
List:       full-disclosure
Subject:    [Full-disclosure] MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp
From:       "ZATAZ.net" <exploits () zataz ! net>
Date:       2005-05-17 10:46:29
Message-ID: 4FCC2740-8677-42A0-9921-E0004B31F261 () zataz ! net


#########################################################
MySQL mysql_install_db data manipulation
vendor: http://www.mysql.com
advisory: http://www.zataz.net/adviso/mysql-05172005.txt
vendor informed: yes
exploit available: no

#########################################################

MySQL contains a security flaw that could
allow a malicious local attacker to inject arbitrary SQL commands
during the database creation process.

For example: a malicious local attacker could create a MySQL account
accessible from local (or everywhere) with ALL privileges on all
databases.

##########
versions:
##########

MySQL < 4.0.12
MySQL <= 5.0.4

##########
Solution:
##########

For MySQL 4.0.x, update to the new version 4.0.12.
MySQL 5.0.4 is still vulnerable.

#########
timeline:
#########

discovered : 2005-05-07
vendor notified : 2005-05-09
vendor response : 2005-05-09
vendor fix :  2005-05-17
disclosure : 2005-05-17

#####################
Technical details :
#####################

tmp_file=/tmp/mysql_install_db.$$

Then, at lines 226-229:

  226     echo "use mysql;" > $tmp_file
  227     cat $tmp_file $fill_help_tables | eval "$mysqld_install_cmd_line"
  228     res=$?
  229     rm $tmp_file
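
Added example, not part of the original advisory or of MySQL's own script: one way to replace the predictable /tmp/mysql_install_db.$$ name with a file created privately by mktemp. The function names are hypothetical, and the bootstrap command is passed as arguments instead of going through eval.

```sh
#!/bin/sh
# Added example: hardened form of the temp-file handling at lines 226-229.
# feed_bootstrap_sql is a hypothetical name; $1 stands in for
# $fill_help_tables and the remaining arguments for the bootstrap command.

# mktemp picks an unpredictable name and creates the file itself with
# O_EXCL and mode 0600, so an existing file or symlink is never reused.
make_private_tmp() {
    ( umask 077; mktemp "${TMPDIR:-/tmp}/mysql_install_db.XXXXXXXXXX" )
}

# Accept only a regular file (not a symlink) that we own and that is
# closed to group and other.
tmp_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

feed_bootstrap_sql() {
    help_tables=$1; shift
    tmp_file=$(make_private_tmp) || return 1
    tmp_is_private "$tmp_file" || { rm -f "$tmp_file"; return 1; }
    echo "use mysql;" > "$tmp_file"
    cat "$tmp_file" "$help_tables" | "$@"
    res=$?
    rm -f "$tmp_file"
    return "$res"
}

# Constructed demo: `cat` stands in for the mysqld bootstrap command and
# /dev/null for the help tables; prints the single line "use mysql;".
feed_bootstrap_sql /dev/null cat
```

Because the file only ever holds one fixed line, grouping the echo and the cat in braces and piping the group to the command removes the temporary file altogether.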

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ)
Thxs to Gentoo Security Team. (Taviso, Sune, jaervosz, etc.)






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
