CVE-2012-5613 MySQL Database Privilege Elevation 0day Exploit Demo

Exploits, , , ,

Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope the 2012-12-01

PoC provided by :

kingcope

Reference(s) :

CVE-2012-5613
Full Disclosure Mailing-list
Red Hat Bugzilla

Affected version(s) :

MySQL 5.0
MySQL 5.1
Other ?

Tested on Centos 5.8 x86 with :

MySQL Server version 5.0.95 Source distribution

Description :

An attacker with access to a MySQL database through a user having some specific privileges, will be allowed, through this vulnerability to create a MySQL administrator user. The created user specified in the PoC script is by default “rootedbox2” with “rootedbox2” as password.

Commands :

On the target side :
CREATE DATABASE exampledb;
GRANT ALL PRIVILEGES ON exampledb.* TO user1@'192.168.178.26' IDENTIFIED BY 'test';
GRANT FILE ON *.* TO user1@'192.168.178.26' IDENTIFIED BY 'test'; 
FLUSH PRIVILEGES;

On the attacker side :
mysql -u user1 -h 192.168.178.34 -p exampledb -> allowed
mysql -u rootedbox2 -h 192.168.178.34 -p -> denied
perl mysql_privilege_elevation.pl 
mysql -u rootedbox2 -h 192.168.178.34 -p -> allowed

22 thoughts on “CVE-2012-5613 MySQL Database Privilege Elevation 0day Exploit Demo

  1. Pingback: Zero-day vulnerabilities in MySQL database allows hackers to crash the service | Forhaj | Official Site
  2. Pingback: Zero-day vulnerabilities in MySQL database allows hackers to crash the service | Forhaj | Hacker News
  3. Pingback: Multiple MySQL database Zero-day vulnerabilities published | My great WordPress blog
  4. Pingback: Security News #0x2C- MySQL has a bad week. « CyberOperations
  5. Pingback: Zero-day vulnerabilities in MySQL database allows hackers to crash the service | FidoSysop.org
  7. Pingback: {EN} – Multiple MySQL database Zero-day vulnerabilities published | Hack-Actus
  8. Pingback: MySQL 0-Days: CVE-2012-5611 to 5615 – flyingpenguin
  9. Pingback: Vulnerabilities threaten to crash MySQL databases | News Technology or Trading

Comments are closed.