Montclair State University 12/12/2005 Department of Computer Science CMPT585 – Computer and Data Security New Attacks: MySQL DBMS vulnerability Course Project Student: Petras Cerniauskas Professor: Dr. Stefan Robila- 1 - Table of Contents Introduction.....................................................................................................................- 2 - How MySQL stores and manages user account information..........................................- 2 - Applied attacks and their strategy...................................................................................- 4 - What can be done to improve MySQL DBMS security .................................................- 6 - Summary.........................................................................................................................- 7 - References.......................................................................................................................- 9 -- 2 - 1. Introduction. Database Management System (DBMS) is one of the most important parts of any computing system. It is responsible not only for storing, retrieving and providing users with ability to modify the data, but also for integrity and security of that data. With the proliferation of the Internet and networking in general, the need for reliable and secure DBMS increased as well. Since most of the Enterprise quality DBMS are quite expensive and offer a broad spectrum of features that most users don’t really utilize, a lot of small to medium businesses turn to cheaper, somewhat limited Database Management Systems. One of such very popular DBMS is MySQL. MySQL provides an adequate performance, reliability and security for the price and it also comes as an open source product. This fact makes it even more attractive since source code can be used as an integral part of product documentation, without even mentioning ability to customize it. On the other hand, ability to peek at the internals of such a complicated system can compromise system’s security. The source code is easily available not only to potential customer but to the potential attacker as well. And if potential customer might be looking how to enhance system’s performance, reliability and security, potential attacker might be looking how to break or hack the system using weaknesses that are so much easier to spot having full source code. In my class project I tried to look at MySQL 5.0 DBMS for MS Windows with stock database engine reliability from the point of view of system security. I tried to analyze and find weaknesses in system operation, paying particular attention to the way MySQL manages user account information and the security controls it applies to make the system more robust. I tried to apply a few well known attacks and see how well the system handles them. Once security weaknesses have been discovered I tried to come up with the proposal how to fix them. 2. How MySQL stores and manages user account information. In order to be able to evaluate how secure particular DBMS is it is necessary to answer a few fundamental questions. First of all, what is security scheme that particular system implements and how that DBMS stores and manages user account information? Once we answer these questions we will be able to understand if there are any ways to compromise system’s security and then we will be able to draw conclusions how secure that system is. So let’s look how MySQL implements system security and how it maintains user account information. First let’s agree on some DBMS terminology. Giving access rights in MySQL as well as in most computing systems is called granting. If system administrator gives a particular user SELECT access rights for the particular database or table it’s said that administrator grants SELECT rights to the user. Contrary to other DBMS or computing systems access rights in MySQL are called privileges. So now, once we are clear on the terminology, let’s take a closer look at how MySQL manages user accounts and user privileges as well as how it applies those privileges to user requests. User account information storage. MySQL has a dedicated system database that performs user account and user privilege management function. This dedicated database is called “mysql”. And since MySQL DBMS data files for particular database are stored- 3 - in the directory for that database which is called the same way as the database, system database files are stored in the ..\data\mysql directory. MySQL DBMS creates three different files for each table in the database and names them with the table name and extensions FRM, MYD and MYI. MYD file is the actual data file where data for each field is stored. MYI file is an index file for that table. User account information is stored in the table called “user” of “mysql” database. This table contains user name, password, host fields as well as global privileges for that user. We will take a closer look at user privileges later. User authentication. Most computing systems authenticate users using user name and password technique. This is a standard way to manage user authentication process. MySQL DBMS takes user authentication method one step forward. In MySQL every user is assigned not only user name and password but also a host or a range of hosts that the user can initiate connection from. Host name does not have to be a machine name. It can be an IP address of the machine as well. So each MySQL DBMS user is uniquely identified as combination of two fields: UserName @ Host. In other words user “pcerniauskas @ 192.168.0.100” would be considered as different user than the user “pcerniauskas @ 192.168.0.101”. This is a very useful and welcome feature of DBMS on the way to tighter security scheme. If system administrator assigns each user account specific host name he can be sure that the same account will not be able to participate in DDoS attack. By the way, host column in the “user” table may contain wild card character ‘%’ which means that user is allowed to initiate connection to the server from any host