Avoid local attacks through MySQL

Cancelled. Published Aug 31, 2007. Paid on delivery.

MySQL, as we know, is a very popular DBMS (Database Management System) and comes in 4 editions:

* MySQL Standard includes the standard storage engine, as well as the InnoDB storage engine, which is touted as a “transaction-safe, ACID-compliant database” with some additional features over the standard version.

* MySQL Pro is the commercial version.

* MySQL Max includes the more technologically advanced features that are available during early access programs.

* MySQL Classic is the standard storage engine without the InnoDB engine. This is another commercial version.

To increase usability, the MySQL developer team has added some functions which are a risk for the server. You have probably heard about the local attack method through MySQL. Let's try an example:

(In this example, I suppose the attacker owns a MySQL account with rights to create, edit, and add/remove databases on the server.)

By creating a table like this (the function is LOAD_FILE, and the INSERT needs its closing parenthesis):

USE attacker;
CREATE TABLE readfile (text LONGTEXT);
INSERT INTO readfile VALUES (LOAD_FILE('/etc/passwd'));

As you can see, the result is:

SELECT * FROM readfile;

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ident:x:100:101::/home/ident:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
canna:x:39:39:Canna Service User:/var/lib/canna:/sbin/nologin
wnn:x:49:49:Wnn Input Server:/var/lib/wnn:/sbin/nologin
mysql:x:101:102:MySQL server:/var/lib/mysql:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin

Some will probably wonder: "Oops, why could the attacker exploit my server although I had already hardened it carefully: safe_mode on, open_basedir set, system functions disabled?" This could be because your administrator forgot, or did not care enough, about this. The problem here is that we need to assess the risk coming from MySQL's usability from the customers' point of view (in case you are managing a shared-hosting environment).

"Do they really need those functions?"

"What could an attacker do once they have an account in MySQL?"

You can find a solution and deploy it after answering these two questions. Let's have a look at MySQL's functions.

Which one could be the most dangerous?

First, consider the load_file() function. Its syntax is LOAD_FILE(file_name). It is used to read a file's contents and return them as a string. In the MySQL manual pages, you can see its requirements:

" To use this function, the file must be located on the server host, you must specify the full pathname to the file, and you must have the FILE privilege. The file must be readable by all and its size less than max_allowed_packet bytes. "

To read a file through MySQL, the user must have the FILE privilege, and the file must be readable by all. These are two golden keys for us, poor sysadmins, to prevent the risk. For a normal customer, when they need to manipulate files, there are 2 cases:

1. Through PHP, Perl, CGI, ASP, or the file manager in the hosting control panel

2. Directly through FTP

So it is not necessary for a normal customer to own the FILE privilege. To prevent this risk, you can simply revoke the FILE privilege from all users in MySQL.

The next one is the LOAD DATA INFILE statement:

"LOAD DATA [LOW_PRIORITY | CONCURRENT] [LOCAL] INFILE 'file_name'
    [REPLACE | IGNORE]
    INTO TABLE tbl_name
    [FIELDS
        [TERMINATED BY 'string']
        [[OPTIONALLY] ENCLOSED BY 'char']
        [ESCAPED BY 'char']
    ]
    [LINES
        [STARTING BY 'string']
        [TERMINATED BY 'string']
    ]
    [IGNORE number LINES]
    [(col_name,...)]"

(This mini-article assumes you already know MySQL, so we don't go into its use or its structure.)

This one does the same thing as load_file() but is faster. Besides, it has one more keyword: "LOCAL".

When "LOCAL" is added to the statement, MySQL reads the file on the client and sends it to the server. The vast majority of servers run MySQL on localhost (on the same machine), so it makes little difference whether the keyword is there or not. Here is its requirement:

"For security reasons, when reading text files located on the server, the files must either reside in the database directory or be readable by all. Also, to use LOAD DATA INFILE on server files, you must have the FILE privilege "

Again, the FILE privilege is the most important key to preventing this risk.

As for dumping files onto the server (writing a file out of MySQL), it is not really popular, so it is not important to discuss it here.
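The check and fix the article recommends for both load_file() and LOAD DATA INFILE, as an added example that is not part of the original mini-article: it lists which accounts hold the FILE privilege (which LOAD_FILE(), LOAD DATA INFILE and writing files out of the server all depend on), revokes it, and verifies the result. The account 'customer1'@'localhost' is a constructed placeholder; secure_file_priv and local_infile are standard MySQL server variables the article does not mention.

```sql
-- Added example: audit and remove the FILE privilege on a MySQL 5.x server.
-- Run as an administrative account; 'customer1'@'localhost' is a constructed placeholder.

-- 1. Find every account that holds the global FILE privilege.
SELECT User, Host
  FROM mysql.user
 WHERE File_priv = 'Y';

-- 2. Revoke it from each account returned above (repeat per user/host pair).
REVOKE FILE ON *.* FROM 'customer1'@'localhost';
FLUSH PRIVILEGES;

-- 3. Confirm the grant is gone for that account.
SHOW GRANTS FOR 'customer1'@'localhost';

-- 4. Verify from the customer's own session: without FILE, LOAD_FILE() returns NULL,
--    so this query yields 1 instead of the file contents.
SELECT LOAD_FILE('/etc/passwd') IS NULL AS file_priv_blocked;

-- 5. Extra server-side controls not covered in the article:
--    secure_file_priv limits server-side file reads/writes to one directory
--    (an empty value means no restriction); local_infile = 0 disables LOAD DATA LOCAL
--    for clients that do not need to push files from their own side.
--    SET GLOBAL is not persistent; put local-infile=0 under [mysqld] in my.cnf as well.
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'local_infile';
SET GLOBAL local_infile = 0;
```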

Conclusion:

MySQL is a really, really powerful DBMS for its power, speed, and usability, but so many unneeded functions make it a potential risk for the server. Hopefully you can gain a little bit of experience to improve security for yourself.

Linux PHP System Admin Web Security

Project ID: #173006

About the project

2 proposals. Remote project. Active Sep 4, 2007

2 freelancers are bidding on average $100 for this job

nknk

Hi. I am an experienced Linux/SQL system administrator. I will provide setup, tuning and further support. That's quite a nice article, but it doesn't explain what you want. If it is hardening your MySQL permissions, then

$100 USD in 3 days
(210 reviews)
7.1