ID CVE-2005-0709
Summary MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit.
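The summary above describes the primitive: a user with INSERT on the `mysql` database registers a user-defined function with `CREATE FUNCTION name RETURNS type SONAME 'library'`, and because 4.0.23/4.1.10 and earlier do not require the library to be a real UDF module, libc itself can be named and its exports (strcat, on_exit, exit) called from SQL. The following is an added example, not code from the advisory or the MySQL project: it implements the two checks a responder would run, a version test against the fixed releases 4.0.24 and 4.1.10a, and an audit of `mysql.func` rows (or `CREATE FUNCTION` statements pulled from a query log) for registrations that point at the C library or a path-qualified shared object. The table rows and log lines are constructed for the example; the column names follow `mysql.func` (`name`, `ret`, `dl`, `type`).

```python
"""Added example for CVE-2005-0709: version check and UDF registration audit.

Not part of the advisory or of MySQL; sample rows and log lines are constructed.
"""
import re

# First fixed release per branch (summary line, Nessus plugin title): anything
# below these in the same branch is affected. 3.23.x is listed as affected too.
FIXED_RELEASE = {(4, 0): (24, ""), (4, 1): (10, "a")}

# libc entry points the advisory names as demonstrated targets.
LIBC_TARGETS = {"strcat", "on_exit", "exit"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")
# Documented UDF registration syntax; the SONAME operand is what we care about.
_CREATE_FN_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'",
    re.IGNORECASE,
)


def parse_version(version_string):
    """Split e.g. '4.1.10a-Debian_2-log' into (4, 1, 10, 'a'); trailing build tags are ignored."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError("unrecognised MySQL version: %r" % version_string)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_vulnerable(version_string):
    """True if the server version falls inside the affected ranges from the summary."""
    major, minor, patch, suffix = parse_version(version_string)
    if major < 4:
        return True
    if major > 4 or (major, minor) not in FIXED_RELEASE:
        return False
    # Letter suffixes sort after the bare number, so 4.1.10 < 4.1.10a.
    return (patch, suffix) < FIXED_RELEASE[(major, minor)]


def soname_reason(soname):
    """Explain why a SONAME operand is suspicious, or return None if it looks like a normal UDF module."""
    base = soname.rsplit("/", 1)[-1]
    if base.startswith("libc.so") or base.startswith("libc-"):
        return "loads the C library itself (CVE-2005-0709 pattern)"
    if "/" in soname:
        return "path-qualified library (CVE-2005-0710 pattern)"
    return None


def audit_udf_registrations(rows):
    """Return (name, dl, reason) for every registration that should be investigated.

    rows: dicts with at least 'name' and 'dl', i.e. mysql.func rows or the
    output of extract_create_functions().
    """
    findings = []
    for row in rows:
        name, dl = row["name"], row["dl"]
        reason = soname_reason(dl)
        if name.lower() in LIBC_TARGETS:
            reason = "UDF named after libc function %s%s" % (name, "; " + reason if reason else "")
        if reason:
            findings.append((name, dl, reason))
    return findings


def extract_create_functions(log_lines):
    """Pull CREATE FUNCTION ... SONAME statements out of general query log lines."""
    found = []
    for line in log_lines:
        m = _CREATE_FN_RE.search(line)
        if m:
            found.append({"name": m.group(1), "dl": m.group(2)})
    return found


# Constructed sample data (not real captures).
SAMPLE_FUNC_ROWS = [
    {"name": "metaphon", "ret": 0, "dl": "udf_example.so", "type": "function"},
    {"name": "strcat",   "ret": 0, "dl": "libc.so.6",      "type": "function"},
    {"name": "lookup",   "ret": 0, "dl": "/tmp/evil.so",   "type": "function"},
]
SAMPLE_LOG_LINES = [
    "050310 12:00:01   7 Query   CREATE FUNCTION on_exit RETURNS INTEGER SONAME 'libc.so.6'",
    "050310 12:00:02   7 Query   SELECT 1",
]

if __name__ == "__main__":
    for v in ("4.0.23", "4.0.24", "4.1.10", "4.1.10a-log"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for finding in audit_udf_registrations(SAMPLE_FUNC_ROWS):
        print("mysql.func:", finding)
    for finding in audit_udf_registrations(extract_create_functions(SAMPLE_LOG_LINES)):
        print("query log:", finding)
```

On a live server the rows come from `SELECT name, ret, dl, type FROM mysql.func` and the version from `SELECT VERSION()`; any finding is worth treating as a compromise indicator, since legitimate UDF modules are named after their own shared object, never after libc, and a path in `dl` means the library-path restriction was bypassed as in CVE-2005-0710.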
Vulnerable Configurations
  • MySQL MySQL 3.23.49
    cpe:2.3:a:mysql:mysql:3.23.49
  • MySQL MySQL 4.0.0
    cpe:2.3:a:mysql:mysql:4.0.0
  • MySQL MySQL 4.0.1
    cpe:2.3:a:mysql:mysql:4.0.1
  • MySQL MySQL 4.0.2
    cpe:2.3:a:mysql:mysql:4.0.2
  • MySQL MySQL 4.0.3
    cpe:2.3:a:mysql:mysql:4.0.3
  • MySQL MySQL 4.0.4
    cpe:2.3:a:mysql:mysql:4.0.4
  • MySQL MySQL 4.0.5
    cpe:2.3:a:mysql:mysql:4.0.5
  • MySQL MySQL 4.0.5a
    cpe:2.3:a:mysql:mysql:4.0.5a
  • MySQL MySQL 4.0.6
    cpe:2.3:a:mysql:mysql:4.0.6
  • MySQL MySQL 4.0.7
    cpe:2.3:a:mysql:mysql:4.0.7
  • MySQL MySQL 4.0.7 gamma
    cpe:2.3:a:mysql:mysql:4.0.7:gamma
  • MySQL MySQL 4.0.8
    cpe:2.3:a:mysql:mysql:4.0.8
  • MySQL MySQL 4.0.8 gamma
    cpe:2.3:a:mysql:mysql:4.0.8:gamma
  • MySQL MySQL 4.0.9
    cpe:2.3:a:mysql:mysql:4.0.9
  • MySQL MySQL 4.0.9 gamma
    cpe:2.3:a:mysql:mysql:4.0.9:gamma
  • MySQL MySQL 4.0.10
    cpe:2.3:a:mysql:mysql:4.0.10
  • MySQL MySQL 4.0.11
    cpe:2.3:a:mysql:mysql:4.0.11
  • MySQL MySQL 4.0.11 gamma
    cpe:2.3:a:mysql:mysql:4.0.11:gamma
  • MySQL MySQL 4.0.12
    cpe:2.3:a:mysql:mysql:4.0.12
  • MySQL MySQL 4.0.13
    cpe:2.3:a:mysql:mysql:4.0.13
  • MySQL MySQL 4.0.14
    cpe:2.3:a:mysql:mysql:4.0.14
  • MySQL MySQL 4.0.15
    cpe:2.3:a:mysql:mysql:4.0.15
  • MySQL MySQL 4.0.18
    cpe:2.3:a:mysql:mysql:4.0.18
  • MySQL MySQL 4.0.20
    cpe:2.3:a:mysql:mysql:4.0.20
  • MySQL MySQL 4.0.21
    cpe:2.3:a:mysql:mysql:4.0.21
  • MySQL MySQL 4.0.23
    cpe:2.3:a:mysql:mysql:4.0.23
  • MySQL MySQL 4.1.0 alpha
    cpe:2.3:a:mysql:mysql:4.1.0:alpha
  • MySQL MySQL 4.1.0.0
    cpe:2.3:a:mysql:mysql:4.1.0.0
  • MySQL MySQL 4.1.2 alpha
    cpe:2.3:a:mysql:mysql:4.1.2:alpha
  • MySQL MySQL 4.1.3
    cpe:2.3:a:mysql:mysql:4.1.3
  • MySQL MySQL 4.1.3 beta
    cpe:2.3:a:mysql:mysql:4.1.3:beta
  • MySQL MySQL 4.1.4
    cpe:2.3:a:mysql:mysql:4.1.4
  • MySQL MySQL 4.1.5
    cpe:2.3:a:mysql:mysql:4.1.5
  • MySQL MySQL 4.1.10
    cpe:2.3:a:mysql:mysql:4.1.10
CVSS
Base: 4.6 (as of 09-06-2005 - 23:14)
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
Vector: LOCAL  Complexity: LOW  Authentication: NONE
Impact
Confidentiality: PARTIAL  Integrity: PARTIAL  Availability: PARTIAL
exploit-db via4
description MySQL 4.x CREATE FUNCTION Arbitrary libc Code Execution. CVE-2005-0709. Remote exploit for multiple platforms
id EDB-ID:25209
last seen 2016-02-03
modified 2005-03-11
published 2005-03-11
reporter Stefano Di Paola
source https://www.exploit-db.com/download/25209/
title MySQL 4.x CREATE FUNCTION Arbitrary libc Code Execution
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SA_2005_019.NASL
    description The remote host is missing the patch for the advisory SUSE-SA:2005:019 (mysql). MySQL is an Open Source database server, commonly used together with web services provided by PHP scripts or similar. This security update fixes a broken mysqlhotcopy script as well as several security-related bugs: - CVE-2005-0709: MySQL allowed remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit. - CVE-2005-0710: MySQL allowed remote authenticated users with INSERT and DELETE privileges to bypass library path restrictions and execute arbitrary libraries by using INSERT INTO to modify the mysql.func table, which is processed by the udf_init function. - CVE-2005-0711: MySQL used predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack. The first two vulnerabilities can be exploited by an attacker using SQL injection attack vectors into a flawed PHP application, for instance.
    last seen 2019-02-21
    modified 2016-12-27
    plugin id 17618
    published 2005-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17618
    title SUSE-SA:2005:019: mysql
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_619EF337949A11D9B81300D05964249F.NASL
    description SecurityFocus reports : MySQL is reported prone to an insecure temporary file creation vulnerability. Reports indicate that an attacker that has 'CREATE TEMPORARY TABLE' privileges on an affected installation may leverage this vulnerability to corrupt files with the privileges of the MySQL process. MySQL is reported prone to an input validation vulnerability that can be exploited by remote users that have INSERT and DELETE privileges on the 'mysql' administrative database. Reports indicate that this issue may be leveraged to load and execute a malicious library in the context of the MySQL process. Finally, MySQL is reported prone to a remote arbitrary code execution vulnerability. It is reported that the vulnerability may be triggered by employing the 'CREATE FUNCTION' statement to manipulate functions in order to control sensitive data structures. This issue may be exploited to execute arbitrary code in the context of the database process.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 18956
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18956
    title FreeBSD : mysql-server -- multiple remote vulnerabilities (619ef337-949a-11d9-b813-00d05964249f)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-334.NASL
    description Updated mysql packages that fix several vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0709 and CVE-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0711 to this issue. All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17646
    published 2005-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17646
    title RHEL 2.1 / 3 / 4 : mysql (RHSA-2005:334)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_120292.NASL
    description SunOS 5.10 : mysql patch. Date this patch was last updated by Sun : Jun/27/08 This plugin has been deprecated and either replaced with individual 120292 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 19447
    published 2005-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19447
    title Solaris 10 (sparc) : 120292-02 (deprecated)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_120292-02.NASL
    description SunOS 5.10 : mysql patch. Date this patch was last updated by Sun : Jun/27/08
    last seen 2019-01-19
    modified 2019-01-18
    plugin id 107361
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107361
    title Solaris 10 (sparc) : 120292-02
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-348.NASL
    description Updated mysql-server packages that fix several vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0709 and CVE-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0711 to this issue. All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 21926
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21926
    title CentOS 3 : mysql-server (CESA-2005:348)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-060.NASL
    description A number of vulnerabilities were discovered by Stefano Di Paola in the MySQL server : If an authenticated user had INSERT privileges on the 'mysql' database, the CREATE FUNCTION command allowed that user to use libc functions to execute arbitrary code with the privileges of the user running the database server (mysql) (CVE-2005-0709). If an authenticated user had INSERT privileges on the 'mysql' database, it was possible to load a library located in an arbitrary directory by using INSERT INTO mysql.func instead of CREATE FUNCTION. This also would allow the user to execute arbitrary code with the privileges of the user running the database server (CVE-2005-0710). Finally, temporary files belonging to tables created with CREATE TEMPORARY TABLE were handled in an insecure manner, allowing any local user to overwrite arbitrary files with the privileges of the database server (CVE-2005-0711). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 17601
    published 2005-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17601
    title Mandrake Linux Security Advisory : MySQL (MDKSA-2005:060)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-348.NASL
    description Updated mysql-server packages that fix several vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0709 and CVE-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0711 to this issue. All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 17981
    published 2005-04-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17981
    title RHEL 3 : mysql-server (RHSA-2005:348)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-96-1.NASL
    description Stefano Di Paola discovered three privilege escalation flaws in the MySQL server : - If an authenticated user had INSERT privileges on the 'mysql' administrative database, the CREATE FUNCTION command allowed that user to use libc functions to execute arbitrary code with the privileges of the database server (user 'mysql'). (CAN-2005-0709) - If an authenticated user had INSERT privileges on the 'mysql' administrative database, it was possible to load a library located in an arbitrary directory by using INSERT INTO mysql.func instead of CREATE FUNCTION. This allowed the user to execute arbitrary code with the privileges of the database server (user 'mysql'). (CAN-2005-0710) - Temporary files belonging to tables created with CREATE TEMPORARY TABLE were handled in an insecure way. This allowed any local computer user to overwrite arbitrary files with the privileges of the database server. (CAN-2005-0711) Matt Brubeck discovered that the directory /usr/share/mysql/ was owned and writable by the database server user 'mysql'. This directory contains scripts which are usually run by root. This allowed a local attacker who already has mysql privileges to gain full root access by modifying a script and tricking root into executing it. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20722
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20722
    title Ubuntu 4.10 : mysql-dfsg vulnerabilities (USN-96-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200503-19.NASL
    description The remote host is affected by the vulnerability described in GLSA-200503-19 (MySQL: Multiple vulnerabilities) MySQL fails to properly validate input for authenticated users with INSERT and DELETE privileges (CAN-2005-0709 and CAN-2005-0710). Furthermore MySQL uses predictable filenames when creating temporary files with CREATE TEMPORARY TABLE (CAN-2005-0711). Impact : An attacker with INSERT and DELETE privileges could exploit this to manipulate the mysql table or access libc calls, potentially leading to the execution of arbitrary code with the permissions of the user running MySQL. An attacker with CREATE TEMPORARY TABLE privileges could exploit this to overwrite arbitrary files via a symlink attack. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 17344
    published 2005-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17344
    title GLSA-200503-19 : MySQL: Multiple vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2005-007.NASL
    description The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2005-007 applied. This security update contains fixes for the following products : - Apache 2 - AppKit - Bluetooth - CoreFoundation - CUPS - Directory Services - HIToolbox - Kerberos - loginwindow - Mail - MySQL - OpenSSL - QuartzComposerScreenSaver - ping - Safari - SecurityInterface - servermgrd - servermgr_ipfilter - SquirrelMail - traceroute - WebKit - WebLog Server - X11 - zlib
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 19463
    published 2005-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19463
    title Mac OS X Multiple Vulnerabilities (Security Update 2005-007)
  • NASL family Databases
    NASL id MYSQL_MULTIPLE_FLAWS4.NASL
    description The remote host is running a version of MySQL older than version 4.0.24 or 4.1.10a. Such versions are potentially affected by multiple issues. - MySQL uses predictable file names when creating temporary tables, which allows local users with 'CREATE TEMPORARY TABLE' privileges to overwrite arbitrary files via a symlink attack. (CVE-2005-0711) - A flaw exists that may allow a malicious user to gain access to unauthorized privileges when an authenticated user with 'INSERT' and 'DELETE' privileges bypasses library path restrictions using 'INSERT INTO' to modify the 'mysql.func' table. (CVE-2005-0709) - A flaw exists that may allow a malicious user to load arbitrary libraries when an authenticated user with 'INSERT' and 'DELETE' privileges uses the 'CREATE FUNCTION' command to specify and load an arbitrary custom library. (CVE-2005-0710)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17313
    published 2005-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17313
    title MySQL < 4.0.24 / 4.1.10a Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-707.NASL
    description Several vulnerabilities have been discovered in MySQL, a popular database. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2004-0957 Sergei Golubchik discovered a problem in the access handling for similar named databases. If a user is granted privileges to a database with a name containing an underscore ('_'), the user also gains privileges to other databases with similar names. - CAN-2005-0709 Stefano Di Paola discovered that MySQL allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls. - CAN-2005-0710 Stefano Di Paola discovered that MySQL allows remote authenticated users with INSERT and DELETE privileges to bypass library path restrictions and execute arbitrary libraries by using INSERT INTO to modify the mysql.func table. - CAN-2005-0711 Stefano Di Paola discovered that MySQL uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 18042
    published 2005-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18042
    title Debian DSA-707-1 : mysql - several vulnerabilities
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_120293-02.NASL
    description SunOS 5.10_x86 : mysql patch. Date this patch was last updated by Sun : Jun/27/08
    last seen 2019-01-19
    modified 2019-01-18
    plugin id 107863
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107863
    title Solaris 10 (x86) : 120293-02
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_120293.NASL
    description SunOS 5.10_x86 : mysql patch. Date this patch was last updated by Sun : Jun/27/08 This plugin has been deprecated and either replaced with individual 120293 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 19452
    published 2005-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19452
    title Solaris 10 (x86) : 120293-02 (deprecated)
oval via4
accepted 2013-04-29T04:06:00.918-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit.
family unix
id oval:org.mitre.oval:def:10479
status accepted
submitted 2010-07-09T03:56:16-04:00
title MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2005:334
  • rhsa
    id RHSA-2005:348
refmap via4
apple
  • APPLE-SA-2005-08-15
  • APPLE-SA-2005-08-17
bid 12781
bugtraq 20050310 Mysql CREATE FUNCTION libc arbitrary code execution.
debian DSA-707
gentoo GLSA-200503-19
mandrake MDKSA-2005:060
sunalert 101864
suse SUSE-SA:2005:019
trustix 2005-0009
ubuntu USN-96-1
vulnwatch 20050310 Mysql CREATE FUNCTION libc arbitrary code execution.
Last major update 17-10-2016 - 23:13
Published 02-05-2005 - 00:00
Last modified 03-10-2018 - 17:29