Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 2 Dec 2012 21:17:14 +0100
From: king cope <isowarez.isowarez.isowarez@...glemail.com>
To: oss-security@...ts.openwall.com, Kurt Seifried <kseifried@...hat.com>, 
	king cope <isowarez.isowarez.isowarez@...glemail.com>, 
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, 
	todd@...ketstormsecurity.org, submit@...sec.com, 
	Mitre CVE assign department <cve-assign@...re.org>, Steven Christey <coley@...re.org>, security@...iadb.org, 
	security@...ql.com, Ritwik Ghoshal <ritwik.ghoshal@...cle.com>, moderators@...db.org
Subject: Re: Re: [Full-disclosure] MySQL (Linux) Stack based
 buffer overrun PoC Zeroday

Hi,
My opinion is that the FILE to admin privilege elevation should be patched.
What is the reason to have FILE and ADMIN privileges seperated when
with this exploit
FILE privileges equate to ALL ADMIN privileges.
I understand that it's insecure to have FILE privileges attached to a user.
But if this a configuration issue and not a vulnerability then as
stated above there must be something wrong with the privilege
management in this SQL server.

With Kind Regards,

Kingcope


2012/12/2 Sergei Golubchik <serg@...monty.org>:
> Hi, Huzaifa!
>
> Here's the vendor's reply:
>
> On Dec 02, Huzaifa Sidhpurwala wrote:
>>
>> * CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
>> http://seclists.org/fulldisclosure/2012/Dec/4
>> https://bugzilla.redhat.com/show_bug.cgi?id=882599
>
> A duplicate of CVE-2012-5579
> Already fixed in all stable MariaDB version.
>
>> * CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
>> http://seclists.org/fulldisclosure/2012/Dec/5
>> https://bugzilla.redhat.com/show_bug.cgi?id=882600
>
> Acknowledged.
> https://mariadb.atlassian.net/browse/MDEV-3908
>
>> * CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday
>> Exploit
>> http://seclists.org/fulldisclosure/2012/Dec/6
>> https://bugzilla.redhat.com/show_bug.cgi?id=882606
>
> Not a bug. MySQL manual specifies many times very explicitly:
>
> ===
>    * Do not grant the `FILE' privilege to nonadministrative users. Any
>      user that has this privilege can write a file anywhere in the file
>      system with the privileges of the *Note `mysqld': mysqld. daemon.
>      To make this a bit safer, files generated with *Note `SELECT ...
>      INTO OUTFILE': select. do not overwrite existing files and are
>      writable by everyone.
>
>      The `FILE' privilege may also be used to read any file that is
>      world-readable or accessible to the Unix user that the server runs
>      as. With this privilege, you can read any file into a database
>      table. This could be abused, for example, by using *Note `LOAD
>      DATA': load-data. to load `/etc/passwd' into a table, which then
>      can be displayed with *Note `SELECT': select.
> ===
> You should exercise particular caution in granting the `FILE'
> and administrative privileges:
>
>    * The `FILE' privilege can be abused to read into a database table
>      any files that the MySQL server can read on the server host. This
>      includes all world-readable files and files in the server's data
>      directory.  The table can then be accessed using *Note `SELECT':
>      select. to transfer its contents to the client host.
> ===
>
> Additionally, MySQL (and MariaDB) provides a --secure-file-priv
> option that allows to restrict all FILE operations to a specific
> directory.
>
> Thus, CVE-2012-5613 is not a bug, but a result of a misconfiguration,
> much like an anonymous ftp upload access to the $HOME of the ftp user.
>
>> * CVE-2012-5614 MySQL Denial of Service Zeroday PoC
>> http://seclists.org/fulldisclosure/2012/Dec/7
>> https://bugzilla.redhat.com/show_bug.cgi?id=882607
>
> Acknowledged.
> https://mariadb.atlassian.net/browse/MDEV-3910
>
>> * CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
>> http://seclists.org/fulldisclosure/2012/Dec/9
>> https://bugzilla.redhat.com/show_bug.cgi?id=882608
>
> This is hardly a "zeroday" issue, it was known for, like, ten years.
> But I'll see what we can do here.
> https://mariadb.atlassian.net/browse/MDEV-3909
>
> Regards,
> Sergei
> MariaDB Security Coordinator
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.