CVE-2005-0709

CVE-2005-0709

on 29.04.2006 14:18:18 by datameme

Hi,
Does anybody know of any resources better explaining CVE-2005-0709 than
that found at:
http://marc.theaimsgroup.com/?l=bugtraq&m=111066115808506&w=2
If not can anybody explain how it works?
Cheers

Re: CVE-2005-0709

on 29.04.2006 21:04:51 by comphelp

"datameme" writes:
> Hi,
> Does anybody know of any resources better explaining CVE-2005-0709 than
> that found at:
> http://marc.theaimsgroup.com/?l=bugtraq&m=111066115808506&w=2
> If not can anybody explain how it works?

The canonical location of CVE's is at cve.mitre.org

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0709

You'll find many links to many different explanations there.

Basically, what it appears to be is a privilege escalation
vulnerability. If a given mysql user has the ability to insert or
delete records on an administrative database, they can cleverly, by
leveraging the create function command, escalate their privileges to
run any function that's in libc.

This reference shows how that vulnerability is used to pop a shell
back to an attacker with privs of the mysql user:

http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0084.html


This vulnerability has been patched. If you're coming at this from a
mysql administrator standpoint, apply the patch and go about your
day.

Best Regards,
--
Todd H.
http://www.toddh.net/
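An added example, written from the administrator's side of what Todd describes; it is not code from this thread or from MySQL. It audits the rows that CREATE FUNCTION leaves in mysql.func and the grants on the mysql schema that let a non-admin account add such rows. The sample rows, the udf_dir path and the function names other than strcat, on_exit and exit are constructed assumptions.

```python
# Constructed sample of `SELECT name, dl FROM mysql.func` (the table that
# CREATE FUNCTION writes to). These rows are made up for the example.
FUNC_ROWS = [
    {"name": "metaphon", "dl": "/usr/lib/mysql/plugin/udf_example.so"},
    {"name": "strcat",   "dl": "/lib/libc.so.6"},   # libc symbol, not a real UDF
    {"name": "on_exit",  "dl": "/lib/libc.so.6"},
    {"name": "exit",     "dl": "/lib/libc.so.6"},
    {"name": "do_stuff", "dl": "/tmp/evil.so"},     # library outside the UDF directory
]

# Constructed sample of `SELECT user, host, db, Insert_priv, Delete_priv FROM mysql.db`.
DB_GRANT_ROWS = [
    {"user": "root",   "host": "localhost", "db": "mysql", "Insert_priv": "Y", "Delete_priv": "Y"},
    {"user": "webapp", "host": "%",         "db": "mysql", "Insert_priv": "Y", "Delete_priv": "N"},
    {"user": "webapp", "host": "%",         "db": "shop",  "Insert_priv": "Y", "Delete_priv": "Y"},
]

# The libc symbols the advisory discussed in this thread registers as "functions".
LIBC_SYMBOLS = frozenset({"strcat", "on_exit", "exit"})


def audit_udfs(rows, udf_dir="/usr/lib/mysql/plugin", libc_symbols=LIBC_SYMBOLS):
    """Return (name, finding) for each registered function that should not exist.
    udf_dir is an assumed directory where the DBA keeps legitimate UDF libraries."""
    findings = []
    prefix = udf_dir.rstrip("/") + "/"
    for row in rows:
        name, dl = row["name"], row["dl"]
        if name in libc_symbols:
            findings.append((name, "libc-symbol"))
        elif not dl.startswith(prefix):
            findings.append((name, "outside-udf-dir"))
    return findings


def audit_mysql_db_grants(rows, admins=frozenset({"root"})):
    """Accounts other than the admins that can INSERT or DELETE in the mysql
    schema: the precondition Todd describes, since such an account can put rows
    into mysql.func that CREATE FUNCTION then loads."""
    return [(r["user"], r["host"]) for r in rows
            if r["db"] == "mysql" and r["user"] not in admins
            and "Y" in (r["Insert_priv"], r["Delete_priv"])]


if __name__ == "__main__":
    for name, why in audit_udfs(FUNC_ROWS):
        print(f"mysql.func: {name}: {why}")
    for user, host in audit_mysql_db_grants(DB_GRANT_ROWS):
        print(f"mysql.db: '{user}'@'{host}' can modify the mysql schema")
```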

Re: CVE-2005-0709

on 30.04.2006 14:31:18 by datameme

Hi,
Cheers for that, in the explanation given at neohapsis, it all makes
sense until the SELECT 'function name' bits at the end where each is
provided with 49ish parameters (all zeros). Aren't they expecting just a
couple of arguments to satisfy the pointers strcat, on_exit are
expecting and just an int for exit:

if:
char *strcat(char *dest, const char *src);
int on_exit(void (*function)(int , void *), void *arg);
void exit(int status);

why?
Supposing we have created strcat, on_exit and exit into MySql DBMS,
mysql> select on_exit(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
->,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)\G
....
mysql> select strcat(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
->,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)\G
*************************** 1. row ***************************
strcat(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,\
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0): 1
1 row in set (0.00 sec)
mysql> select exit();

Re: CVE-2005-0709

on 30.04.2006 19:49:35 by comphelp

"datameme" writes:

> Hi,
> Cheers for that, in the explanation given at neohapsis, it all makes
> sense until the SELECT 'function name' bits at the end where each is
> provided with 49ish parameters (all zeros). Arent they expecting just a
> couple of arguments to satify the pointers strcat, on_exit are
> expecting and just an int for exit:

I haven't looked at the exploit code in depth, but it's not uncommon
for a vulnerability to be one of a buffer overflow variety where data
unlike anything the developers would ever expect overflows an input
buffer and then allows an attacker to write to memory, redirect the
processor's instruction pointer into that memory, and voila, the
attacker can execute commands beyond the process's intended privilege
level.

--
Todd H.
http://www.toddh.net/