mysql-symlink-race kit
----------------------

This kit demonstrates a new privilege bypass attack on the INDEX/DATA DIRECTORY
options of MySQL's MyISAM storage engine.  The server canonicalizes the
index/data path with realpath(3) and checks that the result lies outside the
server data directory, but the path is resolved again when the table files are
actually opened.  The race between that check and that later open is exploited
to defeat the check.  This attack allows any user with shell access on the
server host and CREATE/DROP TABLE privileges to gain read/write access to an
arbitrary table of known schema, e.g., the mysql.user table.  It uses the
filesystem maze concept (a deep chain of directories and symlinks that makes
the server's path lookup slow enough to widen the race window) from "Fixing
Races for Fun and Profit: How to abuse atime"
<http://hatswitch.org/~nikita/papers/races.pdf>.
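The following is an added illustration written for this README, not code from
the kit or from the MySQL server: a minimal model of the check-then-open race
described above, with a hardened variant beside it.  It assumes Linux (it reads
/proc/self/fd to learn where an open descriptor really points), uses a
hypothetical data directory layout built under a temporary directory, and
simulates the attacker winning the race by retargeting a symlink between the
realpath(3) check and the open(2).  The names open_outside_datadir_racy,
open_outside_datadir_safe and demo are invented for the example.

```c
/* Added example: realpath(3) check-then-open race vs. a check bound to the
   opened descriptor.  Linux only (uses /proc/self/fd).  Not kit code. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if path is dir itself or lies below it (dir must be canonical). */
static int path_is_under(const char *path, const char *dir) {
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Vulnerable pattern: canonicalize, check, then open the ORIGINAL path.
   The filesystem may change between realpath() and open(); `between` stands
   in for the attacker acting inside that window. */
int open_outside_datadir_racy(const char *path, const char *datadir,
                              void (*between)(void)) {
    char resolved[PATH_MAX];
    if (!realpath(path, resolved)) return -1;
    if (path_is_under(resolved, datadir)) return -1;  /* check */
    if (between) between();                           /* race window */
    return open(path, O_RDWR);                        /* use */
}

/* Hardened pattern: open first, then ask the kernel where the descriptor
   actually points and check THAT.  Check and use refer to the same object. */
int open_outside_datadir_safe(const char *path, const char *datadir) {
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    char proc[64], actual[PATH_MAX];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(proc, actual, sizeof actual - 1);
    if (n < 0) { close(fd); return -1; }
    actual[n] = '\0';
    if (path_is_under(actual, datadir)) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario (hypothetical paths): datadir/secret.MYD is the
   protected file, outside/table.MYD is the attacker's symlink. */
static char g_link[PATH_MAX], g_secret[PATH_MAX];

static void attacker_swaps_link(void) {   /* retarget link into datadir */
    unlink(g_link);
    symlink(g_secret, g_link);
}

static int touch(const char *p) {
    int fd = open(p, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

static int same_file(int fd, const char *p) {
    struct stat a, b;
    return fd >= 0 && fstat(fd, &a) == 0 && stat(p, &b) == 0 &&
           a.st_ino == b.st_ino && a.st_dev == b.st_dev;
}

/* Returns 1 when the racy open lands on the protected file while the
   hardened open refuses it yet still opens a benign target; -1 on setup error. */
int demo(void) {
    char tmpl[] = "/tmp/symrace.XXXXXX";
    char base[PATH_MAX], datadir[PATH_MAX], outside[PATH_MAX], dummy[PATH_MAX];
    char *tmp = mkdtemp(tmpl);
    if (!tmp || !realpath(tmp, base)) return -1;
    snprintf(datadir, sizeof datadir, "%s/datadir", base);
    snprintf(outside, sizeof outside, "%s/outside", base);
    snprintf(g_secret, sizeof g_secret, "%s/secret.MYD", datadir);
    snprintf(dummy, sizeof dummy, "%s/dummy.MYD", outside);
    snprintf(g_link, sizeof g_link, "%s/table.MYD", outside);
    if (mkdir(datadir, 0700) || mkdir(outside, 0700)) return -1;
    if (touch(g_secret) || touch(dummy) || symlink(dummy, g_link)) return -1;

    /* 1. Check passes on the benign target, then the link is swapped. */
    int fd = open_outside_datadir_racy(g_link, datadir, attacker_swaps_link);
    int racy_hit = same_file(fd, g_secret);
    if (fd >= 0) close(fd);

    /* 2. Link already points into datadir: the hardened open must refuse. */
    int safe_refused = open_outside_datadir_safe(g_link, datadir) < 0;

    /* 3. Benign link again: the hardened open must still succeed. */
    unlink(g_link);
    if (symlink(dummy, g_link)) return -1;
    fd = open_outside_datadir_safe(g_link, datadir);
    int safe_ok = same_file(fd, dummy);
    if (fd >= 0) close(fd);

    unlink(g_link); unlink(dummy); unlink(g_secret);
    rmdir(outside); rmdir(datadir); rmdir(base);
    return racy_hit && safe_refused && safe_ok;
}

int main(void) {
    printf("racy open reached protected file, safe open refused: %s\n",
           demo() == 1 ? "yes" : "no");
    return 0;
}
```

The point of the hardened variant is not that it canonicalizes better but that
it stops reasoning about a path at all once the file is open: the descriptor is
the object the server will read and write, so any policy check has to be made
on what that descriptor refers to.  A maze only slows path lookup; it cannot
change where an already-open descriptor points.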

To perform the demonstration:
1. Run "make" to compile the necessary C programs.
2. Optional but recommended: Create and mount a filesystem to contain all the
   temporary files for the attack.  This ensures that the maze-creating script
   won't DoS your main filesystem if it goes awry for any reason.
3. Enter appropriate values in attack.conf and attack.my-cnf.
4. Run "./attack setup" to prepare the file structure and create a dummy table
   with INDEX/DATA DIRECTORY.
5. Run "./attack run" to attempt the attack.  You will be left in a MySQL
   client.  Issue a query to see whether the target table has been opened.  If
   necessary, adjust the timing parameters in attack.conf and try again.

This kit has been tailored to the specific sequence of steps the MySQL 5.1.46
server performs to open a table.  Minor changes to the server may prevent this
kit from working, but they are unlikely to fix the underlying vulnerability, so
a very similar attack would still be possible.

- Matt McCutchen <matt@mattmccutchen.net>
