See attached script. # # This script was written by Vincent Renardias <vincentat_private> # # See the Nessus Scripts License for details # if(description) { script_id(FIXME); script_bugtraq_id(7052); script_version ("$Revision$"); name["english"] = "MySQL mysqld Privilege Escalation Vulnerability"; script_name(english:name["english"]); desc["english"] = " You are running a version of MySQL which is older than version 3.23.55. It is vulnerable to a vulnerability that may allow the mysqld service to start with elevated privileges. An attacker can exploit this vulnerability by creating a DATADIR/my.cnf that includes the line 'user=root' under the '[mysqld]' option section. When the mysqld service is executed, it will run as the root user instead of the default user. Risk factor : High Solution : Upgrade to at least version 3.23.56"; script_description(english:desc["english"]); summary["english"] = "Checks for the remote MySQL version"; summary["francais"] = "Vérifie la version de MySQL"; script_summary(english:summary["english"], francais:summary["francais"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2003 StrongHoldNet", francais:"Ce script est Copyright (C) 2001 StrongHoldNet"); family["english"] = "Remote file access"; family["francais"] = "Accès aux fichiers distants"; script_family(english:family["english"], francais:family["francais"]); script_dependencie("find_service.nes"); script_require_ports("Services/mysql", 3306); exit(0); } # # The script code starts here # port = get_kb_item("Services/mysql"); if(!port)port = 3306; if(get_port_state(port)) { soc = open_sock_tcp(port); if(soc) { r = recv(socket:soc, length:5); r = recv(socket:soc, length:10); if(ereg(pattern:"3\.(([0-9]\..*)|(1[0-9]\..*)|(2(([0-2]\..*)|3\.(([0-9]$)|([0-4][0-9])|(5[0-5])))))", string:r))security_hole(port); close(soc); } }
This archive was generated by hypermail 2b30 : Fri Mar 14 2003 - 03:54:52 PST