ID CVE-2003-0150
Summary MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INTO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf.
References
Vulnerable Configurations
  • MySQL MySQL 3.23.52
    cpe:2.3:a:mysql:mysql:3.23.52
  • MySQL MySQL 3.23.53
    cpe:2.3:a:mysql:mysql:3.23.53
  • MySQL MySQL 3.23.53a
    cpe:2.3:a:mysql:mysql:3.23.53a
  • MySQL MySQL 3.23.54
    cpe:2.3:a:mysql:mysql:3.23.54
  • MySQL MySQL 3.23.54a
    cpe:2.3:a:mysql:mysql:3.23.54a
  • MySQL MySQL 3.23.55
    cpe:2.3:a:mysql:mysql:3.23.55
CVSS
Base: 9.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: SINGLE_INSTANCE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
exploit-db via4
description MySQL 3.23.x mysqld Privilege Escalation Vulnerability. CVE-2003-0150. Local exploit for linux platform
id EDB-ID:22340
last seen 2016-02-02
modified 2003-03-08
published 2003-03-08
reporter bugsman@libero.it
source https://www.exploit-db.com/download/22340/
title MySQL 3.23.x - mysqld Privilege Escalation Vulnerability
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-303.NASL
    description CAN-2003-0073: The mysql package contains a bug whereby dynamically allocated memory is freed more than once, which could be deliberately triggered by an attacker to cause a crash, resulting in a denial of service condition. In order to exploit this vulnerability, a valid username and password combination for access to the MySQL server is required. CAN-2003-0150: The mysql package contains a bug whereby a malicious user, granted certain permissions within mysql, could create a configuration file which would cause the mysql server to run as root, or any other user, rather than the mysql user.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15140
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15140
    title Debian DSA-303-1 : mysql - privilege escalation
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2003-057.NASL
    description In MySQL 3.23.55 and earlier, MySQL would create world-writeable files and allow mysql users to gain root privileges by using the 'SELECT * INTO OUTFILE' operator to overwrite a configuration file, which could cause mysql to run as root upon restarting the daemon. This has been fixed upstream in version 3.23.56, which is provided for Mandrake Linux 9.0 and Corporate Server 2.1 users. The other updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14041
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14041
    title Mandrake Linux Security Advisory : MySQL (MDKSA-2003:057)
  • NASL family Databases
    NASL id MYSQL_3_23_56.NASL
    description The version of MySQL installed on the remote host is older than 3.23.56. As such, it reportedly creates world-writeable files. By restarting the MySQL daemon under root ID, a local attacker could gain root privileges.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17820
    published 2012-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17820
    title MySQL < 3.23.56 Writable Configuration Files
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2003-094.NASL
    description Updated packages are available that fix both a double-free security vulnerability and a remote root exploit security vulnerability found in the MySQL server. [Updated 11 Aug 2003] Updated mysqlclient9 packages are now included. These were previously missing from this erratum. MySQL is a multi-user, multi-threaded SQL database server. A double-free vulnerability in mysqld, for MySQL before version 3.23.55, allows attackers with MySQL access to cause a denial of service (crash) by creating a carefully crafted client application. A remote root exploit vulnerability in mysqld, for MySQL before version 3.23.56, allows MySQL users to gain root privileges by overwriting configuration files. Previous versions of the MySQL packages do not contain the thread safe client library (libmysqlclient_r). All users of MySQL are advised to upgrade to these errata packages containing MySQL 3.23.56.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 12378
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12378
    title RHEL 2.1 : mysql (RHSA-2003:094)
  • NASL family Databases
    NASL id SHN_MYSQL_PRIVILEGE_ESCALATION.NASL
    description The remote version of MySQL is older than 3.23.56. Such versions are affected by an issue that may allow the mysqld service to start with elevated privileges. An attacker can exploit this vulnerability by creating a 'DATADIR/my.cnf' that includes the line 'user=root' under the '[mysqld]' option section. When the mysqld service is executed, it will run as the root user instead of the default user.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 11378
    published 2003-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11378
    title MySQL datadir/my.cnf Modification Privilege Escalation
oval via4
accepted 2010-09-20T04:00:25.618-04:00
class vulnerability
contributors
  • name Jay Beale
    organization Bastille Linux
  • name Thomas R. Jones
    organization Maitreya Security
  • name Jonathan Baker
    organization The MITRE Corporation
description MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INTO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf.
family unix
id oval:org.mitre.oval:def:442
status accepted
submitted 2003-08-18T12:00:00.000-04:00
title MYSQL Privilege Escalation Vulnerability via INFO OUTFILE Select
version 37
packetstorm via4
data source https://packetstormsecurity.com/files/download/138678/mysql-rootprivesc.txt
id PACKETSTORM:138678
last seen 2016-12-05
published 2016-09-12
reporter Dawid Golunski
source https://packetstormsecurity.com/files/138678/MySQL-5.7.15-5.6.33-5.5.52-Remote-Code-Execution.html
title MySQL 5.7.15 / 5.6.33 / 5.5.52 Remote Code Execution
redhat via4
advisories
  • rhsa
    id RHSA-2003:093
  • rhsa
    id RHSA-2003:094
refmap via4
bid 7052
bugtraq
  • 20030308 MySQL_user_can_be_changed_to_root?
  • 20030310 Re: MySQL user can be changed to root
  • 20030318 GLSA: mysql (200303-14)
  • 20030318 [OpenPKG-SA-2003.022] OpenPKG Security Advisory (mysql)
cert-vn VU#203897
conectiva CLA-2003:743
debian DSA-303
engarde ESA-20030324-012
mandrake MDKSA-2003:057
xf mysql-datadir-root-privileges(11510)
Last major update 17-10-2016 - 22:30
Published 24-03-2003 - 00:00
Last modified 10-10-2017 - 21:29