CVE-2004-0457
CVSS 4.6
Published: 2004-09-28 00:00:00
Revised: 2013-08-01 00:33:14

[Original] The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files.


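[CNNVD] MySQL Mysqlhotcopy Script Insecure Temporary File Creation Vulnerability (CNNVD-200409-080)

        The mysqlhotcopy script in mysql 4.0.20 and earlier is vulnerable when using the scp method from the mysql-server package. Local users can overwrite arbitrary files via a symlink attack on temporary files.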

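- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10693 The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrit...
* OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.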

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0457
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0457
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200409-080
(Official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17030
(VENDOR_ADVISORY)  XF  mysql-mysqlhotcopy-insecure-file(17030)
http://www.redhat.com/support/errata/RHSA-2004-597.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:597
http://www.debian.org/security/2004/dsa-540
(UNKNOWN)  DEBIAN  DSA-540
http://www.ciac.org/ciac/bulletins/p-018.shtml
(UNKNOWN)  CIAC  P-018

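- Vulnerability information

MySQL Mysqlhotcopy Script Insecure Temporary File Creation Vulnerability
Medium risk; Design error
2004-09-28 00:00:00 2006-03-28 00:00:00
Local
        The mysqlhotcopy script in mysql 4.0.20 and earlier is vulnerable when using the scp method from the mysql-server package. Local users can overwrite arbitrary files via a symlink attack on temporary files.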

- Advisories and patches

        Red Hat has released advisory RHSA-2004:569-16 and fixes to address this and other issues on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.
        SuSE has released advisory (SUSE-SA:2004:030), in the addendum of this advisory it is announced that a mysql fix to address this vulnerability is available on the SuSE updates FTP server:
        ftp://ftp.suse.com
        Gentoo has released an advisory (GLSA 200409-02) and an updated eBuild to address this issue on Gentoo Linux systems. Users are recommended to run the following sequence of commands as a superuser to apply this update:
        emerge sync
        emerge -pv ">=dev-db/mysql-4.0.20-r1"
        emerge ">=dev-db/mysql-4.0.20-r1"
        Debian has released an advisory (DSA 540-1) to address this issue. Please see the referenced advisory for more information.
        OpenBSD has applied fixes to the ports tree of OpenBSD-current, and the patch branches of 3.4 and 3.5. These patches are in CVS as of 23 Aug 2004.
        Mandrake Linux has released advisory MDKSA-2004:119 along with fixes dealing with this and other issues. Please see the referenced advisory for more information.
        SuSE has released a security summary report (SUSE-SR:2004:001) to address this and other issues. The report indicates that a fix for this issue is available on the SuSE FTP server and also through the YaST Online Update utility. Customers are advised to peruse the referenced advisory for further details regarding obtaining and applying appropriate fixes.
        RedHat Fedora has made an advisory available (FEDORA-2004-530) dealing with this and other issues. Please see the referenced advisory for more information.
        TurboLinux has released Security Announcement 17/Feb/2005 dealing with this and other issues; please see the reference section for more information.
        A Fedora Legacy advisory FLSA:2129 is available to address this issue in Red Hat Linux 7.3, Red Hat Linux 9, and Fedora Core 1 for the i386 architecture. Please see the referenced advisory for more information.
        
        MySQL AB MySQL 3.23.49
        

- Vulnerability information (F34087)

dsa-540.txt (PacketStormID:F34087)
2004-08-19 00:00:00
Debian  debian.org
advisory,arbitrary,local
linux,debian
CVE-2004-0457

Debian Security Advisory DSA 540-1 - The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 540-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 18th, 2004                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mysql
Vulnerability  : insecure file creation
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0457

Jeroen van Wolffelaar <jeroen@wolffelaar.nl> discovered an insecure
temporary file vulnerability in the mysqlhotcopy script when using the
scp method which is part of the mysql-server package.

For the stable distribution (woody) this problem has been fixed in
version 3.23.49-8.7 of mysql.

For the unstable distribution (sid) this problem has been fixed in
version 4.0.20-11 of mysql-dfsg.

We recommend that you upgrade your mysql-server package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBIwmqW5ql+IAeqTIRAi1+AJ9gPrR8ovOY2w4y1uYPMRDCaj1lKQCdE4aO
yQ846+VXr8T4FUQG/3x2jb0=
=/XFC
-----END PGP SIGNATURE-----
    

- Vulnerability information

9015
MySQL mysqlhotcopy Insecure Temporary File Creation
Local Access Required Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

mysqlhotcopy within MySQL contains a flaw that may allow a malicious user to overwrite arbitrary files. The issue is triggered when mysqlhotcopy creates insecure temporary files. It is possible that the flaw may allow a malicious user to use specially crafted symlinks to arbitrarily overwrite files, resulting in a loss of confidentiality and/or integrity.

- Timeline

2004-08-19 Unknown
2004-08-19 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Debian has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

MySQL Mysqlhotcopy Script Insecure Temporary File Creation Vulnerability
Design Error 10969
No Yes
2004-08-18 12:00:00 2009-07-12 06:16:00
Discovery is credited to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

- Affected software versions

S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 3
RedHat Desktop 3.0
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 3
MySQL AB MySQL 4.0.20
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
MySQL AB MySQL 3.23.49
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ RedHat Linux 7.3 i686
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.4
Gentoo Linux 1.2
Gentoo Linux 1.1 a
Gentoo Linux 0.7
Gentoo Linux 0.5

- Vulnerability discussion

mysqlhotcopy is reported to contain an insecure temporary file creation vulnerability. The result of this is that temporary files created by the application may use predictable filenames. This issue presents itself when the 'scp' method is used with the script.

A local attacker may also possibly exploit this vulnerability to execute symbolic link file overwrite attacks.

It was confirmed that this issue exists in mysqlhotcopy shipped with MySQL 3.23.49 and 4.0.20. Other versions of MySQL are likely to be affected as well. This BID will be updated as more information becomes available.

- Exploit

No exploit is required.

- Solution

Red Hat has released advisory RHSA-2004:569-16 and fixes to address this and other issues on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

SuSE has released advisory (SUSE-SA:2004:030), in the addendum of this advisory it is announced that a mysql fix to address this vulnerability is available on the SuSE updates FTP server:
ftp://ftp.suse.com

Gentoo has released an advisory (GLSA 200409-02) and an updated eBuild to address this issue on Gentoo Linux systems. Users are recommended to run the following sequence of commands as a superuser to apply this update:
emerge sync
emerge -pv ">=dev-db/mysql-4.0.20-r1"
emerge ">=dev-db/mysql-4.0.20-r1"

Debian has released an advisory (DSA 540-1) to address this issue. Please see the referenced advisory for more information.

OpenBSD has applied fixes to the ports tree of OpenBSD-current, and the patch branches of 3.4 and 3.5. These patches are in CVS as of 23 Aug 2004.

Mandrake Linux has released advisory MDKSA-2004:119 along with fixes dealing with this and other issues. Please see the referenced advisory for more information.

SuSE has released a security summary report (SUSE-SR:2004:001) to address this and other issues. The report indicates that a fix for this issue is available on the SuSE FTP server and also through the YaST Online Update utility. Customers are advised to peruse the referenced advisory for further details regarding obtaining and applying appropriate fixes.

RedHat Fedora has made an advisory available (FEDORA-2004-530) dealing with this and other issues. Please see the referenced advisory for more information.

TurboLinux has released Security Announcement 17/Feb/2005 dealing with this and other issues; please see the reference section for more information.

A Fedora Legacy advisory FLSA:2129 is available to address this issue in Red Hat Linux 7.3, Red Hat Linux 9, and Fedora Core 1 for the i386 architecture. Please see the referenced advisory for more information.


MySQL AB MySQL 3.23.49

MySQL AB MySQL 4.0.20

S.u.S.E. Linux Personal 9.0 x86_64

S.u.S.E. Linux Personal 9.0

S.u.S.E. Linux Personal 9.1

- References

 

 
