CVE-2005-0709 in MySQLinfo

Summary

by MITRE

MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 01/27/2025

This vulnerability exists in MySQL database versions 4.0.23 and earlier, as well as 4.1.x versions up to 4.1.10, representing a critical code execution flaw that can be exploited by authenticated users with specific privileges. The vulnerability stems from the insecure implementation of the CREATE FUNCTION statement within the MySQL database system, which allows malicious users to leverage the database's ability to load shared libraries and access underlying system functions. The flaw specifically enables attackers to access libc functions such as strcat, on_exit, and exit through the CREATE FUNCTION mechanism, effectively bypassing normal database security boundaries and gaining access to system-level functionality.

The technical exploitation of this vulnerability occurs when an authenticated user with both INSERT and DELETE privileges attempts to create a custom function using the CREATE FUNCTION statement. This statement, when improperly validated, allows attackers to reference system libraries and function calls that are normally restricted to the operating system level. The attack vector specifically targets the database's dynamic library loading capabilities, where the CREATE FUNCTION statement can load shared libraries from the system and subsequently call libc functions that are not properly sandboxed or restricted. The use of functions like strcat, on_exit, and exit demonstrates how attackers can chain together system calls to execute arbitrary code with the privileges of the database process, potentially leading to complete system compromise.

The operational impact of this vulnerability is severe as it transforms a database access control mechanism into a potential system exploitation vector. An attacker with minimal database privileges can escalate their access to arbitrary code execution, potentially allowing them to read sensitive data, modify database contents, or even take complete control of the database server. This vulnerability affects organizations that rely on MySQL for database operations, particularly those with less restrictive user privilege models where database users might be granted unnecessary INSERT and DELETE permissions. The impact extends beyond simple database compromise, as database servers often contain sensitive organizational data and may run with elevated privileges that can be leveraged for broader system access.

The vulnerability aligns with CWE-242, which describes the weakness of using potentially dangerous functions that can lead to code execution, and represents a classic example of insecure library loading and function pointer manipulation. From an ATT&CK framework perspective, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1068 (Exploitation for Privilege Escalation) as attackers can leverage the database functionality to execute system commands and escalate privileges. Organizations should immediately apply patches to MySQL versions affected by this vulnerability, implement strict privilege controls to minimize the number of users with INSERT and DELETE privileges, and consider network segmentation to limit access to database servers. Additionally, monitoring for unusual CREATE FUNCTION statements and implementing database activity logging can help detect potential exploitation attempts and provide early warning of security incidents.

Reservation

03/11/2005

Disclosure

05/02/2005

Moderation

accepted

Entry

2

Relate

show

CPE

ready

Exploit

Download

EPSS

0.18440

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!