoli
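
A privilege audit for the exposure described in the message above, added here as an example and not part of the original thread: it reads `SHOW GRANTS`-style statements and reports the accounts that hold, on `*.*`, any of the privileges the post lists. The sample statements and account names are constructed, and the function names are hypothetical.

```python
import re

# Global privileges the post names as sufficient to reach the crash.
RISKY = {"REFERENCES", "CREATE TEMPORARY TABLES", "GRANT OPTION", "CREATE", "SELECT"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<user>'[^']*'@'[^']*')(?P<rest>.*)$",
    re.IGNORECASE,
)

def risky_global_privs(grant_line):
    """Return (account, sorted risky privileges) for a grant on *.*, else None."""
    m = GRANT_RE.match(grant_line.strip().rstrip(";"))
    # Only global scope matters here; `db`.* and `db`.`tbl` grants are skipped.
    if not m or m.group("scope").replace("`", "") != "*.*":
        return None
    privs = {" ".join(p.split()).upper() for p in m.group("privs").split(",")}
    if privs & {"ALL", "ALL PRIVILEGES"}:
        # ALL grants every privilege except GRANT OPTION.
        privs = RISKY - {"GRANT OPTION"}
    if re.search(r"WITH\s+GRANT\s+OPTION", m.group("rest"), re.IGNORECASE):
        privs.add("GRANT OPTION")
    found = sorted(privs & RISKY)
    return (m.group("user"), found) if found else None

def audit(lines):
    """Collect every account with at least one risky global privilege."""
    return [hit for hit in map(risky_global_privs, lines) if hit]

# Constructed sample input, in the shape SHOW GRANTS prints.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'web'@'localhost'",
    "GRANT SELECT, INSERT ON `shop`.* TO 'web'@'localhost'",
    "GRANT CREATE TEMPORARY TABLES ON *.* TO 'test'@'%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT PROCESS, SELECT ON *.* TO 'monitor'@'10.0.0.%'",
]

if __name__ == "__main__":
    for account, privs in audit(SAMPLE_GRANTS):
        print(f"{account}: {', '.join(privs)}")
```
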
Re: Security Flaw and Privileges
on 12.03.2005 18:38:01 by Mike Hillyer
Have you reported this at bugs.mysql.com?
Mike Hillyer
Luca Ercoli wrote:
> Thanks for your support Daniel, but of course you have not understood
> the question exactly (maybe because of my *good* English ;p)
> Now, I will describe the vulnerability in detail.
> A vulnerability exists in the way the application handles requests containing
> reserved MS-DOS device names (AUX, CON, COM1, LPT1 and PRN),
> allowing an authenticated user to cause the service to fail.
> This issue can become serious if, for example, a host provider supplies
> MySQL support to its customers, giving them a user with at least one
> of those privileges globally (on *.*):
>
> - REFERENCES
> - CREATE TEMPORARY TABLES
> - GRANT OPTION
> - CREATE
> - SELECT
>
> I will report below how to reproduce the vulnerability:
>
> - Connect to the server using an account that owns the privileges reported above
> and use database LPT1 (use LPT1;)
> After a few seconds, the mysql daemon crashes.
>
> ----
> Luca Ercoli
--
Mike Hillyer, Technical Writer
MySQL AB, www.mysql.com
Office: +1 403-380-6535
Mobile: +1 403-330-0870