CVE-2005-0711 in MySQL
Summary
by MITRE
MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/28/2025
This vulnerability exists in mysql database versions 4.0.23 and earlier, as well as 4.1.x versions up to 4.1.10, where the software generates predictable file names when creating temporary tables. The flaw stems from insufficient randomization in the naming mechanism, allowing local users who possess CREATE TEMPORARY TABLE privileges to exploit this predictability through symbolic link attacks. The vulnerability is categorized under CWE-310 as a weakness related to cryptographic randomness, specifically in the generation of temporary file names. Attackers can manipulate the system by creating symbolic links with predictable names that match the expected temporary file paths, enabling them to overwrite arbitrary files on the system with data controlled by the attacker. This represents a privilege escalation vulnerability where local users can leverage their limited CREATE TEMPORARY TABLE permissions to achieve arbitrary file overwrite capabilities.
The operational impact of this vulnerability extends beyond simple file overwrites, as it can be exploited to compromise the integrity of the database system and potentially lead to broader system compromise. Attackers can use this technique to overwrite critical system files, configuration files, or even database files themselves, potentially leading to data corruption, unauthorized access, or complete system compromise. The vulnerability is particularly concerning in multi-user environments where users may have legitimate CREATE TEMPORARY TABLE privileges for database operations but should not have the ability to overwrite arbitrary system files. This weakness aligns with ATT&CK technique T1059.001 for command and script injection, as attackers can use the file overwrite capabilities to place malicious code in critical system locations. The predictability of temporary file names creates a vector for privilege escalation attacks and can be combined with other local exploitation techniques to achieve persistent access.
The recommended mitigations for this vulnerability involve immediate patching of affected mysql versions to the patched releases that implement proper randomization of temporary file names. Organizations should ensure that all mysql installations are updated to versions that address this specific weakness in temporary file generation. System administrators should also implement proper file system permissions and access controls to limit the ability of local users to create symbolic links that could be exploited. Additional protective measures include monitoring for unusual file creation patterns, implementing file integrity monitoring solutions, and ensuring that database users have the principle of least privilege. The vulnerability demonstrates the importance of proper randomization in security-critical operations, as outlined in NIST SP 800-90A guidelines for cryptographic random number generation. Organizations should also consider implementing database activity monitoring to detect potential exploitation attempts and maintain comprehensive audit trails to identify any unauthorized file modifications that may result from such attacks.