mysqld Privilege Escalation

From: Jonny Stone (sunxrayat_private)
Date: Thu Apr 03 2003 - 03:47:16 PST


    Hello,
    
    Preliminary remark: I haven't read all the old threads in the mailing list 
    archive.
    Now I found some problem when I try to use Nessus for assessing MySQL.
    
    In fact I try to detect my MySQL version but it says to me that an unknown 
    server
    is running on that port (3306); this is the standard port.
    I have installed MySQL with a simple RPM and I have a semi-standard 
    configuration,
    semi because I have added a root password.
    
    Am I the only one that has received this error???
    
    Then I have written a script to find the mysqld Privilege Escalation 
    Vulnerability, blindfold;
    I think it is correct and it doesn't run because I have received the previous 
    message.
    
    
    #
    # See the Nessus Scripts License for details
    #
    # Ref:
    # http://securityfocus.com/bid/7052
    #
    #
    
    
    if(description)
    {
    
    script_id(20002);
    script_version ("$Revision: 1.0 $");
    
    name["english"] = "MySQL mysqld Privilege Escalation Vulnerability";
    script_name(english:name["english"]);
    
    desc["english"] = "
    
    MySQL 3.23.55 and earlier creates
    world-writeable files
    and allows mysql users to gain root privileges.
    Risk factor : High
    Solution : Upgrade to the latest version of MySQL ";
    
    
    
    
    script_description(english:desc["english"]);
    
    summary["english"] = "Checks for the remote MySQL version";
    script_summary(english:summary["english"]);
    
    # A remote version check gathers information; ACT_SETTINGS is meant for
    # settings plugins and would run this check at the wrong stage of the scan.
    script_category(ACT_GATHER_INFO);
    
    
    script_copyright(english:"This script is Copyright (C) 2003 Jonny");
    family["english"] = "Misc.";
    
    script_family(english:family["english"]);
    script_dependencie("find_service.nes");
    script_require_ports("Services/mysql", 3306);
    exit(0);
    }
    
    #
    # The script code starts here
    #
    
    
    port = get_kb_item("Services/mysql");
    if(!port)port = 3306;
    
    
    
    if(get_port_state(port))
    {
    soc = open_sock_tcp(port);
    if(soc)
    {
    # The MySQL greeting is: 3-byte packet length, 1-byte sequence number,
    # 1-byte protocol version, then the NUL-terminated server version string.
    # Reading only 10 bytes cuts "3.23.55" off after "3.23.5", so the pattern
    # below could never match; read the whole greeting instead.
    r = recv(socket:soc, length:1024);
    close(soc);
    if(!r)exit(0);
    # Vulnerable range: 3.0.x through 3.22.x, and 3.23.0 through 3.23.55.
    # The 3.23 alternative used to be [0-5][0-9], which also matched 3.23.56-59.
    if(ereg(pattern:"3\.(([0-9]\..*|(1[0-9]\..*)|(2[0-2]\..*))|23\.([0-4][0-9]|5[0-5]|[0-9])[^0-9])",
      string:r))security_hole(port);
    
    }
    }
    
    If I'm wrong, tell me please.
    Bye
    -- Jonny
    
    PS: Sorry for my bad English
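The same version check done in Python, as an added example that is not part of the original post or of Nessus: it builds a constructed MySQL greeting packet (not captured from a real server), parses the header and the NUL-terminated server version, and compares the version numerically against the "3.23.55 and earlier" range the script above targets instead of using a regular expression. The `build_greeting`, `parse_greeting`, `is_vulnerable` and `assess` names are assumptions for this example. It also shows why a short socket read loses the version string, which is the reason a 10-byte `recv` can never match.

```python
import re
import struct

VULNERABLE_UPTO = (3, 23, 55)  # range stated in the plugin description above
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def build_greeting(version: str) -> bytes:
    """Constructed sample of a MySQL protocol-10 greeting (not a real capture).

    Layout: 3-byte little-endian payload length, 1-byte sequence id, then the
    payload: protocol version byte 10, NUL-terminated server version, thread id,
    8-byte scramble + filler, capability flags, charset, status, 13 reserved bytes.
    """
    payload = b"\x0a" + version.encode("ascii") + b"\x00"
    payload += struct.pack("<I", 1234)        # thread id (constructed)
    payload += b"ABCDEFGH" + b"\x00"         # scramble + filler (constructed)
    payload += b"\x2c\xa2"                   # capability flags (constructed)
    payload += b"\x08" + b"\x02\x00"         # charset, status (constructed)
    payload += b"\x00" * 13                  # reserved
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload


def parse_greeting(data: bytes):
    """Return the server version string, or None if the bytes are not a
    complete protocol-10 greeting (too short, wrong protocol byte, or the
    version string was cut off before its NUL terminator)."""
    if len(data) < 5 or data[4] != 10:
        return None
    end = data.find(b"\x00", 5)
    if end == -1:
        return None  # version not NUL-terminated in what was read
    return data[5:end].decode("ascii", "replace")


def version_tuple(version: str):
    """'3.23.55-log' -> (3, 23, 55); suffixes such as -log are ignored."""
    m = VERSION_RE.match(version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the numeric version is 3.23.55 or earlier, matching the
    range the NASL plugin above describes; 4.x is deliberately not covered."""
    vt = version_tuple(version)
    return vt is not None and vt <= VULNERABLE_UPTO


def assess(greeting: bytes):
    """Combine parsing and the range check: (version, vulnerable) or None."""
    version = parse_greeting(greeting)
    if version is None:
        return None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    full = build_greeting("3.23.55-log")
    print("full read  :", assess(full))          # ('3.23.55-log', True)
    print("10-byte read:", assess(full[:10]))    # None: version was cut off
    print("3.23.56    :", assess(build_greeting("3.23.56")))
```

Reading only the first 10 bytes yields the header, the protocol byte and `3.23.` plus one digit, so the parser reports the greeting as incomplete rather than guessing; a real check should keep reading until the NUL terminator arrives, and should also handle a greeting that begins with an error packet (first payload byte 0xff) when the server refuses the connecting host.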
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 03:47:37 PST