Friday, January 8, 2010

Local Attacks Against MySQL

This section covers the following:

  • Race conditions
  • Overflows
  • The MySQL file structure revisited

A few points are worth discussing in relation to local
attacks on MySQL before dealing with the few specific attacks that fall
into this section. First, MySQL determines the level of privilege given
to a specific user by the host that the user is connecting from, and it
normally accords the local host the maximum privilege. From this
perspective, local attackers can be much more dangerous than remote
attackers. Second, it is common for MySQL hosts to be protected from
the rest of the network by a firewall and SSH, so that only authorized
users can connect to MySQL. If a user has a means of running arbitrary
code on the MySQL host, he will almost certainly be able to bypass that
restriction and connect to MySQL without going through SSH first.
Depending on the assumptions that have been made and the configuration
of MySQL, this might be dangerous: for example, if the assumption is
that it is OK to leave the password blank for the root account on
localhost.




Race Conditions


Race condition attacks commonly affect Unix
platforms, though the same category of attack could affect Windows
platforms under some circumstances. These race condition/symlink
attacks work as follows.


MySQL has historically been supplied with a number of
scripts that make use of temporary files. In some cases these temporary
files are created in insecure locations (for example the /tmp
directory) with predictable names, and can be replaced by symbolic
links to critical system files. The MySQL script will then unwittingly
overwrite the system file using MySQL's privilege. Known bugs that
demonstrate this behavior are CAN-2004-0388 (the mysqld_multi script)
and CAN-2004-0381 (the mysqlbug script).
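The temporary-file handling described above, shown from the defender's side as an added example (this is illustrative code, not taken from mysqld_multi, mysqlbug or any other MySQL script): the predictable `/tmp` name that a symlink race abuses is kept only as a comment, and the hardened version relies on `mktemp` for atomic, unpredictable creation plus a regular-file check before each write. Function names and the `helper.` prefix are assumptions for the example.

```bash
#!/bin/sh
# Added example: hardened temp-file handling for a maintenance script.
# The insecure pattern that symlink races exploit looks like this:
#     echo "$report" > /tmp/helper.out
# A fixed name in a world-writable directory lets another local user
# pre-create /tmp/helper.out as a symlink to a system file; the redirect
# then follows the link and overwrites that file with the script's
# privileges (the page's CAN-2004-0388 / CAN-2004-0381 pattern).

# Safe creation: mktemp opens the file with O_EXCL under an unpredictable
# name, so an attacker cannot plant a link at that path in advance, and
# the restrictive umask keeps the file private to the script's user.
safe_tmp_create() {
    umask 077
    mktemp "${TMPDIR:-/tmp}/helper.XXXXXX"
}

# Secondary check: refuse any path that is not a regular file or that is
# a symbolic link. This detects tampering after creation; the real
# guarantee against the race is the atomic mktemp creation above.
tmp_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Append a line to the temp file only when the check passes.
# Returns 0 on success, 1 if the path was refused.
safe_write() {
    path=$1
    shift
    if tmp_is_safe "$path"; then
        printf '%s\n' "$*" >> "$path"
        return 0
    fi
    return 1
}
```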


Other notable local bugs in MySQL are
CAN-2001-1255 (not fixed at the time of this writing), in which the
WinMySQLAdmin tool leaves the plaintext root password in my.ini, and
the very old CVE-1999-1188, in which plaintext passwords are left in
world-readable log files.





Overflows



On most platforms, exploiting a buffer overflow locally is much easier
than exploiting it remotely, mainly because the attacker can research
the precise configuration of the system and determine what libraries
are loaded at what addresses in the MySQL processes.


In terms of local-only overflows in MySQL, there aren't any published bugs that fit into this category.