Local Attacks Against MySQL

This section covers the following:

  • Race conditions
  • Overflows
  • The MySQL file structure revisited

A few points are worth discussing in relation to local attacks on MySQL before dealing with the few specific attacks that fall into this section. First, MySQL determines the level of privilege given to a specific user by the host that the user is connecting from, normally according the local host the maximum privilege. From this perspective, local attackers can be much more dangerous than remote attackers. Second, it is common for MySQL hosts to be protected from the rest of the network by a firewall and SSH, so that only authorized users can connect to MySQL. If a user has a means of running arbitrary code on the MySQL host, he will almost certainly be able to bypass that restriction and connect to MySQL without going through SSH first. Depending on the assumptions that have been made and on the configuration of MySQL, this might be dangerous: for example, if the assumption is that it is OK to leave the password blank for the root account on localhost.

Race Conditions

Race condition attacks commonly affect Unix platforms, though the same category of attack could affect Windows platforms under some circumstances. The way that these race condition/symlink attacks work is as follows.

MySQL has historically been supplied with a number of scripts that make use of temporary files. In some cases these temporary files are created in insecure locations (for example ...
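The following is an added example, not code from the book or from MySQL, that demonstrates the symlink race mechanism described above and the fix a script author should apply. It builds a throwaway directory, plants a symlink at a predictable temporary path (the constructed name `mysql_script.tmp` stands in for whatever a script would use), and then contrasts a plain `open()` for writing, which follows the link and clobbers the target, with an `O_CREAT|O_EXCL|O_NOFOLLOW` open, which refuses to touch a path that already exists. The victim file name and contents are constructed for the demo.

```python
import os
import tempfile


def write_unsafe(path: str, data: bytes) -> None:
    """Pattern to avoid: open(path, 'wb') is O_CREAT without O_EXCL, so it
    happily follows a pre-existing symlink and overwrites whatever it points at."""
    with open(path, "wb") as f:
        f.write(data)


def write_safe(path: str, data: bytes) -> None:
    """Hardened pattern: O_EXCL makes creation fail (EEXIST) if anything is
    already at the path, symlinks included; O_NOFOLLOW is belt-and-braces on
    platforms that have it; 0o600 keeps the file private from the start."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_safe_unpredictable(directory: str, data: bytes) -> str:
    """Best option: let mkstemp pick an unpredictable name with O_EXCL semantics,
    so there is no fixed path for an attacker to pre-plant a link at."""
    fd, path = tempfile.mkstemp(prefix="mysql_script.", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Run both patterns against a pre-planted symlink and report what happened."""
    original = b"original\n"  # constructed victim contents
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim")  # constructed: the file the link points at
        with open(victim, "wb") as f:
            f.write(original)

        predictable = os.path.join(work, "mysql_script.tmp")  # constructed predictable name
        os.symlink(victim, predictable)  # the pre-planted link the race relies on

        # 1. Unsafe open follows the link: victim is overwritten.
        write_unsafe(predictable, b"clobbered\n")
        with open(victim, "rb") as f:
            unsafe_overwrote_victim = f.read() != original

        # Reset the victim for the second run; the link stays in place.
        with open(victim, "wb") as f:
            f.write(original)

        # 2. Safe open refuses because the path already exists.
        try:
            write_safe(predictable, b"clobbered\n")
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        with open(victim, "rb") as f:
            safe_victim_intact = f.read() == original

        # 3. mkstemp never uses the predictable name at all.
        created = write_safe_unpredictable(work, b"payload\n")
        mkstemp_avoided_link = os.path.realpath(created) != os.path.realpath(victim)

        return {
            "unsafe_overwrote_victim": unsafe_overwrote_victim,
            "safe_refused": safe_refused,
            "safe_victim_intact": safe_victim_intact,
            "mkstemp_avoided_link": mkstemp_avoided_link,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When reviewing a script, the thing to look for is any write to a fixed path under a world-writable directory; the same check applies to shell scripts, where `mktemp` provides the equivalent of `mkstemp` and a plain redirection to `/tmp/name.$$` is the equivalent of `write_unsafe`.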
