TITLE:
MySQL Two Vulnerabilities

SECUNIA ADVISORY ID:
SA14547

VERIFY ADVISORY:
http://secunia.com/advisories/14547/

CRITICAL:
Less critical

IMPACT:
Privilege escalation, System access

WHERE:
From local network

SOFTWARE:
MySQL 4.x
http://secunia.com/product/404/

DESCRIPTION:
Stefano Di Paola has reported two vulnerabilities in MySQL, which potentially can be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

1) An input validation error in the "udf_init()" function in "sql_udf.cc" causes the "dl" field of the "mysql.func" table to not be properly sanitised before being used to load libraries. This can be exploited by manipulating the "mysql" administrative database directly via an "INSERT INTO" statement instead of using "CREATE FUNCTION".

Successful exploitation allows loading a malicious library from an arbitrary location, but requires "INSERT" and "DELETE" permissions on the "mysql" administrative database.

NOTE: This can be exploited remotely if a user has privileges to create local files via a "SELECT ... INTO OUTFILE" statement.

2) Temporary files are created insecurely with the "CREATE TEMPORARY TABLE" command and can be exploited via symlink attacks to overwrite arbitrary files with the privileges of MySQL.

The vulnerabilities have been reported in versions 4.0.23, and 4.1.10 and prior.

SOLUTION:
The vulnerabilities have been fixed in version 4.0.24.

Do not grant untrusted users privileges to perform "CREATE TEMPORARY TABLE" statements and manipulate the "mysql" administrative database.

PROVIDED AND/OR DISCOVERED BY:
Stefano Di Paola

Reproducible: Always
Portage 2.0.51.19 (default-linux/x86/2004.3, gcc-3.4.3, glibc-2.3.4.20050125-r1, 2.6.11.2 i686)
=================================================================
System uname: 2.6.11.2 i686 AMD Athlon(tm) processor
Gentoo Base System version 1.6.10
Python:              dev-lang/python-2.4-r2 [2.4 (#2, Feb 9 2005, 19:08:43)]
ccache version 2.3 [enabled]
dev-lang/python:     2.4-r2
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.6.3, 1.8.5-r3, 1.9.5, 1.5, 1.7.9-r1, 1.4_p6
sys-devel/binutils:  2.15.92.0.2-r5
sys-devel/libtool:   1.5.10-r5
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-tbird -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-tbird -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks parallel-fetch sandbox sfperms"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://distro.ibiblio.org/pub/Linux/distributions/gentoo/ http://distfiles.gentoo.org"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="x86 3dnow 3dnowex X X509 aac aalib acpi alsa apache2 apm artworkextra audiofile avi bash-completion bcmath bidi bindist bitmap-fonts bmp bzip2 bzlib calendar cdparanoia chroot cjk cpdflib crypt cscope ctype cups curl curlwrappers dba dbx directfb encode erandom exif fam fbcon ffmpeg flac font-server foomaticdb fortran fpx ftp gcj gd gdbm ggi gif gimpprint glitz glut gnutls gpm graphviz gstreamer gtk gtk2 gtkhtml hal iconv imap imlib innodb ipv6 java javacomm javascript jbig jikes jpeg lcms ldap libcaca live lua mad mbox md5sum mhash mikmod mime ming mmap mmx mmx2 mng mozdevelop mozilla mozsvg mozxmlterm mp3 mpeg mpi mplayer mysql mysqli ncurses nls nptl nptlonly nvidia objc offensive oggvorbis opengl openntpd pam pam_console parse-clocks pcmcia pcre perl php physfs pic png pnp posix ppds pwdb python readline real rtc ruby sasl sdk sdl session silc simplexml skey slang sndfile sockets speex spell sqlite ssl startup-notification stroke svg svga sysvipc tcltk tcpd tetex theora threads tidy tiff tokenizer toolbar truetype truetype-fonts type1-fonts unicode usb utempter wddx wmf xchatdccserver xine xml xml2 xpm xprint xsl xv xvid zlib video_cards_nvidia"
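The advisory's SOLUTION section amounts to three checks an administrator can run: is the server inside the affected version range, does any row in mysql.func carry a library path that CREATE FUNCTION would never have written, and which accounts hold the privileges (INSERT/DELETE on the mysql database, CREATE TEMPORARY TABLES, and FILE for SELECT ... INTO OUTFILE) that the two issues depend on. The script below is an added example, not part of the bug report or of MySQL; it works on constructed sample data shaped like the output of `SELECT name, dl FROM mysql.func` and `SHOW GRANTS`, and connects to nothing. The function names and the sample rows are assumptions of this example.

```python
"""Offline audit helpers for the two MySQL 4.x issues in Secunia SA14547.

All data below is constructed for the example; nothing here talks to a server.
Assumed input shapes:
  - rows as returned by   SELECT name, dl FROM mysql.func;
  - lines as printed by   SHOW GRANTS FOR 'user'@'host';
"""
import re

# Constructed sample of mysql.func rows: (name, dl).
SAMPLE_FUNC_ROWS = [
    ("metaphon", "udf_example.so"),      # bare file name, as CREATE FUNCTION stores it
    ("myfunc",   "/tmp/libfoo.so"),      # absolute path: only reachable by a direct INSERT
    ("other",    "../../../tmp/x.so"),   # relative traversal, same story
]

# Constructed sample of SHOW GRANTS output for several accounts.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'localhost' IDENTIFIED BY PASSWORD '*PLACEHOLDER'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO 'app'@'localhost'",
    "GRANT SELECT, INSERT, DELETE ON `mysql`.* TO 'dba_helper'@'%'",
    "GRANT CREATE TEMPORARY TABLES ON `reports`.* TO 'report'@'%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<who>'[^']*'@'[^']*')", re.I)


def is_affected(version):
    """True when the version falls in the ranges the advisory reports:
    4.0.x before 4.0.24 (the fixed release it names) or 4.1.x up to 4.1.10.
    The advisory names no fixed 4.1 release, so later 4.1.x is treated as
    outside the reported range, not as confirmed fixed."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) == (4, 0):
        return patch < 24
    if (major, minor) == (4, 1):
        return patch <= 10
    return False


def suspicious_udf_rows(rows):
    """Return (name, dl) pairs whose dl is not a bare library file name.

    CREATE FUNCTION sanitises the library name; a directory component in dl
    means the row was written straight into mysql.func, which is the route
    issue 1 of the advisory describes."""
    flagged = []
    for name, dl in rows:
        if not dl or "/" in dl or "\\" in dl or dl.startswith("."):
            flagged.append((name, dl))
    return flagged


def risky_grants(lines):
    """Map each account to the reasons its grants matter for this advisory."""
    findings = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        scope = m.group("scope").replace("`", "")
        who = m.group("who")
        all_privs = bool(privs & {"ALL PRIVILEGES", "ALL"})
        reasons = []
        # Issue 1 needs INSERT and DELETE on the mysql administrative database.
        if (scope == "*.*" or scope.startswith("mysql.")) and \
                (all_privs or privs & {"INSERT", "DELETE"}):
            reasons.append("can write mysql.func (issue 1)")
        # Issue 2 needs the right to run CREATE TEMPORARY TABLE.
        if all_privs or "CREATE TEMPORARY TABLES" in privs:
            reasons.append("CREATE TEMPORARY TABLES (issue 2)")
        # FILE is what lets a remote user write local files via SELECT ... INTO OUTFILE.
        if scope == "*.*" and (all_privs or "FILE" in privs):
            reasons.append("FILE: can create local files via SELECT ... INTO OUTFILE")
        if reasons:
            findings.setdefault(who, []).extend(reasons)
    return findings


if __name__ == "__main__":
    print("affected 4.0.23:", is_affected("4.0.23"), "affected 4.0.24:", is_affected("4.0.24"))
    print("suspicious mysql.func rows:", suspicious_udf_rows(SAMPLE_FUNC_ROWS))
    for who, why in risky_grants(SAMPLE_GRANTS).items():
        print(who, "->", "; ".join(why))
```

The grant check is deliberately coarse: it reports every account that could reach either issue, including root, so that the administrator decides which of those accounts are actually trusted rather than the script guessing.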
*** This bug has been marked as a duplicate of 84819 ***