mysqld Privilege Escalation

From: Jonny Stone (sunxrayat_private)
Date: Thu Apr 03 2003 - 03:47:16 PST

Next message: Renaud Deraison: "Re: mysqld Privilege Escalation"

Next in thread: Renaud Deraison: "Re: mysqld Privilege Escalation"
Reply: Renaud Deraison: "Re: mysqld Privilege Escalation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

preliminary remark i haven't read all old thread in the mailing list 
archive.
Now i found some problem when i try to use nessus for assessment mysql.

Infact i try to detect my MySQL verision but it say to me that  unknow 
server
in running on that port (3306) this is standard port.
I have installed mysql with a simple rpm and i have a semi standard 
configuration,
semi because i have added a root password.

Am i only that i have receive this error ???

Then i have write a script to find mysqld Privilege Escalation 
Vulnerability, blindlfold
i think is corrent and it don't run because i have receive then previos 
message.


#
# See the Nessus Scripts License for details
#
# Ref:
# http://securityfocus.com/bid/7052
#
#


if(description)
{

script_id(20002);
script_version ("$Revision: 1.0 $");

name["english"] = "MySQL mysqld Privilege Escalation Vulnerability";
script_name(english:name["english"]);

desc["english"] = "

MySQL 3.23.55 and earlier creates creates
world-writeable files
and allows mysql users to gain root privileges
Risk factor : High
Solution : Upgrade to the latest version of MySQL ";




script_description(english:desc["english"]);

summary["english"] = "Checks for the remote MySQL version";
script_summary(english:summary["english"]);

script_category(ACT_SETTINGS);


script_copyright(english:"This script is Copyright (C) 2003 Jonny");
family["english"] = "Misc.";

script_family(english:family["english"]);
script_dependencie("find_service.nes");
script_require_ports("Services/mysql", 3306);
exit(0);
}

#
# The script code starts here
#


port = get_kb_item("Services/mysql");
if(!port)port = 3306;



if(get_port_state(port))
{
soc = open_sock_tcp(port);
if(soc)
{
#r = recv(socket:soc, length:5);
r = recv(socket:soc, length:10);
close(soc);
if(!r)exit(0);
if(ereg(pattern:"3\.(([0-9]\..*|(1[0-9]\..*)|(2[0-2]\..*))|23\.([0-5][0-9]|5[0-5])[^0-9])",
  string:r))security_hole(port);

}
}

If i'm in wrong tell me please
by
-- Jonny

Ps: Sorry for my bad english



_________________________________________________________________
MSN 8 with e-mail virus protection service: 2 months FREE* 
http://join.msn.com/?page=features/virus

Next message: Renaud Deraison: "Re: mysqld Privilege Escalation"
Next in thread: Renaud Deraison: "Re: mysqld Privilege Escalation"
Reply: Renaud Deraison: "Re: mysqld Privilege Escalation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 03:47:37 PST