List: full-disclosure
Subject: [Full-disclosure] MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp
From: "ZATAZ.net" <exploits () zataz ! net>
Date: 2005-05-17 10:46:29
Message-ID: 4FCC2740-8677-42A0-9921-E0004B31F261 () zataz ! net
#########################################################
MySQL mysql_install_db data manipulation
vendor: http://www.mysql.com
advisory: http://www.zataz.net/adviso/mysql-05172005.txt
vendor informed: yes
exploit available: no
#########################################################
MySQL contains a security flaw that could
allow a malicious local attacker to inject arbitrary SQL commands
during the database creation process.
For example: a malicious local attacker could create a MySQL account
accessible from local (or everywhere) with ALL privileges on all
databases.
##########
versions:
##########
MySQL < 4.0.12
MySQL <= 5.0.4
##########
Solution:
##########
For MySQL 4.0.x, update to the new version 4.0.12.
MySQL 5.0.4 is still vulnerable.
#########
timeline:
#########
discovered : 2005-05-07
vendor notified : 2005-05-09
vendor response : 2005-05-09
vendor fix : 2005-05-17
disclosure : 2005-05-17
#####################
Technical details :
#####################
tmp_file=/tmp/mysql_install_db.$$

Then, further down the script:

echo "use mysql;" > $tmp_file
cat $tmp_file $fill_help_tables | eval "$mysqld_install_cmd_line"
res=$?
rm $tmp_file
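
A hardened form of the lines quoted above, as an added example that is not part of the advisory or of mysql_install_db. The function names are hypothetical and "$@" stands in for the eval'd "$mysqld_install_cmd_line". The quoted script derives its file name in /tmp from the shell PID ($$); the example uses mktemp instead and also shows the same pipeline with no temporary file at all.

```shell
#!/bin/sh
# Added example, not code from mysql_install_db. Function names are
# hypothetical; "$@" stands in for the eval'd "$mysqld_install_cmd_line".

# mktemp picks an unpredictable name and creates the file exclusively with
# mode 0600, so a file that already exists at a guessable path is never reused.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/mysql_install_db.XXXXXXXXXX"
}

# Hardened form of the quoted lines. The body is a subshell, so the cleanup
# trap stays local to this function and fires even on an early exit.
feed_bootstrap_sql() (
    help_tables=$1; shift
    tmp_file=$(make_private_tmp) || exit 1
    trap 'rm -f "$tmp_file"' EXIT
    echo "use mysql;" > "$tmp_file"
    cat "$tmp_file" "$help_tables" | "$@"
    res=$?                      # status of the consumer, as in the original
    rm -f "$tmp_file"
    exit "$res"
)

# Same stream without any temporary file: nothing is left in /tmp to protect.
feed_bootstrap_sql_nofile() {
    help_tables=$1; shift
    { echo "use mysql;"; cat "$help_tables"; } | "$@"
}

# Constructed demo: a one-line stand-in for the help-table SQL, with cat as
# the consumer in place of the server bootstrap command.
demo_sql=$(make_private_tmp) && echo "SELECT 1;" > "$demo_sql" &&
    feed_bootstrap_sql "$demo_sql" cat
rm -f "$demo_sql"
```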
#####################
Credits :
#####################
Eric Romang (eromang@zataz.net - ZATAZ)
Thanks to Gentoo Security Team. (Taviso, Sune, jaervosz, etc.)