aka wow on ZATAZ.com
CVE-2012-5613 MySQL Database Privilege Elevation 0day Exploit Demo
Timeline :
Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope on 2012-12-01
PoC provided by :
kingcope
Reference(s) :
CVE-2012-5613
Full Disclosure Mailing-list
Red Hat Bugzilla
Affected version(s) :
MySQL 5.0
MySQL 5.1
Other ?
Tested on CentOS 5.8 x86 with :
MySQL Server version 5.0.95 Source distribution
Description :
An attacker with access to a MySQL database through a user account holding certain privileges can use this vulnerability to create a MySQL administrator user. The user created by the PoC script is, by default, "rootedbox2" with "rootedbox2" as the password.
Commands :
On the target side :

    CREATE DATABASE exampledb;
    GRANT ALL PRIVILEGES ON exampledb.* TO user1@'192.168.178.26' IDENTIFIED BY 'test';
    GRANT FILE ON *.* TO user1@'192.168.178.26' IDENTIFIED BY 'test';
    FLUSH PRIVILEGES;

On the attacker side :

    mysql -u user1 -h 192.168.178.34 -p exampledb    -> allowed
    mysql -u rootedbox2 -h 192.168.178.34 -p         -> denied
    perl mysql_privilege_elevation.pl
    mysql -u rootedbox2 -h 192.168.178.34 -p         -> allowed
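For the defensive side of the setup above, the following added example (not part of the original post or of kingcope's PoC) audits SHOW GRANTS output for non-administrative accounts that hold the global FILE privilege, the grant given to user1 in the demo, and produces the matching REVOKE statement. The grant lines are constructed sample data, and treating ALL PRIVILEGES or SUPER as "administrative" is an assumption of this example.

```python
import re

# Constructed sample: SHOW GRANTS output per account (not taken from a real server).
SAMPLE_GRANTS = {
    "'root'@'localhost'": [
        "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    ],
    "'user1'@'192.168.178.26'": [
        "GRANT FILE ON *.* TO 'user1'@'192.168.178.26' IDENTIFIED BY PASSWORD '*CONSTRUCTED'",
        "GRANT ALL PRIVILEGES ON `exampledb`.* TO 'user1'@'192.168.178.26'",
    ],
    "'report'@'%'": [
        "GRANT SELECT, FILE ON *.* TO 'report'@'%'",
    ],
    "'app'@'10.0.0.5'": [
        "GRANT USAGE ON *.* TO 'app'@'10.0.0.5'",
        "GRANT SELECT, INSERT ON `shop`.* TO 'app'@'10.0.0.5'",
    ],
}

# Captures the privilege list and the scope of one GRANT line.
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.I)

# Assumption of this audit: these global privileges mark an account as administrative.
ADMIN_PRIVS = {"ALL PRIVILEGES", "ALL", "SUPER"}


def global_privileges(grant_lines):
    """Return the set of privileges granted at global scope (ON *.*)."""
    privs = set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if m and m.group("scope") == "*.*":
            privs.update(p.strip().upper() for p in m.group("privs").split(","))
    return privs


def audit_file_privilege(grants_by_account):
    """List accounts that hold global FILE without being administrative."""
    findings = []
    for account, lines in sorted(grants_by_account.items()):
        privs = global_privileges(lines)
        if "FILE" in privs and not (privs & ADMIN_PRIVS):
            findings.append(account)
    return findings


def revoke_statement(account):
    """Build the statement that removes the global FILE grant from an account."""
    return "REVOKE FILE ON *.* FROM %s;" % account
```
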
[...] server can escalate to MySQL admin. This is a demo rather than just a PoC, and Eric Romang has a demo. This same issue can be exploited on a Windows system to get code running as system; the folks at [...]
[...] Security researcher Eric Romang has posted a video demonstrating how misconfigured servers are vulnerable in his blog. [...]
All your base, are belong to us.
[...] Posted MySQL Database Privilege Elevation 0day Exploit Demo [...]
[...] The MySQL 5.0 Reference Manual Security Guidelines clearly state "Do not grant the FILE privilege to nonadministrative users" but someone may still make that mistake, as demonstrated in this video by Eric Romang [...]
[...] researcher Eric Romang has highlighted the issue on his blog, and also posted a video demonstrating how misconfigured servers are [...]
Great exploit