List:Packagers« Previous MessageNext Message »
From:Sergei Golubchik Date:September 11 2003 5:54pm
Subject:Re: MySQL 4.0.15 has been released
View as plain text  

On Sep 11, Lenz Grimmer wrote:
> Hash: SHA1
> Hi Christian,
> On Thu, 11 Sep 2003, Christian Hammers wrote:
> > > Why do you think it's a root exploit? You need to already have root
> > > privileges on the database to be able to trigger this crash.
> >
> > Some scenarious I thought of:
> > - I think it's possible to give users the rights to modify just their
> >   password but not to create new databases or modify someone elses
> >   databases. With this exploit it could be made possible. Or?

Users already have rights to modify their passwords. They don't need any
special privileges for this. Write access to mysql db is required only
to change other users' passwords.

> For being able to exploit this bug, you need to have write permissions on
> the mysql.user table. Normal users can only change their own password, but
> you first need to be able to ALTER the mysql.user table (to change the
> column type of the "Password" column to LONGTEXT) to be able to actually
> insert such a long string. And if you have write permissions on the
> mysql.user table, you can already give yourself all the required
> privileges to be able to create new or modify existing databases.
> But I don't want to completely rule out the possibility, that you could
> create a user account with a certain combination of limited privileges and
> then use this exploit to elevate the privileges of this user. But after
> some discussion we concluded that this a pathological case.

Just to elaborate a little:

Lenz means an account with ALTER privilege on mysql.table, but no UPDATE
privilege on it. I seriously doubt it ever happens in real life (no
practical use at all).

> > - People who have mysql admin rights but no shell login could gain this
> >   when this exploit.

Yes, it's what this exploit is about.
According to changelog "Fixed buffer overflow in SET PASSWORD which
could potentially be exploited ... to execute random code or to gain
shell access"
> > - legacy web servers where mysql still runs as root have "customers"
> >   which may only admin their mysql database as mysql-user root but have
> >   no shell login. Here one could exploit a web page like e.g. phpmyadmin
> >   to gain access mysql
> True, this can be a problem.

But it is a special case of the previous item, isn't it ?
> > A constructive proposal is that next time someone screams "security bug"
> > on bugtraq you make a big changelog entry and explain what exaclty can
> > be done with it in which situation.
> Yes, we need to be more verbose with our changelog entries for these
> cases. Good point.

Actually I think this changelog entry was ok (probably because I didn't
see this whole thread, so I don't know what questions it caused.
Ignorance is a bliss. :)

Though it can be improved by specifying exactly what is 
"MySQL users with root privileges".

What about

   * Fixed buffer overflow in password handling which could potentially
     be exploited by MySQL users with ALTER privilege on mysql.table to
     execute random code with UID of mysqld process.

This is very precise and exact description, I think.


   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@stripped>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, Senior Software Developer
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany