Vigil@nce - MySQL: file corruption via MyISAM
September 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can create a symbolic link, in order for example
to alter the /var/lib/mysql/my.cnf file, with privileges of MySQL.
– Impacted products: Fedora, MySQL Community, MySQL Enterprise
– Severity: 2/4
– Creation date: 10/09/2014
DESCRIPTION OF THE VULNERABILITY
The myisam/ha_myisam.cc file of MySQL uses a ".TMD" temporary file.
However, when the file is opened, the program does not check if it
is an existing symbolic link. The file pointed by the link is thus
opened with privileges of the program. Moreover, the file name is
predictable, and is located in a publicly writable directory, so
the attacker can create the symbolic link before its usage.
A local attacker can therefore create a symbolic link, in order
for example to alter the /var/lib/mysql/my.cnf file, with
privileges of MySQL.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MySQL-file-corruption-via-MyISAM-15328