9 messages in com.mysql.lists.packagers

Re: MySQL 4.0.15 has been released

| From | Sent On | Attachments |
|---|---|---|
| Lenz Grimmer | 10 Sep 2003 11:02 | |
| Michael Shigorin | 11 Sep 2003 01:12 | |
| Christian Hammers | 11 Sep 2003 01:37 | |
| Christian Hammers | 11 Sep 2003 01:47 | |
| Lenz Grimmer | 11 Sep 2003 01:49 | |
| Christian Hammers | 11 Sep 2003 02:05 | |
| Lenz Grimmer | 11 Sep 2003 02:06 | |
| Lenz Grimmer | 11 Sep 2003 03:24 | |
| Sergei Golubchik | 11 Sep 2003 10:54 | |
| Subject: | Re: MySQL 4.0.15 has been released |
|---|---|
| From: | Lenz Grimmer (le...@mysql.com) |
| Date: | 09/11/2003 03:24:44 AM |
| List: | com.mysql.lists.packagers |
Hi Christian,
On Thu, 11 Sep 2003, Christian Hammers wrote:
> > Why do you think it's a root exploit? You need to already have root privileges on the database to be able to trigger this crash.

> Some scenarios I thought of:
> - I think it's possible to give users the rights to modify just their password but not to create new databases or modify someone else's databases. With this exploit it could be made possible. Or?
For being able to exploit this bug, you need to have write permissions on the mysql.user table. Normal users can only change their own password, but you first need to be able to ALTER the mysql.user table (to change the column type of the "Password" column to LONGTEXT) to be able to actually insert such a long string. And if you have write permissions on the mysql.user table, you can already give yourself all the required privileges to be able to create new or modify existing databases.
But I don't want to completely rule out the possibility that you could create a user account with a certain combination of limited privileges and then use this exploit to elevate the privileges of this user. But after some discussion we concluded that this is a pathological case.
Serg, do you have any additional comments on that?
> - People who have mysql admin rights but no shell login could gain this with this exploit.
Yes, that's a possible scenario, agreed. You could gain the ability to execute code under the UID mysqld is running under.
But these admin users already have extended privileges to be able to write to the mysql.user database, which can also be used to cause certain harm to files that belong to the mysql user (e.g. other databases or single tables).
> - legacy web servers where mysql still runs as root have "customers" which may only admin their mysql database as mysql-user root but have no shell login. Here one could exploit a web page like e.g. phpmyadmin to gain access to mysql.
True, this can be a problem.
> A constructive proposal is that next time someone screams "security bug" on bugtraq you make a big changelog entry and explain what exactly can be done with it in which situation.
Yes, we need to be more verbose with our changelog entries for these cases. Good point.
> Admins are notoriously paranoid as they often cannot imagine what could in the worst case eventually be possible and which rights can be gained... One better patches than hopes that no hacker is more creative than oneself :) Some decision-making advice would be great.
Thanks for the advice. I will torture the developers to give me better input for such cases in the future. It took me a while until I fully understood the implications of this specific one...
Bye,
LenZ

--
Lenz Grimmer <le...@mysql.com>
Senior Production Engineer
MySQL GmbH, http://www.mysql.de/
Hamburg, Germany
For technical support contracts, visit https://order.mysql.com/?ref=mlgr
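The preconditions Lenz lays out above (write access to mysql.user, plus the ability to ALTER it so the Password column can hold an over-long string) are something an administrator can audit directly from the grant tables. The queries below are an added example from the defender's side; they are not part of the thread and not MySQL AB's code. They assume the 4.0-era grant-table layout (mysql.user, mysql.db, mysql.tables_priv with Insert_priv/Update_priv/Alter_priv columns) and that the Password column has not been widened on a healthy server; the exact expected column type should be compared against a known-good installation rather than taken from this example.

```sql
-- Added audit example (not from the thread). Lists accounts that hold the
-- preconditions described in the message: write or ALTER access to the
-- mysql.user table. Column names follow the 4.0-era grant tables; run
-- against a test server first.

-- 1. Global privileges (mysql.user): a global INSERT, UPDATE or ALTER
--    privilege applies to every schema, including "mysql".
SELECT Host, User,
       Insert_priv, Update_priv, Alter_priv
FROM   mysql.user
WHERE  Insert_priv = 'Y' OR Update_priv = 'Y' OR Alter_priv = 'Y'
ORDER BY User, Host;

-- 2. Database-level grants scoped to the "mysql" schema (mysql.db).
SELECT Host, Db, User,
       Insert_priv, Update_priv, Alter_priv
FROM   mysql.db
WHERE  Db = 'mysql'
  AND  (Insert_priv = 'Y' OR Update_priv = 'Y' OR Alter_priv = 'Y')
ORDER BY User, Host;

-- 3. Table-level grants on mysql.user itself (mysql.tables_priv).
--    Table_priv is a SET column, so FIND_IN_SET tests single members.
SELECT Host, Db, User, Table_name, Table_priv
FROM   mysql.tables_priv
WHERE  Db = 'mysql' AND Table_name = 'user'
  AND  (FIND_IN_SET('Insert', Table_priv) > 0
     OR FIND_IN_SET('Update', Table_priv) > 0
     OR FIND_IN_SET('Alter',  Table_priv) > 0)
ORDER BY User, Host;

-- 4. Integrity check: the Password column should still be its original
--    fixed-width CHAR type. A LONGTEXT here means mysql.user has been
--    altered in exactly the way the message describes. (The expected
--    type is an assumption about 4.0-era tables; compare the output with
--    a known-good server of the same version.)
SHOW COLUMNS FROM mysql.user LIKE 'Password';
```

Any account returned by queries 1 to 3 that is not a deliberate DBA account is worth removing or narrowing, since, as the message notes, such an account can already grant itself any privilege and does not need the crash to do so; query 4 is the cheap post-hoc check for whether the table has already been tampered with.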