12/19/2007

Focus On: MySQL remote code execution

Christmas is coming, and Santa has brought us an interesting new vulnerability in another database system: today it's the turn of one of the most widespread and widely used RDBMSs, MySQL.

MySQL 5 is in fact prone to a remote command execution vulnerability.

This vulnerability has been tested on Linux with MySQL versions 5.0.45 and 5.0.51, the latter being the latest version.

This is a pre-authentication vulnerability, so you won't even need a valid username and password, only a GRANT from your IP on the database so that the connection can start.

As with all database software, you won't find many MySQL servers exposed on the Internet, while they can be very common on a Local Area Network.

Also, MySQL is often used in web application development, so most (all?) of the web hosting providers sell access to the MySQL server together with the web space.

By exploiting this vulnerability you will be able to access the content of all the databases present on the DBMS without needing a local privilege escalation, since the files on the filesystem containing the database data are owned by the same user running MySQL.

If you buy this vulnerability you will receive a fully working PoC and all the technical details.

Of course, for further information don't hesitate to contact us via e-mail, and if you want to make a bid on the vulnerability, do it here.

1 comment:

Anonymous said...

When all this is done, you can talk about the number of lattice points contained within the closed disk of radius r. This is Gauß' circle problem. MathWorld has an entertaining discussion; you can use it as a starting point for estimation, the O-notation, and probably a few more things. Of course, this isn't something 9th graders could do too much work on.