Vulnerabilities > CVE-2012-4452 - Permissions, Privileges, and Access Controls vulnerability in Oracle Mysql

047910
CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

MySQL 5.0.88, and possibly other versions and platforms, allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of a CVE-2009-4030 regression, which was not omitted in other packages and versions such as MySQL 5.0.95 in Red Hat Enterprise Linux 6.

Vulnerable Configurations

Part         Description   Count
Application  Oracle        283

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker either to directly access an executable file, for example through shell access, or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems, which have many integration points, are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has modified the file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when the file is manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal, which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded their telco infrastructure and so are vulnerable to blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different from standard current applications like web applications, there are historical lessons to be learned for upgrading the access control of administrative functions.
  • Restful Privilege Elevation
    REST uses standard HTTP methods (GET, PUT, DELETE) as its permission model, but these are not necessarily correlated with the back-end programs. A strict interpretation of the HTTP GET method means that GET services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program that updates orders in a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit a URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker tries to leverage a bug in the running program to get arbitrary code executed with elevated privileges. For instance, an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs typically run with elevated privileges and have usually not been designed with security in mind. Such programs are attractive exploit targets because they yield a lot of power when they break. The malicious user tries to execute their code at the same level as a privileged system call.

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2013-0121.NASL
    description: Updated mysql packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. It was found that the fix for the CVE-2009-4030 issue, a flaw in the way MySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives when the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 63566
    published: 2013-01-17
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63566
    title: CentOS 5 : mysql (CESA-2013:0121)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2013:0121 and 
    # CentOS Errata and Security Advisory 2013:0121 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(63566);
      script_version("1.10");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2012-4452");
      script_bugtraq_id(55715);
      script_xref(name:"RHSA", value:"2013:0121");
    
      script_name(english:"CentOS 5 : mysql (CESA-2013:0121)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated mysql packages that fix one security issue and several bugs
    are now available for Red Hat Enterprise Linux 5.
    
    The Red Hat Security Response Team has rated this update as having low
    security impact. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available from the
    CVE link in the References section.
    
    MySQL is a multi-user, multi-threaded SQL database server. It consists
    of the MySQL server daemon (mysqld) and many client programs and
    libraries.
    
    It was found that the fix for the CVE-2009-4030 issue, a flaw in the
    way MySQL checked the paths used as arguments for the DATA DIRECTORY
    and INDEX DIRECTORY directives when the 'datadir' option was
    configured with a relative path, was incorrectly removed when the
    mysql packages in Red Hat Enterprise Linux 5 were updated to version
    5.0.95 via RHSA-2012:0127. An authenticated attacker could use this
    flaw to bypass the restriction preventing the use of subdirectories of
    the MySQL data directory being used as DATA DIRECTORY and INDEX
    DIRECTORY paths. This update re-applies the fix for CVE-2009-4030.
    (CVE-2012-4452)
    
    Note: If the use of the DATA DIRECTORY and INDEX DIRECTORY directives
    were disabled as described in RHSA-2010:0109 (by adding
    'symbolic-links=0' to the '[mysqld]' section of the 'my.cnf'
    configuration file), users were not vulnerable to this issue.
    
    This issue was discovered by Karel Volny of the Red Hat Quality
    Engineering team.
    
    This update also fixes the following bugs :
    
    * Prior to this update, the log file path in the logrotate script did
    not behave as expected. As a consequence, the logrotate function
    failed to rotate the '/var/log/mysqld.log' file. This update modifies
    the logrotate script to allow rotating the mysqld.log file.
    (BZ#647223)
    
    * Prior to this update, the mysqld daemon could fail when using the
    EXPLAIN flag in prepared statement mode. This update modifies the
    underlying code to handle the EXPLAIN flag as expected. (BZ#654000)
    
    * Prior to this update, the mysqld init script could wrongly report
    that mysql server startup failed when the server was actually started.
    This update modifies the init script to report the status of the
    mysqld server as expected. (BZ#703476)
    
    * Prior to this update, the '--enable-profiling' option was by default
    disabled. This update enables the profiling feature. (BZ#806365)
    
    All MySQL users are advised to upgrade to these updated packages,
    which contain backported patches to resolve these issues. After
    installing this update, the MySQL server daemon (mysqld) will be
    restarted automatically."
      );
      # https://lists.centos.org/pipermail/centos-announce/2013-January/019160.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?01f871af"
      );
      # https://lists.centos.org/pipermail/centos-cr-announce/2013-January/000403.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e5eb291f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mysql packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-4452");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(59);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mysql-bench");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mysql-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mysql-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mysql-test");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/01/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-5", reference:"mysql-5.0.95-3.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"mysql-bench-5.0.95-3.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"mysql-devel-5.0.95-3.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"mysql-server-5.0.95-3.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"mysql-test-5.0.95-3.el5")) flag++;
    
    
    if (flag)
    {
      cr_plugin_caveat = '\n' +
        'NOTE: The security advisory associated with this vulnerability has a\n' +
        'fixed package version that may only be available in the continuous\n' +
        'release (CR) repository for CentOS, until it is present in the next\n' +
        'point release of CentOS.\n\n' +
    
