New plugin for BID: 7052 (mysql)

From: Vincent Renardias (vincentat_private)
Date: Fri Mar 14 2003 - 03:53:55 PST


    See attached script.
    
    
    #
    # This script was written by Vincent Renardias <vincentat_private>
    #
    # See the Nessus Scripts License for details
    #
    
    
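    if(description)
    {
     # Registration branch: Nessus runs the script with 'description' set
     # to collect plugin metadata only; exit(0) below keeps the network
     # code from running in that mode.
     script_id(FIXME);   # FIXME: assign a real plugin id before release
     script_bugtraq_id(7052);
     script_version ("$Revision$");
     name["english"] = "MySQL mysqld Privilege Escalation Vulnerability";
     script_name(english:name["english"]);
     
     # The affected range is everything before 3.23.56, which is what the
     # banner check in the main code flags and what the Solution line says.
     desc["english"] = "
    You are running a version of MySQL which is older than version 3.23.56.
    It is vulnerable to a vulnerability that may allow the mysqld service
    to start with elevated privileges.
    
    An attacker can exploit this vulnerability by creating a DATADIR/my.cnf
    that includes the line 'user=root' under the '[mysqld]' option section.
    
    When the mysqld service is executed, it will run as the root
    user instead of the default user. 
     
    Risk factor : High
    Solution : Upgrade to at least version 3.23.56";
    
     script_description(english:desc["english"]);
     
     summary["english"] = "Checks for the remote MySQL version";
     summary["francais"] = "Vérifie la version de MySQL";
     script_summary(english:summary["english"], francais:summary["francais"]);
     
     # Banner grab only; no state is changed on the target.
     script_category(ACT_GATHER_INFO);
     
     # NOTE(review): the French copyright string says 2001 while the English
     # one says 2003 -- confirm which year is intended.
     script_copyright(english:"This script is Copyright (C) 2003 StrongHoldNet",
    		francais:"Ce script est Copyright (C) 2001 StrongHoldNet");
     family["english"] = "Remote file access";
     family["francais"] = "Accès aux fichiers distants";
     script_family(english:family["english"], francais:family["francais"]);
     # find_service.nes populates Services/mysql in the knowledge base.
     script_dependencie("find_service.nes");
     script_require_ports("Services/mysql", 3306);
     exit(0);
    }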
    
    #
    # The script code starts here
    #
    
    
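    port = get_kb_item("Services/mysql");
    if(!port)port = 3306;
    
    if(get_port_state(port))
    {
     soc = open_sock_tcp(port);
     if(soc)
     {
      # The MySQL greeting starts with a 4-byte packet header and a 1-byte
      # protocol version, followed by the server version string.  The first
      # recv() skips those five bytes; the second keeps the start of the
      # version string.
      r = recv(socket:soc, length:5);
      r = recv(socket:soc, length:10);
      close(soc);
    
      # Both patterns are anchored with '^' so that only the version number
      # at the start of the buffer is examined, never digits further into
      # the greeting.  Vulnerable: 3.0.x through 3.22.x, and 3.23.0 through
      # 3.23.55 (the patch number must end at a non-digit or at the end of
      # the buffer so that e.g. 3.23.5 is matched but 3.23.56 is not).
      if(r)
      {
       if(ereg(pattern:"^3\.([0-9]|1[0-9]|2[0-2])\.", string:r) ||
          ereg(pattern:"^3\.23\.([0-9]|[0-4][0-9]|5[0-5])([^0-9]|$)", string:r))
       {
        security_hole(port);
       }
      }
     }
    }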
    


