Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions through 5.5.28, and 5.1.53 and other versions through 5.1.66, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
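As an added example (not part of the advisory or of any vendor tooling), the version ranges above can be turned into an inventory triage check. It assumes every release in a listed series up to the stated bound is affected, reads "5.5.2.x" as the MariaDB 5.5 series, and uses constructed host names and version banners.

```python
import re

# Boundaries taken from the advisory text above.
# MySQL is affected "through" these versions (inclusive upper bound).
MYSQL_LAST_AFFECTED = {(5, 5): (28, ""), (5, 1): (66, "")}
# MariaDB is affected "before" these versions (exclusive upper bound).
MARIADB_FIRST_FIXED = {(5, 5): (28, "a"), (5, 3): (11, ""),
                       (5, 2): (13, ""), (5, 1): (66, "")}

# major.minor.patch plus an optional letter suffix, as in "5.5.28a".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(banner):
    """Split a server version banner into (series, patch key, is_mariadb)."""
    m = _VERSION_RE.match(banner.strip())
    if m is None:
        raise ValueError("unrecognised version banner: %r" % banner)
    series = (int(m.group(1)), int(m.group(2)))
    # (28, "") sorts before (28, "a"), so 5.5.28 < 5.5.28a as the advisory needs.
    patch = (int(m.group(3)), m.group(4))
    return series, patch, "mariadb" in banner.lower()


def is_affected(banner):
    """True if the banner falls inside the ranges listed in the advisory.

    Assumption: lower bounds are ignored, so every release of a listed
    series up to the bound counts. A match is a triage signal only;
    distribution packages may carry a backported fix under an old version.
    """
    series, patch, is_mariadb = parse_version(banner)
    if is_mariadb:
        fixed = MARIADB_FIRST_FIXED.get(series)
        return fixed is not None and patch < fixed
    last = MYSQL_LAST_AFFECTED.get(series)
    return last is not None and patch <= last


def triage(inventory):
    """Return the sorted host names whose banner is in an affected range."""
    return sorted(h for h, banner in inventory.items() if is_affected(banner))


# Constructed inventory: host name -> output of SELECT VERSION().
SAMPLE_INVENTORY = {
    "db-a": "5.1.66-community",
    "db-b": "5.5.29-log",
    "db-c": "5.5.28a-MariaDB",
    "db-d": "5.3.10-MariaDB",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```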
Recent assessments:
wchen-r7 at September 12, 2019 6:07pm UTC reported:
Install
MySQL-client-community-5.1.66-1.rhel4.i386.rpm
MySQL-shared-community-5.1.66-1.rhel4.i386.rpm
MySQL-server-community-5.1.66-1.rhel4.i386.rpm
Packages available here: <http://downloads.skysql.com/archive/index/p/mysql/v/5.1.66>
On a fresh (minimal) CentOS install, mysql-libs is installed; it and its dependencies should be deleted with rpm -e (all at the same time).
Once installed, add a user:
mysql> CREATE USER 'juan'@'%' IDENTIFIED BY 'mypass';
Query OK, 0 rows affected (0.00 sec)
And grant privileges:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'juan'@'%';
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
Ready to test…
Start through mysqld_safe:
[root@localhost mysql]# /usr/bin/mysqld_safe --user=mysql
130712 07:23:38 mysqld_safe Logging to '/var/lib/mysql/localhost.localdomain.err'.
130712 07:23:38 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
Assessed Attacker Value: 0
lists.opensuse.org/opensuse-security-announce/2013-01/msg00001.html
lists.opensuse.org/opensuse-security-announce/2013-01/msg00020.html
rhn.redhat.com/errata/RHSA-2013-0180.html
seclists.org/fulldisclosure/2012/Dec/4
security.gentoo.org/glsa/glsa-201308-06.xml
www.exploit-db.com/exploits/23075
www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
www.ubuntu.com/usn/USN-1703-1
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611
kb.askmonty.org/en/mariadb-5528a-release-notes/
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16395
www.debian.org/security/2012/dsa-2581
www.openwall.com/lists/oss-security/2012/12/02/3