        'If an equal or higher package level does not exist in the baseline\n' +
        'repository for your major version of CentOS, then updates from the CR\n' +
        'repository will need to be applied in order to address the\n' +
        'vulnerability.\n';
      security_report_v4(
        port       : 0,
        severity   : SECURITY_NOTE,
        extra      : rpm_report_get() + cr_plugin_caveat
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql / mysql-bench / mysql-devel / mysql-server / mysql-test");
    }
    
  • NASL family: Databases
    NASL id: MYSQL_5_0_95_CREATE_TABLE_BYPASS.NASL
    description: The version of MySQL installed may be affected by a symlink-related restriction bypass vulnerability due to a CVE-2009-4030 regression fix being removed in a RedHat 5.0.95 package. Note that this flaw has no impact if the default basedir and datadir configuration values are unchanged.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62927
    published: 2012-11-15
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62927
    title: MySQL 5.0.95 MyISAM Table Symbolic Link Local Restriction Bypass
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20130108_MYSQL_ON_SL5_X.NASL
    description: It was found that the fix for the CVE-2009-4030 issue, a flaw in the way MySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives when the
    last seen: 2020-03-18
    modified: 2013-01-17
    plugin id: 63599
    published: 2013-01-17
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63599
    title: Scientific Linux Security Update : mysql on SL5.x i386/x86_64 (20130108)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-0121.NASL
    description: Updated mysql packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. It was found that the fix for the CVE-2009-4030 issue, a flaw in the way MySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives when the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 63404
    published: 2013-01-08
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63404
    title: RHEL 5 : mysql (RHSA-2013:0121)
  • NASL family: Databases
    NASL id: MYSQL_5_0_88.NASL
    description: The version of MySQL 5.0 installed on the remote host is earlier than 5.0.88. It is, therefore, potentially affected by the following vulnerabilities: - MySQL clients linked against OpenSSL are vulnerable to man-in-the-middle attacks. (Bug #47320) - The GeomFromWKB() function can be manipulated to cause a denial of service. (Bug #47780) - Specially crafted SELECT statements containing subqueries in the WHERE clause can cause the server to crash. (Bug #48291) - It is possible to bypass access restrictions when the data directory contains a symbolic link to a different file system. (Bug #39277)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42899
    published: 2009-11-25
    reporter: This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/42899
    title: MySQL 5.0 < 5.0.88 Multiple Vulnerabilities
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2013-0121.NASL
    description: From Red Hat Security Advisory 2013:0121 : Updated mysql packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. It was found that the fix for the CVE-2009-4030 issue, a flaw in the way MySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives when the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68692
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68692
    title: Oracle Linux 5 : mysql (ELSA-2013-0121)

Redhat

advisories
bugzilla
id: 860808
title: CVE-2012-4452 mysql: regression of CVE-2009-4030
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 5 is installed
      oval: oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment: mysql-bench is earlier than 0:5.0.95-3.el5
          oval: oval:com.redhat.rhsa:tst:20130121001
        • comment: mysql-bench is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070875017
      • AND
        • comment: mysql-server is earlier than 0:5.0.95-3.el5
          oval: oval:com.redhat.rhsa:tst:20130121003
        • comment: mysql-server is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070875015
      • AND
        • comment: mysql-test is earlier than 0:5.0.95-3.el5
          oval: oval:com.redhat.rhsa:tst:20130121005
        • comment: mysql-test is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070875011
      • AND
        • comment: mysql-devel is earlier than 0:5.0.95-3.el5
          oval: oval:com.redhat.rhsa:tst:20130121007
        • comment: mysql-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070875019
      • AND
        • comment: mysql is earlier than 0:5.0.95-3.el5
          oval: oval:com.redhat.rhsa:tst:20130121009
        • comment: mysql is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070875013
rhsa
id: RHSA-2013:0121
released: 2013-01-08
severity: Low
title: RHSA-2013:0121: mysql security and bug fix update (Low)
rpms
  • mysql-0:5.0.95-3.el5
  • mysql-bench-0:5.0.95-3.el5
  • mysql-debuginfo-0:5.0.95-3.el5
  • mysql-devel-0:5.0.95-3.el5
  • mysql-server-0:5.0.95-3.el5
  • mysql-test-0:5.0.95-3.el5

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 55715 CVE(CAN) ID: CVE-2012-4452 MySQL MyISAM is the default storage engine of the MySQL relational database management system in versions before 5.5. MySQL has a local privilege escalation vulnerability; a local attacker can exploit it to elevate privileges on the affected computer. 0 mysql Vendor patch: mysql ----- The vendor has not yet released a patch or upgrade; we recommend that users of this software monitor the vendor's homepage to obtain the latest version: http://dev.mysql.com/doc/refman/
id: SSV:60413
last seen: 2017-11-19
modified: 2012-10-08
published: 2012-10-08
reporter: Root
title: MySQL MyISAM Table Symbolic Link Local Privilege Escalation Vulnerability (CVE-2012-4452)