Local Attacks Against MySQL

This section covers the following:

  • Race conditions
  • Overflows
  • The MySQL file structure revisited

A few points are worth discussing in relation to local attacks on MySQL before dealing with the few specific attacks that fall into this section. First, MySQL determines the level of privilege granted to a user partly by the host that the user connects from, and connections from the local host are normally granted the maximum privilege. From this perspective, local attackers can be much more dangerous than remote attackers. Second, it is common for MySQL hosts to be protected from the rest of the network by a firewall and SSH so that only authorized users can connect to MySQL. If a user has a means of running arbitrary code on the MySQL host, he will almost certainly be able to bypass that restriction and connect to MySQL without going through SSH first. Depending on the assumptions that have been made and the configuration of MySQL, this might be dangerous: for example, if the assumption is that it's OK to leave the password blank for the root account on localhost.

Race Conditions

Race condition attacks commonly affect Unix platforms, though the same category of attack could affect Windows platforms under some circumstances. The way that these race condition/symlink attacks work is as follows.

MySQL has historically been supplied with a number of scripts that make use of temporary files. In some cases these temporary files are created in insecure locations (for example the /tmp directory) with predictable names, and can be replaced by symbolic links to critical system files. The MySQL script will then unwittingly overwrite the system file using MySQL's privilege. Known bugs that demonstrate this behavior are CAN-2004-0388 (the mysqld_multi script) and CAN-2004-0381 (the mysqlbug script).
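The following shell example is added here and is not code from the book or from MySQL's own scripts; it contrasts the predictable-name temporary-file pattern just described with a hardened form. The file names and the directory parameter are assumptions for illustration, so the functions can be exercised in a private scratch directory rather than /tmp.

```shell
#!/bin/sh
# Added example, not taken from the book or from MySQL's scripts.
# Demonstrates why predictable temp-file names in a shared directory are
# dangerous and what the hardened pattern looks like.

# Unsafe: fixed, predictable name. A plain redirect follows any symbolic
# link already sitting at that path, so whatever it points to is overwritten
# with the script's privilege.
unsafe_write() {
    dir=$1; data=$2
    printf '%s\n' "$data" > "$dir/mysqlbug-report.txt"
}

# Hardened: mktemp picks an unpredictable name and creates the file itself
# with O_EXCL and mode 0600, so a pre-placed link can never be followed.
# Prints the path of the file it created.
safe_write() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/mysqlbug.XXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# For scripts that must keep a fixed name: refuse to touch the path if
# anything (file or link) is already there instead of overwriting it.
# bash and dash implement noclobber (set -C) with O_EXCL, so the redirect
# fails rather than following a link planted between the check and the write.
write_fixed_name() {
    path=$1; data=$2
    if [ -e "$path" ] || [ -L "$path" ]; then
        echo "refusing to overwrite existing $path" >&2
        return 1
    fi
    (set -C; printf '%s\n' "$data" > "$path")
}
```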

Other notable local bugs in MySQL are CAN-2001-1255 (not fixed at the time of this writing), in which the WinMySQLAdmin tool leaves the plaintext root password in my.ini, and the very old CVE-1999-1188, in which plaintext passwords are left in world-readable log files.

Overflows
On most platforms, exploiting a buffer overflow locally is much easier than exploiting it remotely, mainly because the attacker can research the precise configuration of the system and determine which libraries are loaded at which addresses in the MySQL process.

In terms of local-only overflows in MySQL, there aren't any published bugs that fit into this category.
