CVE-2012-5613
Published: 2012-12-03
Priority P3 · 43 · medium · 6 · CVSS 2.0
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 31.66% (98.1th percentile)
MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and possibly other versions, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator. NOTE: the vendor disputes this issue, stating that this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. NOTE: it could be argued that this should not be included in CVE because it is a configuration issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mariadb | mariadb | — | — |
| oracle | mysql | — | — |
Detection & IOCs
- Detect FILE privilege abuse via MySQL query logs: look for 'SELECT ... INTO DUMPFILE' writing to Windows system32 or wbem/mof directories, or Linux /var/lib/mysql paths with .TRG/.TRN extensions.
- Monitor for creation of .mof files in C:\Windows\System32\wbem\mof\ by the MySQL service account (SYSTEM or mysql user), which indicates MOF execution exploitation.
- Monitor for .exe files written to the All Users Startup folder (e.g., C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\) by the MySQL process, indicating FILE privilege startup persistence abuse.
- Detect MySQL trigger file injection on Linux: alert on creation of .TRG or .TRN files under /var/lib/mysql/ by the mysql user outside of normal mysqld operation.
- Detect reconnaissance queries in MySQL general query log: 'SELECT @@version_compile_os' and 'SELECT @@tmpdir' issued in rapid succession may indicate automated exploitation attempts.
- Detect large hex-encoded payloads written via 'SELECT 0x<hex> INTO DUMPFILE' in MySQL query logs, which is the mechanism used to upload binary executables through the FILE privilege.
- On Linux, detect the stack-overrun crash pattern used to force mysqld respawn: a deliberate oversized GRANT statement (e.g., 'grant all on AAAA...*.* to ...') followed by reconnection is a key exploit step.
- This vulnerability only applies when the MySQL FILE privilege has been granted to users who should not have administrative privileges. Properly restricting FILE privilege per installation documentation mitigates the risk.
- The MOF execution vector (EDB-23179) is Windows-specific; the exploit checks for Windows via @@version_compile_os before proceeding.
- The Linux trigger-file escalation vector (EDB-23077) requires the attacker to also trigger a MySQL server crash/respawn to force recognition of the injected .TRG file; a non-respawning configuration would break the exploit chain.
- Red Hat determined this was not a security vulnerability for RHEL 5 and RHEL 6 mysql packages.
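The log-based detections listed above, as an added example (not code from the page's sources or from Metasploit): a Python scan over constructed MySQL general query log lines. The log layout, the rule names and the `GRANT_MAX` threshold are assumptions, and the recon rule tracks statements per connection rather than by time window.

```python
import re

LINE = re.compile(r"(\d+)\s+Query\s+(.*)$")  # thread id, then the statement
WRITE = re.compile(r"INTO\s+(?:DUMPFILE|OUTFILE)\s+'([^']+)'", re.I)
# Write targets named on this page: system32, WMI MOF dir, Startup, trigger files.
SENSITIVE = re.compile(
    r"system32|wbem[\\/]+mof|start menu[\\/]+programs[\\/]+startup"
    r"|^/var/lib/mysql/.*\.(?:TRG|TRN)$", re.I)
HEX_BLOB = re.compile(r"SELECT\s+0x[0-9a-f]{64,}\s+INTO\s+DUMPFILE", re.I)
RECON = ("@@version_compile_os", "@@tmpdir")
GRANT_MAX = 1024  # assumed threshold for an "oversized" GRANT statement

def scan(log_text):
    """Return (thread_id, rule, detail) findings for a general query log."""
    findings, seen_recon = [], {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # Connect/Quit lines and anything that is not a statement
        tid, sql = int(m.group(1)), m.group(2).strip()
        w = WRITE.search(sql)
        if w and SENSITIVE.search(w.group(1)):
            findings.append((tid, "sensitive-path-write", w.group(1)))
        if HEX_BLOB.search(sql):
            findings.append((tid, "hex-blob-dumpfile", f"{len(sql)} chars"))
        for var in RECON:
            if var in sql.lower():
                seen_recon.setdefault(tid, set()).add(var)
                if len(seen_recon[tid]) == len(RECON):
                    findings.append((tid, "recon-pair", ", ".join(RECON)))
                    seen_recon[tid] = set()
        if sql.lower().startswith("grant") and len(sql) > GRANT_MAX:
            findings.append((tid, "oversized-grant", f"{len(sql)} chars"))
    return findings

# Constructed sample lines (not from a real server); the hex literal is filler.
SAMPLE_LOG = "\n".join([
    "2012-12-03T10:15:01Z\t   42 Connect\twebapp@10.0.0.5 on shop",
    "2012-12-03T10:15:01Z\t   42 Query\tSELECT @@version_compile_os",
    "2012-12-03T10:15:01Z\t   42 Query\tSELECT @@tmpdir",
    "2012-12-03T10:15:02Z\t   42 Query\tSELECT 0x" + "41" * 40
    + " INTO DUMPFILE 'C:/Windows/System32/wbem/mof/x.mof'",
    "2012-12-03T10:16:10Z\t   43 Query\tSELECT name FROM products INTO OUTFILE '/tmp/report.csv'",
    "2012-12-03T10:17:30Z\t   44 Query\tSELECT 'x' INTO DUMPFILE '/var/lib/mysql/shop/orders.TRG'",
    "2012-12-03T10:18:00Z\t   45 Query\tGRANT ALL ON " + "A" * 2000 + ".* TO 'u'@'%'",
])

for finding in scan(SAMPLE_LOG):
    print(finding)
```

The export to `/tmp/report.csv` on connection 43 produces no finding, which shows that the path rule rather than the mere use of `INTO OUTFILE` drives the alert.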
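CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| vendor_redhat | — | 6.0 | MEDIUM | — |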
GHSA
GHSA-cvqp-6rwh-x2fj: ** DISPUTED ** MySQL 5
ghsa_unreviewed·2022-05-17
** DISPUTED ** MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and possibly other versions, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator. NOTE: the vendor disputes this issue, stating that this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. NOTE: it could be argued that this should not be included in CVE because it is a configuration issue.
Red Hat
mysql: database privilege escalation using FILE privilege
vendor_redhat·2012-12-01·CVSS 6.0
Statement: Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.
No detection rules found.
Exploit-DB
Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit)
exploitdb·2015-01-13
---
##
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse',
'Description' => %q{
This module takes advantage of a file privilege misconfiguration problem
specifically against Windows MySQL servers. This module abuses the FILE
privilege to write a payload to Microsoft's All Users Start Up directory
which will execute every time a user logs in. The default All Users Start
Up directory used by the module is Windows 7 friendly.
},
'Author' =>
[
'sinn3r',
'Sean Verity
{
'DisablePayloadHandler' => 'true'
},
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2012-5613'], #DISPUTED
['OSVDB', '88118'],
['EDB', '23083'],
['URL
Exploit-DB
Oracle MySQL (Windows) - MOF Execution (Metasploit)
exploitdb·2012-12-06
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Oracle MySQL for Microsoft Windows MOF Execution',
'Description' => %q{
This modules takes advantage of a file privilege misconfiguration problem
specifically against Windows MySQL servers (due to the use of a .mof file).
This may result in arbitrary code execution under the context of SYSTEM. However,
please note in order to use this module, you must have a valid MySQL account on
the target machine.
},
'Author' =>
[
'kingcope',
'sinn3r'
],
'License' => MSF_LICE
Exploit-DB
MySQL (Linux) - Database Privilege Escalation
exploitdb·2012-12-02
---
use DBI();
$|=1;
=for comment
MySQL privilege elevation Exploit
This exploit adds a new admin user.
By Kingcope
Tested on
* Debian Lenny (mysql-5.0.51a)
* OpenSuSE 11.4 (5.1.53-log)
How it works:
This exploit makes use of several things:
*The attacker is in possession of a mysql user with 'file' privileges for the target
*So the attacker can create files on the system with this user (owned by user 'mysql')
*So the attacker is able to create TRIGGER files for a mysql table
triggers can be used to trigger an event when a mysql command is executed by the user,
normally triggers are 'attached' to a user and will be executed with this users privilege.
because we can write any contents into the TRG file (the actual trigger file), we write
Metasploit
Oracle MySQL for Microsoft Windows MOF Execution
metasploit
This module takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers (due to the use of a .mof file). This may result in arbitrary code execution under the context of SYSTEM. This module requires a valid MySQL account on the target machine.
Metasploit
Oracle MySQL for Microsoft Windows FILE Privilege Abuse
metasploit
This module takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers. This module abuses the FILE privilege to write a payload to Microsoft's All Users Start Up directory which will execute every time a user logs in. The default All Users Start Up directory used by the module is present on Windows 7.
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00000.html
- http://seclists.org/fulldisclosure/2012/Dec/6
- http://secunia.com/advisories/53372
- http://security.gentoo.org/glsa/glsa-201308-06.xml
- http://www.openwall.com/lists/oss-security/2012/12/02/3
- http://www.openwall.com/lists/oss-security/2012/12/02/4