List:Packagers« Previous MessageNext Message »
From:Lenz Grimmer Date:September 11 2003 10:25am
Subject:Re: MySQL 4.0.15 has been released
View as plain text  
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Christian,

On Thu, 11 Sep 2003, Christian Hammers wrote:

> > Why do you think it's a root exploit? You need to already have root
> > privileges on the database to be able to trigger this crash.
>
> Some scenarious I thought of:
> - I think it's possible to give users the rights to modify just their
>   password but not to create new databases or modify someone elses
>   databases. With this exploit it could be made possible. Or?

For being able to exploit this bug, you need to have write permissions on
the mysql.user table. Normal users can only change their own password, but
you first need to be able to ALTER the mysql.user table (to change the
column type of the "Password" column to LONGTEXT) to be able to actually
insert such a long string. And if you have write permissions on the
mysql.user table, you can already give yourself all the required
privileges to be able to create new or modify existing databases.

But I don't want to completely rule out the possibility, that you could
create a user account with a certain combination of limited privileges and
then use this exploit to elevate the privileges of this user. But after
some discussion we concluded that this a pathological case.

Serg, do you have any additional comments on that?

> - People who have mysql admin rights but no shell login could gain this
>   when this exploit.

Yes, that's a possible scenario, agreed. You could gain the ability to
execute code under the UID mysqld is running under.

But these admin users already have extended privileges to be able to write
to the mysql.user database, which can also be used to cause certain harm
to files that belong to the mysql user (e.g. other databases or single
tables).

> - legacy web servers where mysql still runs as root have "customers"
>   which may only admin their mysql database as mysql-user root but have
>   no shell login. Here one could exploit a web page like e.g. phpmyadmin
>   to gain access mysql

True, this can be a problem.

> A constructive proposal is that next time someone screams "security bug"
> on bugtraq you make a big changelog entry and explain what exaclty can
> be done with it in which situation.

Yes, we need to be more verbose with our changelog entries for these
cases. Good point.

> Admins are notoriously paranoid as they often cannot image what could in
> the worst case eventually be possible and which rights can be gained...
> One better patches than hopes that no hacker is more creative than one
> self :) Some decision-making advice would be great.

Thanks for the advice. I will torture the developers to give me better
input for such cases in the future. It took me a while until I fully
understood the implications of this specific one...

Bye,
	LenZ
- -- 
 Lenz Grimmer <lenz@stripped>
 Senior Production Engineer
 MySQL GmbH, http://www.mysql.de/
 Hamburg, Germany

 For technical support contracts, visit https://order.mysql.com/?ref=mlgr
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE/YE2DSVDhKrJykfIRAmZdAJ4ym8hYRG1VXnbTdU5IoDTIUl+oDACff0R3
TfL3vve1EAJLsTCyrArgA9c=
=XRDD
-----END PGP SIGNATURE-----
Thread