MySql default [insecure] installation in debian
i recently updated my MySql server and i am currently using the version.5.0.38-Debian_1-log If you ever wondered how MySql saves data on your hard disk, then this is best explained here. I will quote from the same website
“Each database is a directory, with each table stored in a separate set of files. For an individual table, the .frm file contains information about the table structure â€” effectively, an internal representation of the CREATE TABLE statement. The .MYD file contains the row data, and the .MYI contains any indexes belonging with this table, as well as some statistics about the table. The data file contains only row data, with minimal overhead.”
Thus if you can read these directories/files, you can get hold of the database/table names respectively.
I looked on my debian box and these files are located in /var/lib/mysql folder. This folder is owned by user mysql and belongs to group mysql. Surprisingly, by default the permissions on this folder is 755. Thus a normal user on the box can list files and directories in the folder /var/lib/mysql and get hold of all the database names,which the MySQL server stores on this host
. However, the database directories in this folder are properly locked which denies an unprivlidged user to get tables information for databases. Although, the database mysql itslef allows directory listing but the files are not word readable. Thus a normal user cant read the file /var/lib/mysql/mysql/user.MYD which represent the table mysql.user and stores mysql username and encrypted password. 🙁
If you are able to find a local privelege escalation on a box and manage to get root access, how will you get hold of the data stored in the MySql database?
You will probably try to read the file /var/lib/mysql/mysql/user.MYD to get the Mysql Username and their password hash and would then try to crack these hashes. It then comes down to the complexity of the password and if the password is complex enough there are chances that you may still not be able to crack it. However, the story is a bit different if you are on a debian box. Debian has an inbuilt account debian-sys-maint which bydefault has privilieges equivalent to what you will have for root user. To make matter worse, the file /etc/mysql/debian.cnf contains the randomly generated clear text password for this user. However, this file is again not word readable. But if you got a privilege escalation on debian box, no need to crack the hashes, just issue the command: mysql –defaults-extra-file=/etc/mysql/debian.cnf and you will have the entire MySql server to play.